Announcements
Voting is now open!
Members, make your selections in the annual (ISC)² Board of Directors election. Vote Now! Voting is open until Sept. 22.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
geraldjoyce312
Newcomer I

Compensating controls in place of an HSM

I am working on a project to identify compensating controls in lieu of an HSM. We all understand that HSMs are extremely effective in protecting the enterprise, but many companies are not large enough to justify the cost, or don't have the required skillset on staff to design the implementation so that it sits in the correct security zone behind the proper security controls, and manage the device. Additionally, although many cloud service providers offer an HSM option, they too can be very expensive for a small company to justify the cost.

 

My question is in regard to compensating controls for an HSM. If a company did not have an HSM, do any of the security frameworks identify compensating controls in place of the HSM? If anyone could point me to anything specific, I would be very grateful. Thanks.

5 Replies
SWALTERS
Newcomer III

Re: Compensating controls in place of an HSM


@geraldjoyce312 wrote:

I am working on a project to identify compensating controls in lieu of an HSM. We all understand that HSMs are extremely effective in protecting the enterprise, but many companies are not large enough to justify the cost, or don't have the required skillset on staff to design the implementation so that it sits in the correct security zone behind the proper security controls, and manage the device. Additionally, although many cloud service providers offer an HSM option, they too can be very expensive for a small company to justify the cost.

 

My question is in regard to compensating controls for an HSM. If a company did not have an HSM, do any of the security frameworks identify compensating controls in place of the HSM? If anyone could point me to anything specific, I would be very grateful. Thanks.


A YubiHSM is ~USD$700.  The smallest Thales HSM is ~USD$7000.

 

A typical HSM is around ~USD$200,000, but they usually come with software and hardware maintenance for 10 years, so the actual price is more like ~USD$20,000/year in recurrent spending.

 

None of these are actually out of the realm of possibility, even for small companies.

 

Compensating controls for not having a HSM really only works for offline CAs or offline code signing - as the control for HSM is hardware level protections on the key material (including tamper detection, which deletes the keys as soon as it believes it's under attack).

 

As soon the specific requirement is an online use-case (i.e. Transparent Database Encryption (TDE), online CA, online code-signing, or others) it is very difficult to institute any compensating controls that can scale to the needs of the online requirement.

 

It's not as easy as saying "X" technology is an equivalent control for a HSM.  You first have to look at what specific application or requirement is using the HSM (and how it's being used) and then devise a series of policies, processes, training and technologies that do some of the same things as a HSM would "in spirit".  Unfortunately, much can go wrong when attempting this.

dhouser
BoD Candidate

Re: Compensating controls in place of an HSM

I would first ensure your risk analysis answers the question, "What is the business problem we are trying to solve?" as HSMs provide a number of functions.  A small list:

> Ease of encrypted data key change

> Secure key storage

> Hardware acceleration

> Compliance with regulators

> Segregation of duties (e.g. via key splitting/escrow)

 

I would also note that there are some pretty inexpensive USB HSMs if cost is the big factor, and those can be physically secured in a rack and then secured with evidence tape (both on the USB HSM and the rack).  This would permit you to lay out cost-benefit analysis, and some of the downsides of going cheap on HSMs (e.g. performance, features) vs. the risks of going without.

 

I'd then do a quantitative analysis (e.g. FAIR-Lite) of probabilistic loss vectors & probabilistic losses compared with the costs of the controls (HSM procurement, continued verification/audit) and the cost avoidance of manual / software-based key management.

 

Hope this helps!

 

-ddh

_______

Dan Houser, CISSP-ISSAP-ISSMP CSSLP

Board Candidate, 2021 Election

#20889

-ddh__________
Dan Houser, CISSP-ISSAP-ISSMP CSSLP
Board Candidate, 2021 Election
#20889
geraldjoyce312
Newcomer I

Re: Compensating controls in place of an HSM

Thanks for the input. It has given me a lot to think about.
Caute_cautim
Community Champion

Re: Compensating controls in place of an HSM

@dhouser    I have a similar project except it is the replacement of existing HSMs for a financial Institution dealign with Mainframes and batch jobs etc as well as regulatory requirements for both Australia and New Zealand.  Their approach is to replace the existing HSMs with similar systems, upgraded by carrying out a migration.   However there is room for reviewing the use of Cloud based HSM's on a leased basis, but data sovereignty, latency and business continuity issues become very relevant when weighting up the risk factors.

 

Much of the influence comes from the application architects, who have spent years developing tools and applications, including integrations for on premise systems.   One of the drivers will be in the space of an HSM lifespan being five years or more - normally greater until support runs out altogether is take a lowest risk direction i.e. pay the fees for the replacement, despite not looking to the future of digital banks and electronic fund transfer mechanisms. 

 

Many times the FIPS 140-1 level 3 and banking regulations drive the way forward especially if there is PCI DSS requirements and auditing, integration factors required regularly.   In this case the Reserve Bank has its own regulations, which are regularly audited, requiring payment transfer mechanisms only a window of 6 hours outage, before a large penalty is delivered to the offending financial institution

 

Regards

 

Caute_Cautim.

 

 

geraldjoyce312
Newcomer I

Re: Compensating controls in place of an HSM

Great information!