Fortune 500 Utility Sets Up High Availability Public Key Infrastructure In A Geographically Distributed Environment

How Thales Expertise And High Assurance Hardware Security Modules (HSMs) Helped One of The Nation’s Largest Utilities Provide Strong Security While Simultaneously Enabling New Customer Services.

The Goal: Preparing For The Future

The IT team at one of the nation’s largest utility companies set an ambitious goal for themselves and their security infrastructure.

As technology in the energy sector was evolving, they were determined to remain on the leading edge. They needed to ensure they could provide continuous service to their customers while simultaneously preparing their infrastructure for new and demanding technology like Smart Metering and Smart Grid. They wanted to meet and exceed the high security requirements that their auditors and Homeland Security had established. And they wanted to enable new services, like allowing employees and customers to use tablets and smart phones to access the network.

To meet these goals, the utility’s security team planned to migrate to an updated version of public key infrastructure (PKI) software and core server platforms. Their existing PKI, now almost a decade old, had worked well for authenticating internal servers and laptops. But they would need a new solution if they were going to issue certificates for these mobile devices and accommodate other new technologies while ensuring the highest levels of security. A new PKI would enable new services like code signing and time stamping to ensure the integrity and appropriate governance of their internal software development processes, as well as “bring your own device” (BYOD), where certificate enrollment would allow mobile devices and tablets to access the network in a controlled and secure manner.

The Challenge: Complex and Distributed Environment

The real challenge of this deployment would be in working with the utility’s unique environment. To achieve the high availability, redundancy and disaster recovery functionality they needed, the team would have to deploy the PKI in conjunction with a complex server clustering infrastructure that resided on multiple sites. If they were successful, the utility’s infrastructure would be able to easily meet the demands of the next decade. But little information was available about configuring a PKI in this demanding environment – a few experts suggested it was possible, but it was clearly a daunting task.

Given their security requirements, the team knew the solution would have to include hardware security modules (HSMs). “We knew we needed a certified hardware solution,” reports the utility’s lead security analyst. “We had to ensure that all of our private keys were afforded the strongest protection available – we had read too many stories about private key theft compromising entire PKIs. Our most important priority is delivering services to the public and we had to ensure we could provide the highest assurance available.”

Benefits: Availability, Security and Broader Services

The Thales solution provides several critical benefits:

  • High availability. The clustered setup and nShield’s resiliency features allow for greater redundancy, including automated failover providing more robust disaster recovery and continuous availability.
  • Stronger security. As the company opens the network to more devices, the Thales HSMs enable stronger authentication through issuance of device certificates. The PKI can issue certificates to all devices, with personal devices having only limited access to the network.
  • Multiple HSM form factors. Using Thales HSMs allows the company to purchase appropriately-sized hardware for laptops and servers and not be forced to “over-buy”.
  • Smart metering support. As the company rolls out smart metering technology, the solution will ensure the integrity and confidentiality of transmitted data.

The Solution: Thales nShield HSMs and Expert Advice

To deploy this innovative solution, the company chose a suite of Thales solutions that included nShield Connect and nShield Edge HSMs and Thales Time Stamp Server. With a legacy of experience with Thales products and recognition of their superior combination of strong security with operational ease, the security team knew their Thales products would provide the configurability and flexibility needed to work in this demanding environment.

The team also relied upon the expertise of consultants in the Thales Advanced Solutions Group to help structure the deployment. “The Thales team was amazing,” says the lead security analyst. “Remember, this had never been done before. There were whitepapers out there saying it could be done, but some of the more advanced and complex technology hadn’t been proven in an actual deployment. Thales provided the enterprise HSMs, taught us how to configure and use them correctly in our specific environment, and helped us put all the pieces together with training. Their consultants were extremely knowledgeable and experienced in PKI technology and their dedication to ensure a successful project was second to none.”

The results? “Our Thales solution has had a phenomenal impact on operations. Our infrastructure can now support a host of other projects that were pending. And our PKI is doing what it was created to do: not just issuing server certificates, but truly enabling many different kinds of services. We rely on PKI for so many things. And the more you depend on it, the more you need security that is hardware-based.”

Thales Hardware

The products deployed in this solution include:

Thales nShield Connect HSM.

This high-performance network-attached HSM provides secure cryptographic services as a shared resource for distributed application instances and virtual machines. nShield Connect delivers a cost effective way to ensure appropriate levels of physical and logical control for server-based systems. With nShield Connect, organizations can:

  • Minimize operational costs with powerful key management architecture
  • Maximize utilization and scalability with a shared centralized platform
  • Provide cryptographic protection for network architecture in traditional, virtualized and cloud deployments
  • Overcome the inherent vulnerabilities of software-based cryptography

Thales nShield Edge HSM.

This USB-connected HSM provides a cost effective way for organizations to implement high assurance cryptography. With greater portability and USB-connectivity, nShield Edge is especially suitable for laptops and in workstation or desktop environments, and its compact design and integrated smartcard reader makes it a perfect fit for deployments with limited space or where HSMs are used only on occasion.

Thales Time Stamp Server.

This turnkey, network-attached appliance keeps accurate time and provides secure time stamps for record creation, filing and the timing of other events associated with electronic records and applications. Time stamp server protects time-stamping operations in independently certified, tamper-resistant hardware and offers superior time accuracy and auditability.