“I been here for years”. Admit it, the first thing that pops into your mind when hearing LL Cool J’s magnum opus is the hardware security module (HSM). The HSM is traditionally leveraged for X.509 certificate deployments in high identity assurance use cases. The HSM protects the certificate authority’s (CA) private key in a tamper-resistant hardware device. When issuing smart cards and certificates to users, an HSM is always in the picture. After all, why bother issuing hardware credentials to users when the CA’s private key resides in software?
From an authentication and single sign-on perspective, the rise of the Security Assertion Markup Language (SAML) federation credential was the response to the inherent difficulties of certificate distribution and private key security. Federation raised the PKI abstraction level: instead of issuing certificates to every user and managing a complicated validation process, a single certificate is issued to the identity provider (IdP). The IdP signs the user’s SAML assertion to establish the single sign-on (SSO) session. Issuing fewer certificates is a good thing.
Enterprises are beginning to leverage the Cloud for critical infrastructure applications. Critical applications have higher identity assurance requirements and therefore need enterprise-grade credentials. Federation has become the Rosetta Stone between Cloud applications and on-premises user identities. Yet, few organizations use an HSM to protect the federation IdP’s private key. If the IdP’s private key is compromised, the attacker can issue SAML assertions and grant access to your critical Cloud applications. Are you using an HSM to protect your critical Cloud applications?
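To make the trust relationship concrete, here is an added example (not code from the original post) of the two halves of federation described above: the IdP signing an assertion with its single private key, and the service provider (SP) verifying it. It is deliberately simplified: the assertion is a small struct signed over its JSON encoding rather than SAML XML with XML-DSig, and the issuer and application names are constructed. The SP checks the signature against the registered IdP public key, then the issuer, the audience restriction and the validity window. The point the example makes is that every one of those checks passes for any assertion produced with the IdP key, and fails for an otherwise identical assertion signed with any other key; the key itself is the whole chain of trust, which is why its protection matters.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a constructed, simplified stand-in for a SAML assertion,
// carrying only the fields a service provider must check. Real SAML is XML
// signed with XML-DSig; here the canonical form is the JSON encoding of the
// struct (field order is fixed by the struct declaration, so it is stable).
type Assertion struct {
	Issuer       string `json:"issuer"`
	Subject      string `json:"subject"`
	Audience     string `json:"audience"`
	NotBefore    int64  `json:"not_before"`      // Unix seconds
	NotOnOrAfter int64  `json:"not_on_or_after"` // Unix seconds
}

// SignedAssertion is an assertion plus the IdP's RSA PKCS#1 v1.5 / SHA-256
// signature over its canonical bytes.
type SignedAssertion struct {
	Assertion Assertion
	Signature []byte
}

// digest returns SHA-256 over the canonical (JSON) form of the assertion.
func digest(a Assertion) ([]byte, error) {
	b, err := json.Marshal(a)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}

// NewAssertion builds an assertion valid for ttl starting at issuedAt.
func NewAssertion(issuer, subject, audience string, issuedAt time.Time, ttl time.Duration) Assertion {
	return Assertion{
		Issuer:       issuer,
		Subject:      subject,
		Audience:     audience,
		NotBefore:    issuedAt.Unix(),
		NotOnOrAfter: issuedAt.Add(ttl).Unix(),
	}
}

// SignAssertion is the IdP side: the one federation private key signs every
// assertion the IdP issues. Anything signed with this key passes
// VerifyAssertion, which is exactly why the key's storage is the critical control.
func SignAssertion(idpKey *rsa.PrivateKey, a Assertion) (SignedAssertion, error) {
	d, err := digest(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, d)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Assertion: a, Signature: sig}, nil
}

// VerifyAssertion is the SP side: signature under the IdP public key registered
// in federation metadata, then issuer, audience and validity window.
func VerifyAssertion(idpPub *rsa.PublicKey, sa SignedAssertion, wantIssuer, wantAudience string, now time.Time) error {
	d, err := digest(sa.Assertion)
	if err != nil {
		return err
	}
	if err := rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, d, sa.Signature); err != nil {
		return errors.New("signature does not verify under the registered IdP key")
	}
	if sa.Assertion.Issuer != wantIssuer {
		return fmt.Errorf("unexpected issuer %q", sa.Assertion.Issuer)
	}
	if sa.Assertion.Audience != wantAudience {
		return fmt.Errorf("assertion not intended for this SP: %q", sa.Assertion.Audience)
	}
	t := now.Unix()
	if t < sa.Assertion.NotBefore || t >= sa.Assertion.NotOnOrAfter {
		return errors.New("assertion outside its validity window")
	}
	return nil
}

func main() {
	// Constructed issuer and application names; not any real deployment.
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	a := NewAssertion("https://idp.example.test", "alice", "https://app.example.test", now, 5*time.Minute)
	sa, _ := SignAssertion(idpKey, a)
	fmt.Println("IdP key:  ", VerifyAssertion(&idpKey.PublicKey, sa, "https://idp.example.test", "https://app.example.test", now))

	// Identical content signed by any key other than the registered one is rejected.
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := SignAssertion(otherKey, a)
	fmt.Println("other key:", VerifyAssertion(&idpKey.PublicKey, other, "https://idp.example.test", "https://app.example.test", now))
}
```

In a real deployment the SP would also bind the assertion to the request it answers (InResponseTo) and enforce single use of the assertion ID; those checks are omitted here to keep the focus on the key. None of them help once the IdP key is held outside the IdP, since every assertion it signs is indistinguishable from a genuine one.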