Security and Handling Considerations - HSM Appliance

This section discusses general security and handling issues related to the SafeNet Network HSM appliance.

Physical Security of the Appliance

The HSM appliance is a commercial-grade secure appliance. This means that:

It is provided with anti-tamper external features that make physical intrusion into the unit difficult - tamper-resistant screws must be drilled out in order to open the case, and tamper-evident stickers secure the seams. These measures do not stop a determined attacker; they deter casual intrusion and leave visible evidence of attempts (successful or otherwise) to open the unit.

Vents and other paths into the unit are baffled to prevent probing from the outside.

The HSM Keycard inside the appliance, which houses the actual HSM components, is encased in an aluminum shell filled with hardened epoxy. Attempts to gain access to the circuit board itself would leave physical evidence of the attempted access and would likely destroy the circuitry and components, thus ensuring that your keys and sensitive objects are safe from an attacker.

If an attacker with unlimited resources were to simply steal the appliance and apply the resources of a well-equipped engineering lab, it might be possible to breach the physical security. However, without the Password (password-authenticated HSMs) or the PED Keys (PED-authenticated HSMs), such an attacker would be unable to decipher any signal or data that they managed to extract.

With that said, it is your responsibility to ensure the physical security of the unit to prevent such theft, and it is your responsibility to enforce procedural security to prevent an attacker ever having possession of (or unsupervised access to) both the HSM and its authentication secrets.

Physical Environment Issues

The data sheets provided by SafeNet show the environmental limits that the device is designed to withstand. It is your responsibility to ensure that the unit is protected throughout its working lifetime from extremes of temperature, humidity, dust, and vibration/shock that exceed the stated limits.

We do not normally specify operational tolerances for vibration and shock, as the SafeNet HSM is intended for installation and use in an office or data center environment. We perform qualification testing on all our products to ensure that they will survive extremes encountered in shipping, which we assume to be more demanding than the intended operational environment.

It is also your responsibility to ensure that the HSM appliance is installed in a secure location, safe from vandalism, theft, and other attacks. In summary, this usually means a clean, temperature-, humidity-, and access-controlled facility. We also strongly recommend power conditioning and surge suppression to prevent electrical damage, much as you would do for any important electronic equipment.

Communication

Communications with the unit are either local and, therefore, subject to direct oversight and control (you decide who is allowed to connect to the serial port or the PED port), or via secure remote links. All remote communications are as secure as SSH and TLS, with a tunneling protocol, can make them.

Authentication Data Security

It is your responsibility to protect passwords and/or PED Keys from disclosure or theft and to ensure that personnel who might need to input passwords do not allow themselves to be watched while doing so, and that they do not use a computer or terminal with keystroke logging software installed.

HSM Audit Data Monitoring

The HSM Keycard of the SafeNet HSM appliance stores a record of past operations that is suitable for security audit review. The easiest way to retrieve this record is to use the "hsm supportinfo" command and extract the dual port data provided within the supportinfo.txt file that is returned by the command. Because of the limited storage capacity of the HSM card, it has a limited-size window in which to write these records, and it must periodically restart from the beginning of the window and overwrite existing records. For this reason, it is important that the audit data be retrieved often enough to ensure no data loss. Under typical load conditions, retrieving the file once every eight hours should be sufficient. However, for very heavy loads or operations containing large input data payloads, it might be necessary to retrieve the file as often as once per hour.
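Because the card's window wraps and overwrites older records, the operational question is whether any records were lost between two successive retrievals. The following added example (not SafeNet's code, and not the real dual port record layout) shows how a collector can archive each retrieval and detect a wrap-around gap. It assumes each record carries a monotonically increasing sequence number; the `seq=... ts=... op=...` line format and the three sample retrievals are constructed for the illustration.

```python
"""Added example: detect audit-window overwrites between successive
retrievals of dual port data extracted from supportinfo.txt.

Assumptions (not from the product documentation):
  * every record carries a strictly increasing sequence number;
  * the `seq=<n> ts=<iso-time> op=<name>` line layout is a constructed
    stand-in for whatever the real extract looks like.
"""
import re
from dataclasses import dataclass

RECORD_RE = re.compile(r"seq=(\d+)\s+ts=(\S+)\s+op=(\S+)")


@dataclass(frozen=True)
class Record:
    seq: int
    ts: str
    op: str


def parse_records(text):
    """Parse constructed record lines; lines that do not match are ignored
    (supportinfo.txt carries plenty of unrelated diagnostic text)."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            out.append(Record(int(m.group(1)), m.group(2), m.group(3)))
    return sorted(out, key=lambda r: r.seq)


def merge_retrieval(archive, new_records):
    """Append one retrieval to the running archive.

    Returns (merged_archive, lost_sequence_numbers). Overlap between
    retrievals is expected and de-duplicated; a hole between the last
    archived sequence number and the first new one means the card wrapped
    its window and overwrote records before they were fetched, i.e. the
    retrieval interval is too long for the current load."""
    if not new_records:
        return list(archive), []
    last_seen = archive[-1].seq if archive else new_records[0].seq - 1
    first_new = new_records[0].seq
    lost = list(range(last_seen + 1, first_new)) if first_new > last_seen + 1 else []
    merged = list(archive) + [r for r in new_records if r.seq > last_seen]
    return merged, lost


# Constructed sample retrievals: the second overlaps the first (fine), the
# third starts at seq 12 although the archive ends at 9 (10 and 11 lost).
RETRIEVAL_1 = "\n".join(f"seq={i} ts=2024-01-01T00:0{i}:00Z op=sign" for i in range(1, 6))
RETRIEVAL_2 = "\n".join(f"seq={i} ts=2024-01-01T00:0{i}:00Z op=sign" for i in range(4, 10))
RETRIEVAL_3 = "\n".join(f"seq={i} ts=2024-01-01T00:{i}:00Z op=verify" for i in range(12, 15))


def demo():
    """Run the three retrievals through the collector; returns the final
    sequence list and the sequence numbers reported lost at each step."""
    archive, losses = [], []
    for text in (RETRIEVAL_1, RETRIEVAL_2, RETRIEVAL_3):
        archive, lost = merge_retrieval(archive, parse_records(text))
        losses.append(lost)
    return [r.seq for r in archive], losses


if __name__ == "__main__":
    seqs, losses = demo()
    print("archived:", seqs)
    for i, lost in enumerate(losses, 1):
        print(f"retrieval {i}: lost {lost or 'nothing'}")
```

When a retrieval reports lost sequence numbers, shorten the retrieval interval (the page's guidance ranges from every eight hours down to hourly under heavy load) and treat the gap itself as an auditable event, since it means a period of HSM activity that can no longer be reviewed.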

Audit Logging

Beginning with SafeNet HSM 5.2, the secure Audit Logging feature provides an Audit role (white PED Key) separate from all other HSM roles, to manage a secure audit logging function. Audit logging sends HSM log event records to a secure database on the local file system, with cryptographic safeguards ensuring verifiability, continuity, and reliability of HSM event log files.
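The safeguards named above (verifiability, continuity, reliability) are properties a log format can provide by chaining entries and sealing them under a key that only the Audit role holds. The following added example is a generic illustration of that idea, not SafeNet's actual audit-log format or algorithm: each entry commits to the digest of the previous one, and an HMAC under an audit key seals every entry, so editing, deleting or reordering any entry breaks verification at that point. The key and event strings are constructed for the example.

```python
"""Added illustration (not SafeNet's scheme): a hash-chained, HMAC-sealed
event log and the verifier an auditor would run over it.

Entry layout (constructed): {"seq", "event", "digest", "mac"}.
  digest = SHA-256(prev_digest || seq || event)   -> continuity
  mac    = HMAC-SHA-256(audit_key, digest)         -> verifiability
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # digest that the first entry chains from


def _entry_digest(prev_digest, seq, event):
    return hashlib.sha256(
        prev_digest + seq.to_bytes(8, "big") + event.encode("utf-8")
    ).digest()


def append_entry(log, audit_key, event):
    """Append one event to the log in place and return the new entry."""
    prev = bytes.fromhex(log[-1]["digest"]) if log else GENESIS
    seq = log[-1]["seq"] + 1 if log else 1
    digest = _entry_digest(prev, seq, event)
    mac = hmac.new(audit_key, digest, hashlib.sha256).hexdigest()
    entry = {"seq": seq, "event": event, "digest": digest.hex(), "mac": mac}
    log.append(entry)
    return entry


def verify_log(log, audit_key):
    """Return (ok, first_bad_seq). Checks, entry by entry: sequence
    continuity (no missing or reordered entries), the chain digest
    (no edited content), and the MAC (no entry forged without the key)."""
    prev, expected = GENESIS, 1
    for e in log:
        if e["seq"] != expected:
            return False, e["seq"]
        digest = _entry_digest(prev, e["seq"], e["event"])
        if digest.hex() != e["digest"]:
            return False, e["seq"]
        mac = hmac.new(audit_key, digest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, e["mac"]):
            return False, e["seq"]
        prev, expected = digest, expected + 1
    return True, None


def build_sample_log(audit_key):
    """Constructed sample: three events as an auditor might export them."""
    log = []
    for event in ("login role=SO", "partition create", "key generate rsa"):
        append_entry(log, audit_key, event)
    return log


if __name__ == "__main__":
    key = b"constructed-audit-key"  # in practice held by the Audit role
    log = build_sample_log(key)
    print("intact:", verify_log(log, key))
    log[1]["event"] = "partition delete"  # tamper with the middle entry
    print("edited:", verify_log(log, key))
```

One caveat the verifier makes visible: removing entries from the *end* of the log is not detected by the chain alone, because every remaining entry still verifies. Continuity against truncation needs the expected next sequence number (or last digest) recorded somewhere the log writer cannot reach, which is the kind of role separation the Audit role provides.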

Intended Installation Environment

The following assumptions are made about the environment in which the SafeNet cryptographic modules will be located and installed:

Those responsible for the SafeNet HSM must ensure that the authentication data for each SafeNet HSM account is held securely and not disclosed to persons not authorized to use that account.

Those responsible for the SafeNet HSM must ensure that it is installed, managed, and operated in a manner that is consistent with the local security policy.

The host IT environment must be configured and checked to ensure that any applications installed in the host environment that require access to the HSM are legitimate and valid and have been vetted for authenticity and integrity (i.e., have not been modified for malicious purposes).

Those responsible for the SafeNet HSM must ensure that it is installed and operated in an environment that is protected from unauthorized physical access.

Those responsible for the SafeNet HSM must ensure that there are procedures in place such that, after a system failure or other discontinuity, recovery of the SafeNet HSM and the host IT environment is possible without compromise of IT security.

Those responsible for the SafeNet HSM must ensure that those using the SafeNet HSM (including Security Officers and Token/Partition Users) have a level of competence sufficient to ensure its correct management and operation. This competence may be established through a combination of training and the accompanying Installation Guide and Configuration, Administration, and Reference documentation.

Procedural and physical measures must prevent the disclosure of cryptography-related IT assets to unauthorized individuals or users via the electromagnetic emanations of the SafeNet HSM.

Those responsible for the host IT environment must ensure that no connections are provided to outside systems or users that would undermine IT security.

Those responsible for the host IT environment must ensure that the power supplied to the SafeNet HSM is adequately protected against unexpected interruptions and the effects of surges and voltage fluctuations outside the normal operating range of the device.

Those responsible for the host IT environment must ensure that the SafeNet HSM is operated in an environment that provides adequate protection against disasters such as fire and flood.

Those responsible for the host IT environment must ensure that the SafeNet HSM is located in an environment that is adequate to protect security-relevant and cryptographic key data and the SafeNet HSM firmware from interference or inadvertent modification by strong electromagnetic radiation from other sources.