Today, enterprise and cloud applications are given direct-line access to critical resources like HSMs. Although keys never leave the HSM itself, there is little focus on controlling the access. Often the access policies are limited to vendor implementations, and the granular audit trail information is not always available where you need it. Virtual machines and containers can be cloned, credentials can be stolen, leaving access to the HSM compromised. Additionally, it is typically not safe to grant IoT devices direct access to the HSM. For these reasons, organizations spend a lot of time and money to build their own custom access controls around the core HSM functionality to reduce security risk, standardize the integration process, and support the use case requirements.

What is the HSM Access Controller (HAC)?

The HSM Access Controller (HAC) delivers granular authentication, authorization and audit controls for IoT devices, servers, and applications. Enterprise applications and services connecting to HSMs will authenticate to KeyScaler and use KeyScaler REST APIs to consume common HSM operations, such as key generation, data signing, data crypto, and general public key storage.


What are the benefits of HAC?

• Prevents unauthorized access to critical HSM infrastructure

• Mitigates security risks and liability exposure

• Implements granular access policies for HSM to support key use cases

• Provides an audit trail for compliance

• Protects brand reputation

• Cost savings (operational and financial) derived from avoiding security breaches

• Eliminates custom development, accelerate time to market

• IoT Ready - Only solution to support headless and constrained devices


How does it work?

The HAC uses the KeyScaler registration control policies to enroll entities, patented Dynamic Device Key Generation (DDKG) and JSON Web Tokens (JWT) authentication methods to attest to the identity of the requesting entity. Authorization policies are configured as part of key management policy.


Key Management Functions Supported (for Authenticated and Authorized entities)

• Generate keys – Generate a new key inside HSM for later use

• List keys – Returns a list of available keys in the HSM

• Delete key – Deletes a specific key from the HSM

• Export Public Key – Export the public part of a given key pair

• Import Public Key – Import an external public key in to the HSM

• Rotate Key – Generate a new key pair for a given key alias stored inside the HSM.

• Data Encryption – Pass data to the KeyScaler service for encryption using the public stored in the HSM

• Data Decryption – Pass encrypted data to the KeyScaler service for decryption using the private key stored in the HSM

• Data Signing – Cryptographically sign data using a private key stored in the HSM


Additional Functionality

• Auto-Rotate Keys – Schedule rotation of managed key pairs in the HSM

• Granular Audit Information – See who accessed what, when, and for what purpose.

• Secure Data Storage – Encrypt sensitive data using keys in the HSM, and store in KeyScaler for centralized access. Data store policies are used to restrict access to encrypted data, and permit authorized entities to list, retrieve, and decrypt certain information.


Device Authority HAC meets the Enterprise requirements to protect the critical HSM resource from un-authorized access and provide granular access controls for “Key” management and operations. Enterprise private Blockchain and IoT implementations are on the rise and would need the same functionality.


Contact us for more information and to purchase the HSM Access Controller.