From Complexity to Simplicity: The Evolving Deployment of Hardware Security Modules
As cybersecurity becomes increasingly critical, the role of cryptographic applications - and of Hardware Security Modules (HSMs) that secure them - is expanding rapidly. However, this growing importance is at odds with a persistent time and talent shortage, particularly in IT security and cryptography.
One promising solution to this dilemma is to transition HSMs from traditional on-premises deployments to the cloud.
This shift solves several key challenges, including:
- The need for greater flexibility and scalability
- Limited availability of specialized talent
- High upfront investment and maintenance costs
On the other hand, a move to the cloud brings with it further challenges such as:
- Independently scaling the HSM estate and the application environment
- Directing traffic to a specific HSM – which has retained state information from previous commands
Furthermore, developing secure and reliable cryptographic applications using traditional interfaces such as PKCS#11 is onerous and continues to demand deep cryptographic expertise.
Modern cloud-based applications call for a new approach - one that solves these new challenges while continuing to meet evolving security and compliance requirements.
Modern market requirements for HSM communication
Modern market requirements for HSM communication include:
- Supporting cloud-first development
- Abstracting the HSM estate from the application environment to allow independent scaling
- Stateless, URL-based communication that avoids the need for dedicated network access
- Intuitive security application development
- Programming language independent HSM access
The solution: A cryptographic API that follows the RESTful architectural design
A modern solution to simplify interaction with Hardware Security Modules is the use of a cryptographic API designed according to RESTful architectural principles. Based on the Representational State Transfer (REST) model, this API enables standardized client-server communication through well-defined HTTP requests.
Each request contains all the necessary information, and aside from managing the HSM user session, no state or connection-specific information is held by either party. To ensure broad compatibility, the API is specified using the OpenAPI Specification, an industry-standard, machine-readable format that facilitates integration and automation across various platforms and development environments.
Cryptographic REST API – use cases and benefits for HSM setups
REST APIs are widely adopted due to their simplicity, scalability, and compatibility with modern web and cloud environments. In the context of HSM deployments, a cryptographic REST API offers far more than just another interface: it introduces a valuable level of abstraction that lets the application environment operate completely independently, without having to build and maintain knowledge of the HSM estate, and thus significantly simplifies secure integration with the HSM.
In a typical setup, one or more REST API servers can be deployed per application (depending on the transaction volume), serving multiple client instances that need access to the same cloud-based HSM group and storage configuration. This eliminates the need for end-users to manage client-based key storage, further simplifying deployment and configuration. All communication is secured via mutual TLS (mTLS) and follows the OpenAPI 3.0.3 specification, allowing for machine-readable, language-agnostic client development.
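The transport and statelessness properties described above, as an added illustration that is not Utimaco's code and does not use RCAPI's real endpoints: the client enforces TLS 1.3 with mutual authentication, keeps only the session token between calls, and rotates requests across a pool of REST API servers because no request depends on an earlier one. Host names, the `/placeholder/...` path and the `Authorization` header scheme are constructed assumptions; consult the product's OpenAPI document for the real ones.

```python
import json
import ssl
import http.client
from itertools import cycle

def base_context(ca_file=None):
    """Server-auth context; ca_file pins the CA that issued the API server certificates."""
    return ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)

def harden_context(ctx):
    """Enforce the transport properties described on the page: TLS 1.3 and verified peers."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def make_mtls_context(ca_file, client_cert, client_key):
    """Mutual TLS: verify the server and present our own client certificate."""
    ctx = harden_context(base_context(ca_file))
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx

class StatelessHsmClient:
    """Each request is self-contained, so any API server in the pool can serve it."""

    def __init__(self, servers, session_token, tls_ctx=None):
        self._servers = cycle(servers)  # round-robin across the REST API servers
        self._token = session_token     # the only state retained between requests
        self._ctx = tls_ctx

    def build_request(self, path, body):
        """Assemble one complete request: target host, method, path, headers, JSON body."""
        host = next(self._servers)
        headers = {
            "Content-Type": "application/json",
            "Authorization": "Bearer " + self._token,  # hypothetical session header
        }
        return host, "POST", path, headers, json.dumps(body, sort_keys=True)

    def send(self, path, body):
        """Send over the hardened context and return (HTTP status, parsed JSON body)."""
        host, method, path, headers, payload = self.build_request(path, body)
        conn = http.client.HTTPSConnection(host, context=self._ctx, timeout=10)
        try:
            conn.request(method, path, body=payload, headers=headers)
            resp = conn.getresponse()
            return resp.status, json.loads(resp.read() or b"{}")
        finally:
            conn.close()
```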
Key Benefits
- Easy integration and communication
- Simplified development process
- Language-agnostic client support
- Cloud-first architecture
- Independent scalability of clients and HSMs
REST Cryptography API for Utimaco General Purpose HSMs
Utimaco’s General Purpose HSMs offer communication via the REST Cryptographic API (RCAPI). It allows developers to communicate with the HSM through a simple HTTP-based interface over the secure TLS 1.3 protocol. This way, cryptographic operations can be seamlessly integrated through the same interface commonly used by applications with a service architecture.
Utimaco’s General Purpose HSMs – deployment on-premises or as a service
u.trust General Purpose HSM Se-Series
The u.trust General Purpose HSM Se-Series combines scalable multi-tenancy functionality with superior performance. Its container-based architecture supports up to 31 containers and enables flexibility across use cases including PQC, 5G, blockchain, and custom applications.
General Purpose HSM as a Service
The General Purpose HSM as a Service is a cloud-based GP HSM offering hosted in one of Utimaco’s secure, certified datacenters. It enables secure key generation, storage, and management under the customers’ sole control.