Digital transformation has become a mission-critical strategy as organizations are adopting new ways of scaling their business, remaining agile to meet demand, and innovating for the future. Cryptographic management goes hand in hand with digital transformation, as organizations must evolve and future-proof their end-to-end cryptographic environments to ensure they are secure, compliant, and highly available to protect and secure their data, assets, and transactions.
I spoke with members of the global Futurex team — including Mark Howland, EMEA business development; Ruchin Kumar, vice president, South Asia; and Santos Campa, vice president, LAC — for their insights and perspectives on what cryptographic management challenges organizations are facing, implementation trends, and how they are future-proofing their systems.
There are common themes across industries and countries: cryptographic management is challenging, organizations are keenly interested in agility and scalability, cloud migration is happening everywhere, and the compliance checklist remains as important as ever.
1 EMEA: Future-Proofing with Virtualization
When it comes to cryptographic management, the large financial institutions and major high-street banks have significant internal knowledge, best practices and their own ways of working and methodology. Across other organizations, we see the gamut: some are looking at new ways of doing things, such as HSM virtualization and cloud HSMs, while some are struggling with the skillset to configure and manage their existing systems. Throughout Europe, getting into data centers during the pandemic was difficult, resulting in challenges with on-premises cryptographic deployments and remote management.
There are progressive thinkers, many working at startups, who are future-proofing their systems and looking into load balancing, remote management, and virtualization. Others, who have always worked with on-premises cryptographic equipment, are slower to move to the cloud, with questions around latency, regulations, and availability. Howland speculates about what’s ahead: “Cryptography-as-a-service and virtualization will be expected.”
Virtualization and the cloud enable organizations to be fluid in their services and abilities, accounting for scalability and growth without taking up rack space, while being carbon neutral.
“You have to scale for your worst-case scenario. If you have virtual HSMs, you can literally spin them up and down, so you're not having to manage 20 HSMs when, for 360 days of the year, you only need five. When you then look at the costs, administrative costs, power, it makes a good business case to virtualize rather than use hardware,” states Howland.
2 LAC: Compliance and Cloud and Beyond
Virtualization accommodates the ebb and flow of retail demand, such as Black Friday, Cyber Monday, and the holiday season.
Overall, organizations are looking to be compliant, secure, scalable, and flexible. “For the financial HSM industry, it seems that, in most cases, everything is moving to the cloud,” says Campa. Moving to the cloud is financially motivating and empowers customers with an agile business case. Campa sees three cryptographic implementation trends across Latin America:
1. The need to implement cryptographic infrastructure as soon as possible.
2. The need to grow the current infrastructure. Organizations want to make sure that they are investing in an infrastructure that is scalable and can be used for the long term.
3. Security, reliability, and compliance.
In Latin America, every financial customer needs to comply with PCI. In addition to PCI, there are regional compliance requirements to adhere to; for example, Mexico requires compliance with Comisión Nacional Bancaria y de Valores (CNBV) and Asociación de Bancos de México (ABM). As a result, organizations prefer to invest in technologies that will comply with upcoming regulations, including PCI and the next FIPS, to future-proof their cryptographic investments.
Beyond point-to-point encryption and PCI DSS support, we are seeing customers adopting tokenization, remote key loading, and contactless payments on COTS (CPoC) — and increasing features and functionality one at a time. In parallel, some customers have decided to increase the ROI of their HSM investment by using general-purpose features to comply with government and local security requirements and regulations. Futurex is hosting the Futurex Summit: Mexico City 2022, July 19-21, 2022, an opportunity for attendees to learn how to streamline their encryption infrastructures.
3 South Asia: Trends in Multi-Purpose HSM, Cloud
The cryptographic infrastructure has become an important part of the overall deployment of any project in organizations, and Kumar cites the lack of a centralized strategy as the main challenge. In India, he sees silos in most organizations, with overburdened budgets and resources. Data-centric security best practices can help organizations pass various security audits and mitigate unknown risks.
Another pain point is around compliance and mandates from regulators. As with many countries, cryptography is deeply embedded in the information technology laws of India to provide confidentiality and integrity to critical information like personally identifiable information (PII) and financial information. Adhering to these regulations is mandatory for each and every project within enterprises, banking, and government. “India is running quite ahead in HSM and key management. Organizations are well versed in the subject,” acknowledges Kumar.
Kumar sees many organizations interested in a single unified HSM platform that can handle both general-purpose and payment functionalities to reduce implementation hassles. Additionally, as is common around the world, Kumar sees an interest in cloud migration and cryptography-as-a-service in South Asia. Many organizations are keen to outsource cryptographic management to a managed service provider or a cloud service provider to bring down the CAPEX cost for the customer, outsource complex cryptography operations to experts, and address regulatory compliance issues such as data localization and key localization.
As we’re seeing in the United States and around the globe post-pandemic, many organizations are looking at digital transformation strategies and future-proofing their cryptographic management investments, including cloud enablement, redundancy and agility, and hybrid deployments — all of which will help maintain a strong security posture while adapting to and embracing new challenges and opportunities.