There are two main types of HSM: payment HSMs, designed for payment and transaction processing, and general-purpose HSMs, which generate, store and manage keys, encrypt and decrypt data, and create and verify digital signatures.
HSMs can be used on-premises or remotely. Most of the major cloud providers offer cloud-based HSM services that let organizations generate and use their own encryption keys within the cloud infrastructure. While this approach has its advantages, it can introduce performance and latency issues. With proper support, it is easier and safer to maintain your own solution.
Some HSMs offer special features that can be utilized by QTSPs (qualified trust service providers). For example, the Trident HSM meets the requirements of eIDAS, the regulation of the European Parliament and the Council that specifies the conditions and requirements for electronic identification and trust services for electronic transactions in the internal market. This means that QTSPs can base their qualified electronic signature services on the Trident HSM.
There are special options on the HSM market for organizations that need an extra high level of security. For example, the Trident HSM offers a Secure Multi-Party Computation capability. This enables companies to organize multiple HSM devices into a distributed cluster and manage (generate, store, use, delete) their cryptographic keys in a truly distributed way within the cluster. The key material cannot be recovered independently from any single device, so even if one or two of them are compromised in any way, the information obtained is worthless.
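To make the "one or two compromised devices learn nothing" property concrete, here is an added example (not Trident's code; the page does not say which scheme the product uses) using Shamir threshold secret sharing over a prime field. With a 3-of-5 split, any three shares recover the key, while any two shares are consistent with every possible key, which is the reason the leaked material is worthless.

```python
import secrets

# Field prime (constructed choice, large enough for a 128-bit key; not a Trident parameter).
P = 2**127 - 1

def interpolate_at(points, x):
    """Lagrange interpolation over GF(P): value at x of the unique polynomial
    of degree < len(points) that passes through all the given points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def split_secret(secret, n, t):
    """Split secret into n shares (x, y): any t reconstruct it, t-1 reveal nothing."""
    assert 0 <= secret < P and 1 < t <= n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    def f(x):  # Horner evaluation of the random degree-(t-1) polynomial
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Recover the secret (the constant term, i.e. the value at x=0) from >= t shares."""
    return interpolate_at(shares, 0)

def explain_away(partial_shares, candidate_secret, missing_x):
    """Given only t-1 shares, compute the share at missing_x that would make
    candidate_secret the 'true' secret. This always succeeds, so t-1 shares are
    consistent with every secret: an attacker holding them learns nothing."""
    return interpolate_at([(0, candidate_secret)] + list(partial_shares), missing_x)

def demo():
    key = secrets.randbelow(P)
    shares = split_secret(key, n=5, t=3)
    recovered = reconstruct(shares[:3]) == key and reconstruct(shares[2:]) == key
    leaked = shares[:2]                      # two compromised devices
    guess = secrets.randbelow(P)             # any key the attacker might hypothesise
    forged = explain_away(leaked, guess, shares[2][0])
    # The leaked shares plus the forged third share "reconstruct" the arbitrary guess.
    indistinguishable = reconstruct(leaked + [(shares[2][0], forged)]) == guess
    return recovered and indistinguishable
```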
The effectiveness and reliability of HSMs are verified by international security certifications, so HSM owners can rest assured that their data and processes are protected by proven methods and technologies. The two most common certifications are FIPS 140-2 and Common Criteria. FIPS 140-2 is mandated in the US for many federal agencies that use cryptography-based security systems to protect sensitive information in computer and telecommunication systems. In many European countries, on the other hand, Common Criteria certifications are required in such cases. Many public organizations are not obliged to use solutions with such certifications, but choose to do so anyway in order to ensure the security and reliability of the purchased product. Find out more about the differences between the two most common certifications in our whitepaper "Standards and certifications for HSM devices".
To learn more about the topic, download our free ebook: Why every company needs HSM.