Mainframe as a service: Myth Buster 006.02

Myth006 Part2 – Cryptography and far-reaching implications

In Part 1 we discussed the basic requirements for your cryptography journey. We now focus on the constructs of running off-host Hardware Security Modules (HSMs) versus on-host HSMs versus software HSMs: a three-way comparison, together with some of the considerations to weigh on that journey. Again we stress that you really need to understand the end goal, so that the designs are embedded into your frameworks and systems in a manner that keeps anyone from understanding what is actually happening.

So let us discover together what is meant by off-host, on-host and software HSMs.

Off-host HSMs provide the capability to perform encryption/decryption in dedicated hardware, where the keys exist in the clear only inside the device. There is no way to tamper with these HSMs in order to obtain the clear keys.

On-host HSMs provide the same capability as off-host HSMs; the big difference is that the HSM is securely configured into the physical hardware of the particular host. This is particular to mainframes, where the Crypto Express cards are part of the hardware configuration you order.

Software HSMs also provide the same capability as off-host HSMs, with the difference that all encryption/decryption is done in software, so clear keys may be present in memory. Theoretically, then, someone who knows what they are looking for can extract and exploit these keys.

Let’s discuss the important constructs of cryptography and their various dimensions.

The cipher/algorithm you are going to use. There are currently many available, so you need to be aware of the performance implications of each. Specifically, if you will be using symmetric encryption, be aware of obsolete algorithms; AES is the clear winner. With asymmetric encryption, a public/private key pair is used, with RSA or Elliptic Curve being the most popular algorithms. With hash functions, be aware of the algorithms that have become outdated.

The key size is important, as it defines the logarithmic measure of the fastest known attack against an algorithm. Speed is impacted as the key size grows, so be careful about what you choose and why you are choosing it.

There are separate modes of operation, and the determination of which mode to use is strictly a dimension of the encryption you are seeking. Be very careful here.

Key protection is critical, and you must refrain from using clear keys anywhere. Secure keys are the best option but suit specific purposes, whilst protected keys are used for extreme-volume situations.

Crypto requests to an HSM are also affected by whether the HSM is off-host, on-host or in software, apart from the performance constructs above. The difference is milliseconds for off-host versus microseconds for on-host.

Over and above this is key management, specifically for symmetric encryption, which ensures that keys can be injected securely from trusted sources. For asymmetric encryption it is normally a journey with a certified certificate engine that will enable trust.

A cryptography journey is not just buying a set of products and believing that it’s the silver bullet that will resolve your problems. You have to really take a deep dive into what you want to achieve and embed into your designs the key secrets you would like to be kept as secrets.

So the myth that cryptography is the silver bullet has been busted. You need far deeper levels of engagement to ensure the correct enablers are in place to execute your security designs.