The ARIA microHSM solution is a SmartNIC based Hardware Security Module (HSM) that provides organizations with a simple to deploy, zero-footprint hardware option for adopting and offloading KMIP-based encryption – locally for their critical applications.
Data encryption is a critical component to success in any cybersecurity strategy, and one that is often problematic. One common approach is to deploy a hardware security module (HSM), a physical appliance attached to the network that generates data encryption keys and performs encryption/decryption functions. Data as generated/manipulated by applications is sent across the network to be encrypted before being returned and stored. These “black box” HSMs need to have secured rack space and be properly networked to avoid latency that can lead to application performance degradation.
The largest concern is the fact that traditional HSMs require specialized expertise to set up properly with the applications they are to perform the encryption operations for. The professional services needed to deploy these systems and the need to continuously engage with such experts every time the applications are updated can be extensive.
Additionally, there are known security vulnerabilities inherent in the Intel x86 chip architecture, which can be challenging for those looking for strong data encryption techniques while running the encryption applications right on the host. The applications must run the keys in the clear when encrypting the data. Storing encryption keys in the open on an x86 host leaves them open to exposure if the server is hacked.
The ARIA microHSM offers four unique capabilities when compared to traditional HSMs:
- First, the microHSM hardware is deployable in any standard PCIe slot found in commercially available servers. Locating HSM functionality directly within the application server that generates and stores data requiring encryption eliminates the need for a costly, higher power consumption standalone racked HSM.
- Local HSM functionality removes the variable to-and-from network latency generated by standalone appliances to increase application performance and response times.
- Offloading encryption from the application server’s CPU host ensures that the keys are not exposed if the server is compromised.
- The ARIA microHSM is a plug-and-play solution compatible with any KMIP-based application. For legacy application support, an API is available.
The ARIA microHSM, based on the KMIP standard, gives organization not only the ability to offload encryption keys but also simple API deployment, FIPS 140-2 compliance, and high availability required for our customer’s complex data encryption needs. Deployment is as easy as plugging the PCIe board into a server and spending a few minutes to configure the needed APIs. Once installed, the ARIA microHSM takes on the full life-cycle management of encryption keys generating hundreds in a minute.