2019-03-12

It’s time for Application Centric Security

Today’s enterprise security architects are facing the next level of challenges as the connected society requires a new concept for a holistic security approach. It is no longer possible to consider security in terms of static corporate perimeters to which only known and controlled devices have access. Planning an overall enterprise security architecture today requires a mindset where architects are user-, device-, and application-centric in their thinking.

The shift and expansion of corporate network security perimeters has been under way for some time already. One of the drivers behind the shift has been the trend to deploy and consume applications in the cloud and to have instant availability at any point in time. For many, the challenge lies in enabling this flexibility whilst keeping the application secure. There is a paradox in keeping an application secure behind an open network perimeter, and it is clearly a bigger challenge than the static security of the past.

A second trend affecting today's security approach is the large-scale expansion of the Internet of Things (IoT). IoT, and in particular Industrial IoT, is changing the traditional IT landscape. Today we see that the operational part of enterprises is working with IoT and creating new challenges for the classical IT/OT bridge. IT applications are no longer separated from the business case but are a vital part of the daily operations and the customer offering.

Following these trends and developments, it is natural that the application itself is coming more into the focus of security. Building a security architecture for the future requires that both the application and its data are carefully considered. The intriguing part of this development is that with an application-centric security approach, a new and powerful toolset to secure the decentralized infrastructure becomes available!

We at PrimeKey have been following this development carefully for some time and are happy to give you our contribution to application-centric security: the PrimeKey SEE. This is the first trusted platform for any kind of enterprise-grade server application. Let us explain in more detail by giving you two example use cases:

Securing the digital factory

In the world of IoT, device security starts during production. Device security procedures include provisioning certificates, creating key material for authentication and injecting birth certificates into devices. All these constitute the foundation for continuous security life-cycle management, code signing and secure over-the-air (OTA) updates. This is why working with external production partners and manufacturing in untrusted environments requires advanced security concepts and processes.

Following the recommendations for a secure device life-cycle process in IoT today, considerable effort goes into protecting all crypto material (key material for certificate generation, code signing, authentication, etc.). Security modules or trust-zones are established. But what about protecting the issuing and injecting application itself? How can we trust these vital applications and know that they have not been modified or manipulated? By using the PrimeKey SEE you can move the run-time environment of those applications into the trusted server environment of the SEE and get the following advantages:

  • No further need to protect your IT system with organisational and physical boundaries.
  • Copy your existing application into a physically protected server rack.
  • Legacy applications can remain in use.
  • No need to change the existing IT setup.
  • Minimize the risk of production downtime, thanks to minimal changes to the application and the process landscape.

Shared Crypto Resources

The use and management of cryptographic Hardware Security Modules (HSMs) are a foundational part of securing your digital assets. Especially in the financial industry, HSMs are widely utilized for card production, authorisation or PIN verification and translation systems. HSMs can be a costly investment but, as stated, they are required for most proper security solutions. Fortunately, there is often a possibility to share HSMs between use cases and applications.

Today we see applications in the market that offer security module resource management, starting with centralized key management, resource monitoring and resource sharing (e.g. nCipher Security, Cryptomathic, Micro Focus, CryptSoft and KeyNexus). Installing and operating these applications inside the SEE’s trusted environment (FIPS 140-2 level 3) brings the following benefits:

  • No need for extra physical protection in the data center.
  • No changes inside the application.
  • Clearly defined and auditable execution environment.
  • Secure distributed access and management rights.

These examples give you a first glimpse into possible use-case scenarios of the SEE. In our upcoming webinar on the 14th of March we will tell you more and also show how easy it is to protect any application with the SEE Platform.

PrimeKey SEE

If your software or application controls sensitive information or functionality, you know the consequences that an undetected malicious modification can have. Your IoT device might be hacked, your data compromised, or your machines might stop working. With SEE you can sleep soundly: no one can access or modify your software and data.

The PrimeKey SEE is a full-size rack-mounted application server that comes with a patented FIPS protected execution environment for any operating system and application. It ensures that the server runtime environment can only be accessed by an authorized security administrator, making it impossible for an unauthorized party to access, extract or modify it. By doing so it opens up a new world of possibilities where you can run each mission-critical application in any uncontrolled environment. With SEE, you can place your software wherever it best advances your business. In addition, it prevents manipulation.

Author: Andreas Philipp

Andreas Philipp has more than 20 years of extensive experience in several roles and positions in the security module business. He joined PrimeKey in 2017 and is today Business Development Manager, based in Aachen, Germany.

Contact Andreas:
andreas.philipp@primekey.com


 
