DATA SHEET

// Delivering Scalable Private Security with Leaders

Hardware Security Modules (HSMs) protect machine identities by generating strong keys for SSL/TLS and SSH—these cryptographic keys, along with digital certificates, serve as machine identities. But previously, when enterprises wanted to combine HSMs with certificate life cycle management, they had to rely on custom development or resource-intensive manual processes. With the introduction of Venafi Advanced Key Protect, organizations can now use the Venafi Platform for fast, automated orchestration of secure HSM key generation and protection combined with certificate issuance to improve security, increase efficiencies and meet compliance requirements. The full key and certificate life cycle is automated without the need for administrator interaction.

As the number of severe vulnerabilities and attacks targeting machine identities increases, the need for strong private keys for SSL/TLS and SSH throughout the enterprise is becoming more acute. For example, when private keys are stored in files or memory, they are susceptible to file and memory scraping as well as recent side-channel attacks. HSM-generated keys address these risks by producing strong FIPS-compliant private keys with maximum entropy, using certified random number generation and secure hardware protection for keys.

HSMs have long been used in security-conscious industries, including Banking, Financial Services, Federal Agencies and Retail. Critical business applications containing sensitive data, such as PCI, PII and PHI, are now using HSM key generation and hardware protection of data.

Advanced Key Protect At a Glance

Venafi Advanced Key Protect powers the use of secure hardware-based cryptographic keys by orchestrating HSM-based generation and protection of cryptographically strong keys combined with certificate automation.

Prerequisites
• The Venafi Platform
• One of the following
  - Gemalto SafeNet Network HSM
  - nCipher nShield Connect HSM

Benefits
• Leverage your existing HSM investment for strong key generation and protection
• Automate certificates and keys in a FIPS 140-2 Level 2 environment supported by HSMs
• Comply with industry and internal security requirements
• Generate strong keys from a NIST certified random bit generator (RBG)
• Orchestrate strong keys across your enterprise under strict policy control
• Eliminate risk of stolen keys from file systems, software certificate stores and system memory

©2021 Venafi, Inc. All rights reserved.

The Solution: Venafi Advanced Key Protect

Venafi Advanced Key Protect delivers an out-of-the-box solution that overcomes these challenges. It integrates with industry-leading HSMs, including Gemalto and nCipher, to leverage strong HSM keys throughout an enterprise. As an add-on module to the Venafi Platform, Advanced Key Protect applies policy and workflow controls and enables fast, automated orchestration of keys and certificates. Together, these capabilities make it possible for enterprises to ensure the consistent use of the strongest cryptographic keys possible.

HSMs are critical for secure PKI and for the protection of deployed SSL/TLS certificates to critical business applications. Now, with the close partnership between Venafi and leading HSM vendors, management has been dramatically simplified. HSM-generated keys can now be accessible at machine speed, even in complex, high-security environments.

HSM security benefits are so strong that regulations like PCI-DSS recommend that all private cryptographic key material be generated and stored within an HSM to protect in-scope PCI systems. In addition, entities doing business with government agencies must adhere to FedRAMP standards. Beyond standards and regulations, organizations can substantially improve their overall security by leveraging HSMs to protect private cryptographic key material across the enterprise.

Traditionally, HSMs have only been deployed for a narrow set of applications. Despite the improved key strength and overall protection that HSMs provide for digital keys, their management burden has kept them from being utilized broadly. With Venafi Advanced Key Protect, organizations can easily expand usage and increase the value they get from their HSMs.

HSM Key Management Challenges

Broad HSM usage without key and certificate life cycle orchestration for SSL/TLS and SSH creates new challenges for organizations that want complete visibility into all of their keystores—this is a challenge even for the keys stored in the HSM. Organizations that deploy HSMs widely also lack the ability to centrally manage all their distributed keystores and are unable to consistently apply enterprise policy controls.

Previously, when organizations wanted to use automation to leverage strong HSM keys, manage the entire key life cycle, and apply policies or streamline workflows, they had to create custom scripts or run manual processes—both of which require major investments. These largely manual efforts often resulted in high-maintenance, error-prone solutions that did not scale.

Supported Client Versions
• Gemalto/SafeNet (Luna) client version 6.2.2 (plus OpenSSL toolkit 1.0.2 for Apache)
• nCipher Security World client version 12.40.2

Earliest Supported HSM Versions
• Gemalto SafeNet Network HSM (formerly Luna SA) models 7000 running software version 5.4.7-1 and firmware version 6.10.9
• nCipher nShield Connect HSM
  - Connect+: 500+; 1500+; 6000+; Security World version 12.40.2
  - Connect XC: Base; Mid; High; Security World version 12.40.2

“We evaluated all of the products from the top players in the space. Venafi was the clear winner for multiple reasons:
• Venafi allowed us to keep the entire certificate management process in-house.
• Venafi supported all the CA and HSM technologies we use.
• Venafi is extremely flexible and could satisfy all our immediate needs and anticipated future needs.”
Fortune 500 Insurance Company
Source: TechValidate. TVID: 8DA-A8D-6DA

How It Works

Venafi Advanced Key Protect supports two distinct functions:

1. Central HSM SSL/TLS and SSH Key Generation with Key and Certificate Installation on Managed Applications.

There are times when keys need to be stored with the applications they support. Secure key material is essential, especially when keys aren’t stored in an HSM. Venafi Advanced Key Protect coordinates the generation of private keys for certificates and SSH through a central HSM and pairs this with Venafi certificate issuance and installation. Together, this provides automated, validated distribution with maximum key entropy for applications.

The Details

The Venafi Platform can be used to generate all X.509 and SSH keys in a central HSM, even for applications that do not have the capability to integrate with an HSM. This ensures that keys are created with strong random number generation across the network. In this approach, instead of keeping the private key in the HSM, the Keypair is exported from the HSM and the private key and certificate are installed on the system that will use them. This capability is supported by Gemalto HSMs.

When an administrator enters application and HSM information into the Venafi Platform, it triggers these actions by the platform:
• Instructs the HSM to generate a Keypair
• Retrieves the private key and a certificate-signing request (CSR) from the HSM
• Uses the CSR for certificate enrollment with a certificate authority (CA)
• Installs the certificate and the private key on the managed application

Figure: Private Key and Certificate Installed on Managed Application

2. HSM SSL/TLS and SSH Private Key Protection Combined with Automated Certificate Orchestration.

This function is used when a business wants to protect keys using an HSM that is associated with the managed applications it supports. With Advanced Key Protect, private keys can be managed without ever leaving the hardware or being exposed to host memory. Businesses get full SSL/TLS and SSH key management in a FIPS 140-2 Level 2 environment—pairing automated Venafi management with the security of the HSM.

Figure: Private Key Securely Maintained on HSM

The Details

Venafi Advanced Key Protect triggers the generation of a Keypair by the HSM and orchestrates the connection to the system that needs the certificate. Venafi delivers key and certificate management with the Keypair securely maintained by the HSM. Both Gemalto and nCipher HSMs enable this approach and this capability is supported on Apache, Windows IIS and Java keystores.

Again, the process begins when an administrator enters application and HSM information into the Venafi Platform, but this time it triggers the following actions by the platform:
• Connects to the managed application and instructs the HSM to generate a Keypair
• Retrieves a CSR from the HSM through the managed application
• Uses the CSR for certificate enrollment with a CA
• Installs the certificate on the managed application (the private key remains on the HSM)

Next Steps

If you have the Venafi Platform and a Gemalto or nCipher HSM, or you’re considering investing in these solutions, contact us to learn more about how you can best leverage these solutions to maximize strong key generation and management.

Venafi is trusted by:
5 OF THE 5 Top U.S. Health Insurers
5 OF THE 5 Top U.S. Airlines
3 OF THE 5 Top U.S. Retailers
4 OF THE 5 Top U.S. Banks
4 OF THE 5 Top U.K. Banks
4 OF THE 5 Top S. African Banks
4 OF THE 5 Top AU Banks

About Venafi

Venafi is the cybersecurity market leader in machine identity management, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access.
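The two How It Works flows (function 1: key generated on the HSM and exported with the certificate; function 2: key stays on the HSM and only a CSR leaves) as an added Go example, not Venafi's or any HSM vendor's code. The simHSM type stands in for the device, the hsmSigner wrapper is what lets the CSR be signed without the private key reaching the host, and the label "web01" and CN web01.example.test are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
)

// simHSM is a constructed stand-in for the HSM (not a vendor API): private
// keys live only inside it and leave only through Export (function 1).
type simHSM struct{ keys map[string]*rsa.PrivateKey }

// GenerateKeypair creates an RSA key inside the HSM under a label.
func (h *simHSM) GenerateKeypair(label string, bits int) error {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return err
	}
	h.keys[label] = k
	return nil
}

// Export releases the private key as PKCS#8 DER so it can be installed next
// to the certificate (function 1). Function 2 never calls this.
func (h *simHSM) Export(label string) ([]byte, error) {
	return x509.MarshalPKCS8PrivateKey(h.keys[label])
}

// hsmSigner presents an HSM-resident key as a crypto.Signer: the host sees
// only the public key and a signing oracle, never the private material.
type hsmSigner struct{ hsm *simHSM; label string }

func (s hsmSigner) Public() crypto.PublicKey { return &s.hsm.keys[s.label].PublicKey }
func (s hsmSigner) Sign(r io.Reader, d []byte, o crypto.SignerOpts) ([]byte, error) {
	return s.hsm.keys[s.label].Sign(r, d, o)
}

// CSRFromHSM is the step both functions share: x509 asks the signer for the
// public key and one signature, so the CSR is signed inside the HSM and the
// CA enrollment needs no copy of the private key.
func CSRFromHSM(h *simHSM, label, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, hsmSigner{h, label})
}

func main() {
	h := &simHSM{keys: map[string]*rsa.PrivateKey{}}
	_ = h.GenerateKeypair("web01", 2048)
	csr, _ := CSRFromHSM(h, "web01", "web01.example.test") // function 2: key stays on HSM
	key, _ := h.Export("web01")                            // function 1 only
	println("csr bytes", len(csr), "key bytes", len(key))
}
```

With a real PKCS#11 or vendor client, only hsmSigner changes; the CSR and enrollment code stay the same, which is the property that keeps the key off the host in function 2.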

To learn more, visit www.venafi.com
