The Thales nShield Connect 6000 is one of the company's line of hardware security modules (HSMs), which combine FIPS 140-2 level-three security (Federal Information Processing Standard) with key management (Thales acquired nCipher in 2008). Thales typically sends a support engineer to aid in installation of a new system, so we allowed the company to send an engineer to install the product in our test bed and help integrate it with our test platforms: Windows 2008 Server with the Microsoft Certificate Authority, IIS, Exchange and SQL Server 2005, and Ubuntu Server 9.04 with Apache 2.2.12. It took the engineer about a day and a half to get the system working with all these applications.
One reason installation took that long was that the nShield had FIPS security enabled by default. This is a government standard for security that involves physical tokens (smart cards) that need to be inserted into the appliance's reader before most actions are taken. During initial configuration we set up nine smart cards, of which one needed to be inserted to continue with protected actions.
The number of cards and the number needed for a given action are flexible. This is to ensure that major actions, such as registering a new certificate with a provider (potentially a very expensive operation), have a consensus before they are taken. One European institution requires that 55 out of 57 cards be inserted to request a new certificate, which, given the 1 million Euro price tag, may be justified. On the other hand, many organizations may find this level of protection overkill and turn off the FIPS security, with access allowed through normal passwords instead.
Setting up the nShield to work with a new application involves getting that application to work with one of the supported key management standards (PKCS#11, Microsoft CryptoAPI/CNG, Java JCE or OpenSSL) or with one of the other supported security protocols. This can often be somewhat complex, as these are not necessarily the native methods for encryption. Even when they are, as with the Microsoft CryptoAPI, there can be numerous steps involved.
Thales has 22 published guides to integration with particular products, which even the technician sent to install the product used, because each involved lots of steps. Eight to 12 pages of guidance is typical. The tech was able to go through the steps relatively quickly once the basic configurations and permissions were set, and after he left, I completed a couple of other configurations using the guides, with no special problems.
Once applications are connected to the nShield, certificates and keys can be easily managed using policies, making it easy to issue new certificates and revoke or renew certificates. Policies can set how long a key is used before being renewed or revoked. Since all the keys are provided to the applications on demand over a secure, encrypted link, with the keys themselves stored securely in a hardened appliance, keys are not only centrally managed and protected from breaches, but visible to the administrator.