Are There Virtual HSMs?
The Real Deal
The quick answer is: No, there is no such thing as a virtual hardware security module (HSM). Some HSM vendors profess to have one, but “virtual HSM” is an oxymoron. The fact that the word “hardware” is in the name is critical. Hardware means a physical device, and “virtual” is the opposite of physical.
One of an HSM’s main tasks is to establish a root of trust for the creation of secure cryptographic keys. In order to accomplish this task, a complicated mathematical process needs to take place. At the core of this mathematical process is the creation of a random number.
Not all random numbers are truly random. Books have been written about this topic but suffice it to say that, without an appropriate random number, the subsequently created key isn’t secure. With the technologies available to the industry today, companies have created a hardware-based random number generator.
It’s a chip that’s specifically designed, tested, and certified by NIST’s Cryptographic Module Validation Program to produce a secure random number. The test of cryptographic randomness is called entropy. Software cannot adequately test entropy, only hardware can. Without the hardware-created random number, there is an increased risk of the keys being compromised.
The Bottom Line
Organizations concerned with the validity of their cryptographic keys can only use hardware. Therefore, a virtual HSM would be no better than using a file server’s processing power to create cryptographic elements. Don’t be fooled, virtual HSMs don’t exist.
HSMs as a Service: Not on-prem, but not virtual
Just because HSMs are tamper-resistant, physical security devices doesn’t mean they need to be on-prem. nShield as a Service provides all the cryptographic functions and key management capabilities of nShield HSMs, but with a cloud-based subscription model.