Security Storage: To HSM or Not To HSM?


Posted by Joshua Marpet

Information security storage is necessary; without it, how would Amazon know what it is selling or what product recommendations to make? How could it store the shopper’s credit card information to make purchases with a single click?

While consumers would like to think their credit card information, purchase history, and other personalized data are stored securely, that is not always the case. Authorized third parties, such as advertisers, can mine anonymized or aggregated data and still show targeted ads.

So now we have to deal with multiple parties looking at the data, some of which Party A can see, and some of which Party B can see, but not vice versa. Some of the data overlaps, some of it is anonymized, some of it is aggregated. How do you, as the business, keep track of it all? And of course there are PCI DSS, HIPAA, and SOX regulations to make sure you don't forget the compliance end.

So how is that kind of sensitive data encrypted?

Good question. Public key infrastructure (PKI), with certificates, public keys, private keys, strong encryption, and strong passphrases, is a well-known solution to protect data from outside malicious parties. It isn't simple, and it certainly is a non-trivial answer, but it is doable.

But if those solutions only protect the data from outsiders, then how do we keep the many insiders from compromising the data? Who's to say that partner companies or divisions that need access to the data for marketing, demographic, or legal purposes are handling it safely and securely?

Most of them don't do it well. Quite a few companies simply copy the information to a location for Party A and a separate location for Party B. That way each party gets one location to see data. But then you have to secure access for each party, and you now have multiple copies of the data to secure. In a recent conversation, a credit card company executive explained that they have 50–70 copies of each piece of data for this exact reason. Even anecdotally, that's horrific!

How do you securely store data?

Some security professionals have turned to hardware security modules (HSMs). If Amazon Web Services is your game, then you can use CloudHSM. Amazon has hardware security modules for cloud information security storage and transactional use. If on-premises hardware is more your style, vendors such as SafeNet offer HSMs that you can purchase and use in your security storage ecosystem.

Will an HSM guarantee that data is secure? Of course not. Nothing is perfectly secure. (Except for a computer locked in a safe, at the bottom of a mile-deep mine, encased in concrete, and guarded by a battalion of marines. And turned off!) HSMs don't guarantee security; they help with the encryption, encrypted transmission, and compliance of data. That does indeed increase security (pretty significantly, actually), but it doesn't guarantee it.

After all, we did say that people look at the data. And people are the weakest link.



Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

