PCI compliance encryption includes hardening key management systems

As companies deploy encryption to protect cardholder data, French security giant Thales Group is making the case for hardware security modules (HSMs) to protect the underlying key management systems at the heart of all encryption systems. According to Richard Moulds, vice president of product strategy at Thales eSecurity, about 70% of credit and debit transactions pass through Thales encryption systems. Visa Inc. is a major customer and uses Thales hardware security modules as part of its underlying infrastructure to protect Visa-based transactions. The company acquired the HSM technology from NCipher in 2008 and is working closely with encryption and tokenization vendors. But why haven't more merchants stepped up to deploy hardware security modules to encrypt cardholder data? Are HSMs too expensive and difficult to maintain? Or are many merchants turning to service providers to handle credit card data, ultimately moving all cardholder data outside the company walls? Moulds explains the challenges ahead for the payment industry.

If I'm a large Tier-1 merchant and I want to deploy hardware security modules, do I need to deploy at every single one of my satellite locations or is it easier than that?
No, you don't need to deploy a hardware security module at every single point where some sort of encryption might be done. Like most things in security, you're going to make some sort of assessment of risk and pain versus security benefits. It might well turn out that you're using an encryption system that can encrypt data at the remote edges of your network, but most of your keys are actually contained at the center. Therefore the hardware security modules, the things that actually protect keys, might be relatively essential to your organization and live within your data center. As time goes by, we might see hardware modules find their way out to the edge of networks. This is relatively specialized technology. There are relatively few people in an organization who know how to manage this type of security and I think most people elect to have hardware modules be relatively close to the center.

You mentioned end-to-end encryption. A number of people have recently called that more of a marketing term. Can you define what Thales means when it says end-to-end encryption?
At the end of the day, Thales is really a provider of key management technology rather than encryption. It's our partners like Voltage Security Inc. that are really the encryption providers and what we do is really the security of their system, bringing key management components to essentially complement the Voltage products. I think the term end-to-end encryption has been brought to the forefront lately by Heartland Payment Systems Inc. This goes back to the point I was making earlier. Certain data like PIN numbers have been protected end-to-end for a long time in payments networks and I think that Heartland is fully aware of that because they're a payments processor. What they are doing essentially is applying those same protection methodologies to other cardholder data. They're saying, "Look, if we can encrypt a PIN number when a user types it into an ATM or point-of-sale device, then why can't we encrypt the cardholder data?" The term essentially means, let's try and encrypt this information at the moment in which it's captured.

How prescriptive do the PCI Data Security Standards get when it comes to key management?
It doesn't get very prescriptive. It says there should be as few places storing keys as possible, which makes perfect sense. The people that administer the keys ought to be strongly authenticated and ideally more than one administrator would need to take part in the process to actually make a change to the system. Some form of mutual supervision of administrators is recommended. When you actually try to deploy these systems, it probably would be insufficient to follow the guidelines of PCI DSS. There are many more operational aspects that you would need to consider.

In a survey you commissioned recently with the Ponemon Institute, of 155 QSAs, 81% require or recommend hardware security modules to manage data protection. If that's the case, why aren't we seeing more adoption? Is it very expensive to deploy hardware security modules?
As I say to my wife, expense is a relative thing. If you're trying to protect your entire payment infrastructure that is managing billions of dollars a year, then no, HSMs are not expensive. You always have to look at these things in the context of a broader security investment. It's certainly true to acknowledge that hardware modules have been relatively specialized technologies for quite some time. Some organizations can get by with buying ten or so hardware modules; companies don't have thousands of these things. The market isn't for hundreds of thousands of these devices a year. I think we're at the tipping point in that industry. The notion of an HSM as a very centralist, specialized security function, purchased by the most sophisticated security purchasers in the world, has been fine for 10 years. What we're now seeing are those same best practices and same techniques being applied to much more diverse, much more mainstream cryptographic markets. That's put some pressure on the HSM market to gear their products to consumers that are less experienced and seeking a less sophisticated way that cryptography can be used and deployed. I think we'll see the market for hardware security modules or hardened key management and cryptography processing change dramatically. We'll see prices go down, usability go up and the range of form factors for people to deploy increase quite broadly.

Thales acquired NCipher in 2008 and that seems to be the genesis of Thales' key management and cryptographic hardware. Does that part of the business operate on its own or did you integrate it with some of the security lines that you have?
It's true that the NCipher acquisition bolstered the enterprise portfolio of Thales. But Thales was already in the enterprise space. It is perhaps best known for its role in payments networks. About 70% of credit and debit transactions pass through Thales encryption systems. There's a lot of talk these days about end-to-end protections for PCI DSS data and cardholder data, but we tend to forget that the PIN numbers we type into the point-of-sale devices and ATM machines are already protected and encrypted end-to-end because of the entire payment infrastructure. So Thales has been strong worldwide in the payments encryption and payments security space. And what the acquisition of NCipher was able to achieve was essentially expand that footprint beyond just the payments market into the broader financial services.

Let's talk about the benefits of deploying a hardware security module for PCI compliance encryption. It seems counter to the way the industry is moving. Isn't it counter to the whole cloud computing movement?
It's interesting that you made that point about hardware modules seemingly at odds with the general transition towards outsourced services and cloud-based systems. I can see that point and in many ways when you think about the cloud, it has a lot of operational benefits and a lot of flexibility and advantages, but one of the downsides of cloud-based systems or any service offering is that you're giving up a certain amount of control. You don't necessarily know for sure which servers are processing which transactions and which disk drives and which backup tapes are containing exactly what data. That's one of the trade-offs. You tend to give up visibility for flexibility sometimes.

What we're talking about here when we talk about cryptography is the real infrastructure-grade security. When one looks at these things called keys, they're underpinning the whole fabric. If you've got a system that is encrypting your storage environment, if you've got a system that is encrypting data that is sucked in from the point-of-sale devices, some of the hearts of those systems are going to be keys and need to be physically protected. You need to know where these keys are, you need to know whether copies of these keys have ever been made and you need to know very explicitly, which administrators have ever had access to these keys. One of the first things auditors do when they ask about encryption in these systems is "where are the keys, who looks after them and who has the right to change them?" So, yes, services are fantastic, but there are certain things, some core security infrastructure, you don't really want to put out to service. You want it to be in as few places as possible. Some things should be kept very isolated and locked down.
