I'm interested in deploying an external key management system to handle my organization's encryption keys. Is a key management virtual appliance a more secure and efficient option than a self-managed HSM appliance? Does a virtual appliance reduce self-configuration errors that introduce vulnerabilities?
Encryption keys are literally the key to accessing organization data. They protect an organization's most sensitive information, so the system that generates and stores them should be protected at all costs. With that said, what's the best way to use and protect your key manager? Hardware Security Module (HSM) appliances are definitely more secure than virtual appliances and still the most common deployment I've seen. HSMs not only provide better physical security -- they are typically located in the heart of an organization's secure data center -- but they also ensure stored keys are never tampered with by allowing configurations that will destroy all stored keys if someone tries to open the appliance, for example.
Virtual key appliances provide more operational benefits. When you purchase a virtual key appliance the vendor provides a preconfigured, hardened software appliance. This supports more flexible deployment options -- you can run them within a cloud or virtual data center. However, there are known techniques for pulling keys from memory in certain conditions, so an organization should use a vendor that takes exceptional memory protection precautions to keep the keys safe.
Unless you have an environment where a physical data center isn't available, stick to an HSM appliance to ensure the safety of the organization's encryption keys, and leave virtualized services for the rest of your infrastructure while taking comfort in knowing its encrypted connections and data are safe.
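The answer's concern about keys being pulled from memory is usually addressed by an envelope-encryption design: the key-encryption key (KEK) stays inside the key manager's boundary, applications only ever hold short-lived data-encryption keys (DEKs), and they clear those from memory as soon as the operation completes. The following is an added illustration of that pattern, not code from the expert's answer or from any vendor's appliance. `SimulatedKeyManager` is an assumed, in-process stand-in for an HSM or virtual key appliance; its wrapping primitive (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is a stand-in for the AES key wrap or AES-GCM a real appliance would use, chosen only so the example runs with the Python standard library.

```python
"""Envelope encryption with a key manager that never releases its KEK (added example)."""
import hashlib
import hmac
import os


def _prf_stream(key: bytes, label: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = label + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, label: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _prf_stream(key, label, nonce, len(data))))
    tag = hmac.new(key, label + b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, label: bytes, blob: bytes) -> bytearray:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, label + b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytearray(a ^ b for a, b in zip(ct, _prf_stream(key, label, nonce, len(ct))))


class SimulatedKeyManager:
    """Assumed stand-in for an HSM / key appliance.

    The KEK is generated inside the object and no method returns it; callers get
    wrap/unwrap operations only, which is the boundary a real appliance enforces.
    """

    def __init__(self) -> None:
        self._kek = os.urandom(32)  # never leaves this object

    def generate_data_key(self, length: int = 32):
        """Return (plaintext DEK as a mutable buffer, DEK wrapped under the KEK)."""
        dek = bytearray(os.urandom(length))
        return dek, self.wrap(dek)

    def wrap(self, dek: bytearray) -> bytes:
        return _seal(self._kek, b"kek", bytes(dek))

    def unwrap(self, wrapped: bytes) -> bytearray:
        return _open(self._kek, b"kek", wrapped)


def zeroize(buf: bytearray) -> None:
    """Overwrite a key buffer in place. Python cannot guarantee no other copies
    exist, but keeping the DEK in a bytearray and clearing it bounds its lifetime."""
    for i in range(len(buf)):
        buf[i] = 0


def encrypt_record(km: SimulatedKeyManager, plaintext: bytes):
    """Envelope-encrypt one record; the plaintext DEK lives only inside this call."""
    dek, wrapped = km.generate_data_key()
    try:
        return wrapped, _seal(bytes(dek), b"data", plaintext)
    finally:
        zeroize(dek)


def decrypt_record(km: SimulatedKeyManager, wrapped: bytes, blob: bytes) -> bytes:
    dek = km.unwrap(wrapped)  # only the appliance can unwrap; it returns a fresh DEK copy
    try:
        return bytes(_open(bytes(dek), b"data", blob))
    finally:
        zeroize(dek)


def tamper(blob: bytes) -> bytes:
    """Flip one ciphertext byte (constructed input for the integrity check)."""
    b = bytearray(blob)
    b[16] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    km = SimulatedKeyManager()
    wrapped, blob = encrypt_record(km, b"account: 4242, balance: 17.50")
    print(decrypt_record(km, wrapped, blob))
```

The point of the split is that a compromised application host exposes at most the DEKs it is using at that moment, never the KEK, and a corrupted or swapped wrapped key is rejected by the integrity tag instead of silently decrypting to garbage. When evaluating a virtual appliance, ask the vendor how the equivalent of `_kek` is protected in guest memory (memory locking, no swap, no core dumps, zeroization on shutdown), since that is exactly the exposure the answer describes.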
Related Q&A from Randall Gamby