Platform Security
ADAM CASON | October 12, 2022
Securing data, assets, and transactions is ever critical especially now with increased innovation, customer demand, and the need to navigate a complex regulatory landscape — not to mention staying ahead of evolving cyber threats. As a result, organizations of all sizes and in every country around the world require implementing cryptography solutions to help secure everyday business. This includes managing and securing transactions, managing encryption keys, authenticating identities, providing message integrity, and encrypting data and applications.
From the largest global banks and payment processors that process thousands of transactions a second to the micro merchants that are newly accepting payments, cryptography works behind the scenes to ensure payments are secure and sensitive information is protected. Whenever and wherever cryptography is at work, organizations turn to either hardware or cloud options (or a combination of both) to ensure data and transactions are secure and compliant.
Common cryptographic themes across industries and across countries:
1. Cloud adoption is happening across the board with payment processing taking the lead
2. Smaller FinTechs are innovating big time
3. Companies are continually seeking help to meet regulations, especially when it comes to data localization
Since writing Cryptographic Management Trends Around the Globe, I talked again with Futurex team members from our offices around the world, including Ruchin Kumar, vice president, South Asia; Mark Howland, senior business development, EMEA; and Santos Campa, vice president, LAC, for more cryptographic insights and perspectives, including drilling down on cryptographic use cases to see what’s similar and what’s unique across regions. Let’s take a look at each region: South Asia, EMEA, and LAC.
South Asia: Payment Ecosystem Thriving in South Asia
Ruchin Kumar emphasized that the payment ecosystem in South Asia, particularly India, is thriving — indicating that financial services are the largest consumers of hardware security modules (HSMs) and cryptography in the entire region. HSMs play an important role in South Asia, securing the root of trust, keeping the private keys secure, managing Public Key Infrastructures (PKIs), and managing digital signing for non-repudiation and message integrity. In fact, he said, India represents almost 95% of HSM use cases in all of South Asia.
Payment systems and securing payments go hand-in-hand with the standards and regulations required for payments/financial services. These include regulations set by Unique Identification of India (UIDAI), National Payments Corporation of India (NPCI), Payments Council of India (PCI), Information Technology Act of India, 2000 and its amendments 2008/2011/2016.
Kumar sees organizations use general purpose HSMs for digital signing for non-repudiation and message integrity and payment HSMs used for acquiring, switching, card issuance, green PIN, and other payment application security needs (these types of HSMs are required by regulations). What’s on the horizon? From Kumar’s perspective, organizations are doing a lot of testing and evaluation for cryptography inclusion in their infrastructure and many organizations are looking into tokenization for security and agility, especially with Internet of Things (IoT), blockchain, and AI emerging. Additionally, remote key loading is becoming more sought after because every device in the field these days — ATMs, point-of-sale devices, handheld devices — requires key exchange with centralized servers.
Companies in South Asia See Cryptography-as-a-Service and Local Data Centers Critical for Data Residency and Localization
Over the past two years, most organizations in South Asia have adopted the cloud on a large scale, including using the cloud as a resource to host their critical applications. Security has played a big role in this cloud migration, with organizations wanting to retain ownership and control of their encryption keys. As a result, many organizations have turned to Futurex’s VirtuCrypt cloud HSM and key management service for both security and meeting regulatory compliance.
Futurex’s data centers in India West and India Central help to power cryptographic automation, speed, latency, and data residency and data localization. “Local data centers provide customers a lot of assurance in terms of data residency, data localization, and key localization, which earlier was a barrier to move to the cloud. Now that Futurex’s cryptography services are hosted within Indian geography, we have seen a big difference in organizations migrating to HSM-as-a-service,” says Kumar.
India is well-known as a FinTech hub for start-ups and innovation, with many unicorns emerging, according to Kumar. Progressive companies look to service-based, OpEx models for their applications as well as for cryptography. OpEx models offer flexibility, money savings, and serve as a resource for those needing help with cryptographic management.
EMEA: Cloud and Payments Dominate HSM Use in Europe, Middle East, and Africa
Cloud adoption is also rapidly increasing in EMEA, with many organizations looking to HSM virtualization technology, especially for payment applications. According to Mark Howland, “Customers are asking, ‘can we cut down our use of hardware, our reliance on hardware, and have the payment applications that we are heavily invested in, spun up and spun down seasonally?”
Howland notes that smaller companies and VC-backed companies are more nimble and lean toward innovation by implementing such things as cryptography-as-a-service to meet PCI regulations. The early adopters are those organizations in the finance and payment industry, as consumer demand and pandemic adjustments have led to innovative payment processing including mobile payments and SoftPOS. Like South Asia, smaller companies including those in financial software and services, see the value of OpEx-based HSM cloud services, such as Futurex’s VirtuCrypt.
Organizations across EMEA are deploying HSMs for POS key management, PIN management, and virtualization. What’s ahead? Howland sees that many organizations are, again, moving to a service-based model, looking at application encryption, encrypting data at rest, and the overall protection of data in all industry sectors, not just traditional high-security finance customers.
LAC: Trends in Cryptography Use in Latin America and the Caribbean
What’s trending in LAC? According to Santos Campa, he is seeing a mixture of both on-premises cryptographic architecture and cloud payment demands. Several banks already have a huge investment in their hardware infrastructure — their own data centers, racks, servers, etc. However, at least 35% of customers are converting from these on-premises architectures to cloud HSMs. Many are opening new branches or are creating new FinTechs inside their organizations. “We’re seeing the majority of organizations moving to the cloud, or at least moving part of their operations to the cloud,” says Campa. “It's very important for many organizations to keep control and management of the key lifecycle.”
Again, much like other parts of the world, the financial sector is the big mover and shaker in terms of cryptographic implementations, using cryptography for PIN validation, key management, and tokenization. According to Campa, the cloud continues to be very important and beneficial, especially the ability to integrate cloud payment HSMs with the public cloud including AWS, Azure, and Google.
As organizations are adding new models, such as transaction processing models, a must-have is a secure, compliant cryptographic solution — compliant with PCI and local and regional regulations throughout Latin America — that will allow them to scale. A nice-to-have is an OpEx option to give flexibility and cost savings.
Pandemic trends have paved the way to make cryptographic management more streamlined — such as visualization and remote key management — and not needing to physically go to the data center. “Organizations are looking to a cryptographic platform that is future-proofed, one that is going to provide the best quality of service and support in the market,” says Campa.
All around the globe, organizations are looking to innovate payments and embrace the cloud, keeping security, agility, and cryptography top of mind.
Read More
Software Security
ADAM CASON | June 24, 2022
Digital transformation has become a mission-critical strategy as organizations are adopting new ways of scaling their business, remaining agile to meet demand, and innovating for the future. Cryptographic management goes hand in hand with digital transformation, as organizations must evolve and future-proof their end-to-end cryptographic environments to ensure they are secure, compliant, and highly available to protect and secure their data, assets, and transactions.
I spoke with members of the global Futurex team — including Mark Howland, EMEA business development; Ruchin Kumar, vice president, South Asia; and Santos Campa, vice president, LAC — for their insights and perspectives on what cryptographic management challenges organizations are facing, implementation trends, and how they are future-proofing their systems.
There are common themes across industries and countries: cryptographic management is challenging, organizations are keenly interested in agility and scalability, cloud migration is happening everywhere, and the compliance checklist is ever important.
1 EMEA: Future-Proofing with Virtualization
When it comes to cryptographic management, the large financial institutions and major high-street banks have significant internal knowledge, best practices and their own ways of working and methodology. Across other organizations, we see the gamut: some are looking at new ways of doing things, such as HSM virtualization and cloud HSMs, while some are struggling with the skillset to configure and manage their existing systems. Throughout Europe, getting into data centers during the pandemic was difficult, resulting in challenges with on-premises cryptographic deployments and remote management.
There are progressive thinkers, many working at startups, who are future-proofing their systems and looking into load balancing, remote management, and virtualization. While others, who have always worked with on-premises cryptographic equipment, are slower to move to the cloud with questions around latency, regulations, and availability. Howland speculates about what’s ahead: “Cryptography-as-a-service and virtualization will be expected.”
Virtualization and the cloud enable organizations to be fluid in their services and abilities, accounting for scalability and growth without taking up rack space and being carbon neutral.
“You have to scale for your worst-case scenario. If you have virtual HSMs, you can literally spin them up and down, so you're not having to manage 20 HSMs when, for 360 days of the year, you only need five. When you then look at the costs, administrative costs, power, it makes a good business case to virtualize rather than use hardware,” states Howland.
Virtualization accounts for the ebb and flow of retailers, such as handling demand for Black Friday, Cyber Monday, and the holiday season.
2 LAC: Compliance and Cloud and Beyond
Overall, organizations are looking to be compliant, secure, scalable, and flexible. “For the financial HSM industry, it seems that, in most cases, everything is moving to the cloud,” says Campa. Moving to the cloud is financially motivating and empowers customers with an agile business case. Campa sees three cryptographic implementation trends across Latin America:
1. The need to implement cryptographic infrastructure as soon as possible.
2. The need to grow the current infrastructure. Organizations want to make sure that they are investing in an infrastructure that is scalable and used for the long term.
3. Security reliability and compliance
In Latin America, every financial customer needs to comply with PCI. In addition to PCI, there are regional compliance requirements to adhere to; for example, Mexico requires compliance with Comisión Nacional Bancaria y de Valores (CNBV) and Asociación de Bancos de Mexico (ABM). As a result, organizations prefer to invest in technologies that will be compliant with the next compliance regulations, including PCI and the next FIPS, to future-proof their cryptographic investments.
Beyond point-to-point encryption and PCI DSS support, we are seeing customers adopting tokenization, remote key loading, and contactless payments on COTS (CPoC) — and increasing features and functionality one at a time. In parallel, some customers have decided to increase the ROI of their HSM investment by using general-purpose features to comply with government and local security requirements and regulations. Futurex is hosting the Futurex Summit: Mexico City 2022, July 19-21, 2022, an opportunity for attendees to learn how to streamline their encryption infrastructures.
3 South Asia: Trends in Multi-Purpose HSM, Cloud
The cryptographic infrastructure has become an important part of the overall deployment of any project in organizations, and Kumar cites the lack of a centralized strategy as the main challenge. In India, he sees silos in most organizations, with overburdened budgets and resources. Data-centric security best practices can help organizations pass various security audits and mitigate unknown risks.
Another pain point is around compliance and mandates from regulators. As with many countries, cryptography is deeply embedded in the information technology laws of India to provide confidentiality and integrity to critical information like personal identifiable information (PII) and financial information. Adhering to these regulations is mandatory for each and every project within enterprises, banking, and government. “India is running quite ahead in HSM and key management. Organizations are well versed in the subject,” acknowledges Kumar.
Kumar sees many organizations interested in a single unified HSM platform that can handle both general purpose and payment functionalities to reduce implementation hassles. Additionally, as is common around the world, Kumar sees an interest in cloud migration and cryptography-as-a-service in South Asia. Many organizations are keen to outsource cryptographic management to a managed service provider or a cloud service provider to bring down the CAPEX cost for the customer, outsource complex cryptography operations to experts, and address regulatory compliance issues such as data localization and key localization.
As we’re seeing in the United States and around the globe post-pandemic, many organizations are looking at digital transformation strategies and future-proofing their cryptographic management investments, including cloud enablement, redundancy and agility, and hybrid deployments — all of which will help to both maintain a strong security posture while adapting and embracing new challenges and opportunities.
Read More