HSM vs software-only Key Management?

Picking the right tool for your encryption job

Why pick? - both have a role in an enterprise key management strategy

The traditional approach to protecting encryption keys and data is to use a Hardware Security Module (HSM). There are many different HSM vendors and models and the core features common to all are the ability to provide encryption and decryption of data/keys and store the master key (a key that never leaves the HSM).

Most organizations need to protect many types of data ranging from credit card data (numeric, 16 digits), personal identifying data (PII), images (x-ray), video (CCTV), through to databases, etc.

Whilst credit card numbers are small in size and suitable for rapid transport and processing inside an HSM, the same is not true for databases and other large data types.

Randtronics DPM is a data security platform for encryption. It centrally coordinates encryption and key management for applications, file storages and databases to protect sensitive data right across an organization – thus protecting data (and copies) regardless of the size wherever they reside.

Customers using Randtronics DPM tailor key policies to selectively use software-generated keys or HSM generated keys depending on business needs. Randtronics supports a wide range of multivendor HSMs.

Unlike HSM’s that require specialist skills to operate, Randtronics DPM is designed to simplify and automate all aspects of data privacy administration:

maintaining all keys and certificates across their lifecycle based on centrally managed policy
no-code change data protection at the file/ folder (transparent data encryption) and database field level (for Oracle and MS SQL)
low-code change field-level data protection via Randtronics API for any application and databases – stored anywhere
best practice guideline implementation of policy-based key management, policy-based data encryption and spoofing, as well as access control, separation of duties and auditing

Randtronics DPM makes encryption easy;

For businesses, that have held-off implementing widespread encryption over concerns of implementation disruption and the challenge of hiring and retaining specialist skills – Randtronics DPM makes encryption easy
For businesses seeking to rationalize their encryption protections and close gaps in their attack surface – Randtronics DPM makes it easy to close the gap between piecemeal encryption and effective encryption

Enterprise Key Management

Enterprise Key Management platforms are playing an increasing important role as organization tighten up their data protections, implement more encryption and need to manage more keys (and manage them more effectively):

Shift to comprehensive encryption: legacy approaches to encryption often created island or silo’s of protection with the unfortunate result that some organizations suffered data breach despite encrypting some of their systems;
Role separation best practice: data privacy guidelines including the recommendations contained in GDPR and the increasing number of international PDPL frameworks modelled after this approach, stress the need of role separation. Many organisations using EKM systems hand control of key administration to a dedicated data privacy team, with benefits both in terms of reducing the number of technical staff required with deep HSM knowledge and visibly demonstrating to data auditors role separation and maintenance of key change records.

Enterprise Key Management also brings benefits to organizations using Hardware Security Modules:

Reduce dependence on specialist skill: remove day-to-day administration responsibility from the technical team, make more effective use of highly skilled staff and/or mitigate challenges in hiring technical skills to support multiple HSMs (multi-vendor and multi-generation)
Increase economic life of HSM fleet: Simplify task of rotating in new HSM’s for PCI or other highly sensitive requirements – rotate older HSM for general use complementing software-based keys