Security best practices for encryption key storage, management and protection are critical to protecting valuable data wherever it is located, but implementing the security requirements needed by your organization, as well as those of regulatory and audit bodies, can be a challenge. How many times have you wondered how to achieve regulatory compliance? Or how many times have you felt lost in the complex requirements of regulations such as FIPS, eIDAS, Common Criteria, GDPR and HIPAA, or standards such as PCI-DSS?
Hardware Security Modules (HSMs) are dedicated crypto processors specifically designed for the protection and integrity of the crypto key lifecycle, and are a critical component for applications that require FIPS compliance. They act as trust anchors that protect the cryptographic infrastructure by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device. As an integral part of an enterprise’s drive to protect its data and help meet compliance, they provide a scalable infrastructure layer to support the increasing number of applications that require the use of cryptography to deliver security.
What is FIPS 140-2 Level 3 Certification?
FIPS 140-2 (Federal Information Processing Standard) is a US government computer security standard used to approve cryptographic modules that include both hardware and software components. Issued by the National Institute of Standards and Technology (NIST), it specifies the security requirements that must be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. FIPS 140-2 outlines the areas of cryptography that must be considered during design and implementation, such as physical security, roles, ports and interfaces, key management and cryptographic module specifications.
FIPS 140-2 Security Level 3 attempts to prevent an intruder from gaining access to Critical Security Parameters (CSPs) held within the cryptographic module. CSPs are information such as secret and private cryptographic keys, and authentication data such as passwords and PINs, whose disclosure or modification can compromise the security of a cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module.
For a breakdown of the various FIPS 140-2 security levels read through What is FIPS 140-2?
FIPS 140-2 Level 3-validated Luna HSMs
Thales Luna HSMs provide the highest levels of security by always storing cryptographic keys in hardware. Luna HSMs provide a high assurance, secure crypto foundation as the keys never leave the intrusion-resistant, FIPS 140-2 validated appliance unlike alternative solutions in the market. Since all cryptographic operations occur within the HSM, strong access controls prevent unauthorized users from accessing sensitive cryptographic material. Luna HSMs are cloud agnostic, and are widely used by Microsoft, IBM and AWS, providing a “rentable” HSM service that dedicates a single-tenant appliance located in the cloud for customer cryptographic storage and processing needs.
Luna HSM – FIPS 140 Security Features
Cryptographic modules, like the Luna HSM, that are certified as meeting the requirements of FIPS 140-2 Security Level 3, have characteristics that aim to preserve the confidentiality, integrity and availability of both the cryptographic module and the CSPs stored in the module. In addition to meeting the rigorous requirements to meet FIPS certification, customers benefit from the following security features offered by Luna HSMs:
- Keys in Hardware – ensure your keys are safe from a breach and benefit from both physical and logical protections with Thales’s keys-in-hardware approach, always storing your high-value keys in a high-assurance vault;
- Create an audit trail and prove you know the whereabouts of your keys at all times with secure audit logging;
- Split an authentication secret into multiple parts with multi-factor authentication (MFA) such as MofN, so that several overseers must be present in order to initialize the HSM;
- Strong enclosures and tamper-detection/response circuitry that zeroes all plaintext CSPs when the removable covers/doors of the cryptographic module are opened;
- Permanently prevent access to material contained within the HSM, and ensure all partitions and their contents are deleted, including the audit role and the audit configuration, by directly decommissioning the HSM without the need for either a serial console or a remote SSH connection; and
- Run FIPS-validated hardware-to-hardware backup and restore with Luna Backup HSM or in the cloud with Data Protection on Demand.
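The MofN item in the list above describes a threshold scheme: an authentication secret is split into N parts so that any M of them suffice and fewer than M reveal nothing. The following Python sketch is an added educational illustration of that idea using Shamir's secret sharing over a prime field; it is not Luna's implementation nor code from this post, and the field prime, share layout and use of the `secrets` module are assumptions made here.

```python
# Educational Shamir secret sharing illustrating the "MofN" threshold concept.
# Not the Luna HSM implementation: prime, share format and RNG are assumptions.
import secrets

# Prime field modulus (Mersenne prime 2^127 - 1); secrets must be below P.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate polynomial coeffs[0] + coeffs[1]*x + ... at x, mod P (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret, m, n, rng=secrets.randbelow):
    """Split `secret` into n shares (x, y); any m of them reconstruct it."""
    if not 1 < m <= n:
        raise ValueError("need 1 < M <= N")
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [rng(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 to recover the constant term.

    With fewer than M distinct shares the result is a (useless) wrong value.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        # den is nonzero because share x-coordinates are distinct; invert via
        # Fermat's little theorem since P is prime.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo(secret=0x5EC12E7, m=3, n=5):
    """Return (reconstructs from M shares, reconstructs from all N shares)."""
    shares = split_secret(secret, m, n)
    return recover_secret(shares[:m]) == secret, recover_secret(shares) == secret
```

Any M-sized subset of shares works, which is what lets several overseers be required without making every single one of them indispensable.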
Luna HSMs NIST FIPS 140-2 Level 3 Certification
According to the NIST certificate #3205, “The SafeNet Luna K7 Cryptographic Module is a high-assurance, tamper-resistant Hardware Security Module which secures sensitive data and critical applications by storing, protecting and managing cryptographic keys. It provides end users with industry-leading security and performance, and can quickly be embedded directly into security appliances for FIPS 140-2 validated key security. The module meets compliance and audit needs for HIPAA, PCI-DSS, eIDAS, GDPR.”
The latest firmware version, 7.3.3, for Luna HSMs is certified as FIPS 140-2 Level 3 by NIST and is available for download on the Thales support portal (Luna Network HSM 7 | Luna PCIe HSM 7). In addition, Thales offers a FIPS 140-2 Level 3 certified Cloud HSM service, Data Protection on Demand.
Thales Can Help
Protecting encryption keys in a FIPS 140-2 cryptographic module is necessary to maintain the confidentiality and integrity of your high value data. Avoid hefty fines by ensuring your firmware and policies are compliant, protected by a Luna HSM hardware root of trust.
Contact us to determine how we can help you achieve compliance for PKI, code signing, certificate and document signing, digital signatures, SSL/TLS, cloud, database encryption and more, with a variety of form factors to suit your needs, including network-attached, PCIe card, USB-attached and cloud-based HSMs.