Protecting Your Certificates and Guarding Access to Your Fortress
March 30, 2011, 08:38 am EDT
In recent weeks, we have seen several attacks against organizations that have been renowned for security. It is not that these organizations were insecure; rather, the face of the security playing field is changing.
For years, organizations sought refuge in the fact they had a secure PKI in place to protect their sensitive systems, and that usernames and passwords were enough to protect against unauthorized access into those systems. But recently, we are seeing targeted attacks against the authentication infrastructure, signifying that usernames/passwords are no longer enough. These attacks have further supported the argument that integrating support for two-factor authentication is critical. Only this form of authentication can ensure that users trying to gain access into the infrastructure are who they claim to be. The more factors used to determine a person’s identity, the greater the trust of authenticity. Strong authentication can be achieved using a combination of the following factors:
• something you know – password or PIN
• something you have – token or smart card (two-factor authentication)
• something you are – biometrics, such as a fingerprint (three-factor authentication)
The threat model is changing, and because multi-factor authentication requires multiple means of identification at login, it is widely recognized as the most secure method for authenticating access to data and applications.
This by no means indicates that up to this point organizations lacked security protocols. In fact, leading organizations have relied on the issuance of certificates to create a chain of trust in numerous applications, from the most sensitive transactions to day-to-day business transactions. Since their inception, CAs have relied on a PKI system to secure the certificates themselves. The integrity of this system is dependent on the trust of the identities it issues. To trust those identities, CAs have secured a trust anchor at key points in the infrastructure, such as the Root CA, issuing CAs, Registration Authorities, OCSP responders, and high-value websites.
In this scenario, hardware security modules (HSMs) are the trust anchor for protecting certificates, authenticating and providing integrity for the most sensitive CA infrastructures today. In general, HSMs are dedicated systems that physically and logically secure cryptographic keys and cryptographic processing. Unlike appliances that store certificates in software, SafeNet HSMs employ a keys-in-hardware approach that maintains the high-assurance keys within the confines of the HSM throughout their lifecycle, including distribution, rotation, storage, termination, and archival.
HSMs protect cryptographic keys, and that protection is instrumental in ensuring the confidentiality of digitized information. To illustrate the robustness of HSM security, the following are the steps a key-stealing attacker would need to follow:
- Gain entrance to the environment where the HSM device has been deployed.
- Locate and steal the HSM device, which is typically stored in a physically secured safe or locked down in a datacenter.
- Disassemble the device without damaging it, including removing the potting material many tamper-resistant HSMs use.
- Reverse-engineer the flash contents of the device to find the key material.
Again, general-purpose servers that host key storage software do not have similar safeguards. In addition, and of equal importance, this same tightly controlled, physically protected environment defends HSM software/firmware from exploits aimed at software vulnerabilities. Without extraordinary and likely cost-prohibitive efforts, defenses on general-purpose servers do not compare.
For more than 25 years, SafeNet hardware security modules have been protecting more PKI infrastructures than any other solution. Leveraging SafeNet HSMs provides the assurance that these key trust anchor points are protected and their digital identities assured.
We are all susceptible to attack in today’s technological environment, but by deploying multi-factor authentication at the front end to authenticate parties trying to enter your system, and securing the certificates in a hardware security module, a solid defense can be established. With this approach, attacks to our systems can be avoided, and the integrity of our communications and other infrastructures can be protected.
This entry was posted in Authentication, Compliance, Digital Signatures, DNS SEC, Energy, Financial Services, Healthcare, Key Management, Manufacturing, Retail by Trisha Paine.