Futurex announced the next generation of its VirtuCrypt financial cloud hardware security module (HSM) service. VirtuCrypt supports the cryptography and key management needs of financial services organizations' critical payment systems in the cloud.
VirtuCrypt cloud HSMs are the industry’s first financial cloud cryptographic solution with native Amazon Web Services (AWS) support.
Financial services organizations depend on HSMs to meet their payment and cryptography needs, including for transaction acquiring, card and mobile issuing, and Point-to-Point Encryption (P2PE).
Banks and merchants use HSMs for tasks including PIN translation and verification, CVV generation and validation, EMV validation, message authentication code (MAC) generation and verification, key management, and mobile payment processing. Issuers additionally depend on HSMs to issue payment cards and provision mobile payment tokens.
Since 2015, VirtuCrypt financial cloud HSMs have provided services for organizations of all sizes. With five data centers worldwide and certifications including PCI DSS, PCI PIN, PCI P2PE, and TR-39, VirtuCrypt services are a platform-agnostic way for organizations to deploy cryptographic services across a range of financial use cases and architectures.
“We have been working with the financial services industry for more than 40 years to deliver mission-critical cryptographic solutions to support the large volume of payment systems and processes required,” said Ryan Smith, vice president of global business development at Futurex.
“Today, we’re proud to announce a range of groundbreaking enhancements to our VirtuCrypt financial cloud HSM – the industry’s first financial cloud HSM with native AWS integration – building on years of cloud HSM experience and delivering on our commitment to meeting the security, robustness, scalability, and compliance needs of financial services organizations worldwide.”
Core-to-cloud architecture and automation
- Instant provisioning with the VirtuCrypt Intelligence Portal
- One-click migration from on-premises HSMs to cloud HSMs
- Cloud HSM SDK for natively integrating cloud crypto processing and key management into on-premises or cloud applications and services
- User-controlled clustering and synchronization of cloud HSMs
- Real-time, automated, and customizable scalability
- Flexible high availability and SLAs for test environments up to mission-critical production applications
Snapshot technology and cloud HSM management
- Take cloud HSM snapshots for backup, migration to new environments, or streamlining new deployments
- Enable and disable cloud HSMs with the click of a button
- Store cloud HSM snapshots on the VirtuCrypt cloud HSM backup service and re-provision them on-demand
- Instant provisioning for common payment host applications, with recommended settings built in
Cryptoverse & CryptoTunnel security fabric
- Cryptoverse: enterprise key schema for comprehensive, cross-platform security with TLS-secured mutual authentication and strong encryption across all endpoints
- CryptoTunnels: turnkey connection security between on-premises apps, cloud-hosted applications, and cloud HSMs
- Connection whitelisting ensures only trusted applications can access cloud HSM services
- Deployment in different PCI zones (acquiring/P2PE, issuance, or test) to meet compliance requirements
Crypto infrastructure intelligence and orchestration
- Centralized log management with audit-friendly reporting
- Integrated monitoring with user-definable push notifications
- Integration with third-party applications and cloud monitoring tools
- HSM orchestration allows cloud HSMs to be provisioned or modified based on user-defined scenarios
Native omni-cloud integration
- VirtuCrypt Access Points: use a single set of cloud HSMs across multiple regions within a single public cloud provider
- Connect applications spanning multiple public clouds to a single VirtuCrypt cloud HSM estate
- Direct integration with public clouds, such as AWS, allowing seamless deployment
- Public cloud integration allows account management, invoicing, and billing to be handled from a single interface
“Enterprise workloads are moving to the cloud in vast quantities, and payment applications are no exception,” said Tim Sloane, vice president of payments innovation at Mercator Advisory Group.
“As organizations determine the ideal mix of cloud and on-premises technology for their own ecosystem, it’s vital that hardware security modules and encryption key management be included in the conversation.”
Cloud providers such as Google Cloud Platform, AWS, and Microsoft Azure work hard to be the service provider of choice for enterprise customers. They often push the envelope with specialized features and capabilities unique to each platform. These features can often add real value for certain industries and applications and help to differentiate the platforms from each other.
At the same time, the reliance on unique services across the various public clouds creates a barrier that inhibits enterprise customers from easily switching from one cloud provider to another or managing applications efficiently across a multi-cloud environment.
In addition, all the public cloud vendors have their own solution for encryption key management, which can be extended to specific applications for enhanced data protection. While this establishes a high degree of security, organizations lose control over the keys and give up the ability to easily migrate to different cloud platforms.
Many organizations start off intending to stick with a preferred cloud provider. Over time, though, they may need to host certain applications or consume services that are available only on another cloud, and they end up in a multi-cloud environment. Smaller organizations may be able to stay with a single provider, but as organizations grow they have to consider going multi-cloud. From a redundancy standpoint, the ability to move from one cloud to another if something happens is very attractive to larger organizations, and some have audit requirements around backup or redundancy that simply rule out being sole-sourced on a single vendor.
Furthermore, if the cloud provider directly manages an organization's cryptographic keys, the provider's own employees could access the organization's sensitive data if proper oversight and controls are not in place. And if the provider is served with a legal order, it has no choice but to comply and hand over the organization's keys, and with them the data they protect.
Use your own keys
To address these challenges, cloud providers have introduced support for Bring Your Own Key (BYOK), which lets organizations generate keys outside the cloud, import them into the provider's key management service, and encrypt data inside cloud services with those keys while still using the provider's native encryption services.
Even with BYOK, an imported copy of each key still exists in the cloud provider's key management service, and the provider's services operate on that copy. But because keys are now generated, escrowed, rotated, and retired in an on-premises hardware security module (HSM), BYOK helps organizations address compliance and reporting requirements more fully. Another benefit is that the organization controls how its keys are generated: it can ensure they are produced from a sufficient source of entropy and are protected from disclosure, rather than relying on the provider's generator.
While BYOK offers increased control, it also comes with additional key management responsibilities that are magnified in multi-cloud environments. Every cloud provider has its own set of APIs and its own cryptographic method for transporting keys. With AWS, you import key material into AWS KMS through the Management Console, the command-line interface, or the API, in each case over TLS. Microsoft's Azure Storage Service Encryption for data at rest, used with the Azure Storage Client Library, requires customer-managed keys to be stored in Azure Key Vault. Google Cloud Platform has its own set of tools for managing keys for services such as Google Cloud Storage and Google Compute Engine.
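To make the import mechanics concrete, here is an added example of the two halves of a BYOK key import, written for this page in Go using only the standard library; it is not Futurex, AWS or any other vendor's code. The on-premises HSM and the provider's KMS are local stand-ins (the OS CSPRNG plays the HSM's entropy source, and a locally generated RSA-2048 key plays the KMS wrapping key), and the type and function names are assumptions for illustration, not any provider's API. What does match real BYOK is the wrapping step: the provider publishes its wrapping public key in DER form and the customer wraps the AES key material with RSA-OAEP/SHA-256, which is the RSAES_OAEP_SHA_256 option AWS KMS accepts for imported key material. A real KMS also issues a time-limited import token with the public key, which is omitted here.

```go
// Added example, not vendor code: a simulated Bring Your Own Key (BYOK) import.
// The on-premises HSM and the provider's KMS are local stand-ins for illustration.
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// SimulatedKMS stands in for the provider's key management service. It owns the RSA
// wrapping private key and, after import, a plaintext copy of every customer key.
type SimulatedKMS struct {
	wrapKey *rsa.PrivateKey
	keys    map[string][]byte // key ID -> imported plaintext key material
}

func NewSimulatedKMS() (*SimulatedKMS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SimulatedKMS{wrapKey: priv, keys: map[string][]byte{}}, nil
}

// WrappingPublicKeyDER is what the provider hands out before an import: the public
// half of the wrapping key, DER-encoded (SubjectPublicKeyInfo).
func (k *SimulatedKMS) WrappingPublicKeyDER() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&k.wrapKey.PublicKey)
}

// ImportKeyMaterial is the provider side: unwrap with the private key that never
// leaves the KMS, validate the result, and keep the plaintext under keyID.
func (k *SimulatedKMS) ImportKeyMaterial(keyID string, wrapped []byte) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, k.wrapKey, wrapped, nil)
	if err != nil {
		return fmt.Errorf("unwrap failed: %w", err)
	}
	if err := checkKeyLength(plain); err != nil {
		return err
	}
	k.keys[keyID] = plain
	return nil
}

// ImportedKey returns the provider's copy: after BYOK the KMS can use the key
// without involving the customer, which is exactly what BYOK alone does not remove.
func (k *SimulatedKMS) ImportedKey(keyID string) ([]byte, bool) { key, ok := k.keys[keyID]; return key, ok }

func checkKeyLength(key []byte) error {
	if n := len(key); n != 16 && n != 24 && n != 32 {
		return fmt.Errorf("AES key material must be 16, 24 or 32 bytes, got %d", n)
	}
	return nil
}

// GenerateCustomerKey stands in for generating AES-256 key material inside the HSM.
func GenerateCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// WrapKeyMaterial is the customer side: parse the provider's DER public key and wrap
// the key with RSA-OAEP/SHA-256 (the RSAES_OAEP_SHA_256 option in AWS KMS). Only the
// KMS private key can undo this, so the key is protected independently of TLS.
func WrapKeyMaterial(publicKeyDER, keyMaterial []byte) ([]byte, error) {
	if err := checkKeyLength(keyMaterial); err != nil {
		return nil, err
	}
	pubAny, err := x509.ParsePKIXPublicKey(publicKeyDER)
	if err != nil {
		return nil, err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping key is not RSA")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

func main() {
	kms, _ := NewSimulatedKMS()
	pubDER, _ := kms.WrappingPublicKeyDER()
	key, _ := GenerateCustomerKey() // the on-premises HSM keeps this copy
	wrapped, err := WrapKeyMaterial(pubDER, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("import:", kms.ImportKeyMaterial("byok-aes-1", wrapped))
	providerCopy, held := kms.ImportedKey("byok-aes-1")
	fmt.Println("provider holds plaintext copy:", held, "identical to HSM copy:", bytes.Equal(providerCopy, key))
}
```

Two things the run makes visible. First, the wrapped blob is useless to anyone without the KMS wrapping private key, including the customer itself, so the transport protection does not rest on the TLS session alone. Second, after a successful import the provider holds an identical, directly usable copy of the key: the on-premises HSM remains the place where the key is generated, escrowed, rotated and retired, but the cloud side is no longer dependent on it for day-to-day use.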
Fundamentally, the processes, procedures and methods for managing keys are completely different across clouds, and not just from an API standpoint, but from architecture and process standpoints with each requiring different key management techniques. Needless to say, all this complexity and variability is the enemy of efficient operations and any missteps can put critical data at risk.
The irony is that at the end of the day, you’re trying to accomplish the same thing, namely encrypt application data in the cloud using keys. That’s also the good news. Because you have a singular goal of key management, many organizations are turning to centralized key management to manage the full lifecycle of cloud keys.
In the BYOK scenario, centralizing key management can offer significant advantages by allowing organizations to consolidate policies and procedures, develop consistent, repeatable, and well-documented practices, and – most importantly – reduce the risks of exposing keys.
As mentioned above, even with BYOK, organizations still have to leave a copy of their cryptographic keys with the cloud provider. To address this, cloud providers are starting to develop interfaces that let their services use keys held in the customer's external key management system instead of a copy held by the provider. Not only does this give organizations complete control of their keys, it points toward centralization as the accepted best practice for managing encryption across multiple cloud environments.
Given the broad trend toward multi-cloud and the challenge of key management in a multi-cloud world, it is safe to assume that other cloud providers will add improved support for external key management. This will make it increasingly easy to simplify key management across multiple clouds while retaining full control over your data and encryption keys.