Regional Energy Company Ensures Compliance and Security with Entrust nShield HSMs

In the complex energy sector, a multi-state conglomerate faced the dual challenges of compliance and security. Responsible for providing energy solutions across several states, the company was required to adhere to stringent Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC)  policies, including FIPS (Federal Information Processing Standards). Protection of cryptographic keys is essential to maintaining the integrity of their infrastructure and ensuring the security of their operations.

The company encountered significant difficulties in managing multiple Microsoft PKI environments, which needed to be kept separate to ensure security and compliance. Each environment had to meet the rigorous FIPS 140-2 Level 2 standards, adding layers of complexity to the deployment. This standard specifically applies to hardware security modules (HSMs), meaning that the PKI keys had to be secured using HSMs that comply with FIPS 140-2 Level 2 or Level 3 standards. This requirement introduced additional challenges, as the presence of multiple root Certificate Authorities (CAs) further complicated the setup and management of their PKI infrastructure. Ensuring that the cryptographic keys were managed within a secure hardware boundary was crucial for maintaining the integrity and security of the entire system.

To address these challenges, the company implemented Entrust nShield hardware security modules (HSMs), which provided a robust and secure hardware root of trust for their PKI environments. The Entrust Professional Services team set up three high-availability Microsoft Active Directory Certificate Services (ADCS) environments, utilizing a total of six nShield HSMs.

Key aspects of the implementation included:

• Entrust nShield HSMs: Each PKI environment was designed to operate independently, with separate instances of Security World (the software environment for managing nShield HSM security architecture) and dedicated HSMs for each use case.
• Entrust KeyControl: KeyControl redefines cryptographic key management by combining traditional key lifecycle management and a decentralized vault-based architecture with a comprehensive central policy and compliance management dashboard.
• Comprehensive Support and Training: The implementation included root CA ceremonies, HSM setup, and extensive training for the customer's team.
• Ongoing Professional Services: Entrust established a yearly professional service agreement to ensure the ongoing functionality and security of the PKI environments.