Trustis Enables Rapid Deployment of Managed PKIs based on Thales HSMs
How a PKI Managed Service Company Uses Thales Hardware Security Modules To Provide On-Demand Digital Certificates To Government Agencies
The Goal: Expand Business By Enabling Strong Authentication For Mobile Devices – Quickly And on Demand
As one of the UK’s leading authorities on public key infrastructure (PKI) and identity assurance, Trustis has provided on-demand managed PKI and identity services for a wide range of public and private organizations from a high security hosting facility since 1998.
More recently, Trustis sought to launch a new service offering – the Mobile Device Certificate Service (MDCS). This would provide on-demand digital certificates for public and private organizations that wanted to give their employees secure access to their networks via smartphones, tablets and other mobile devices.
Two major factors drove this business decision. First, the UK government recognized that it needed to embrace mobile devices as part of its drive to reduce expenditure. So for the first time the government would permit agencies to use iPhones and iPads up to Restricted level, as long as each device was authenticated using a valid digital certificate (among other provisions). Secondly, with G-Cloud – the UK government’s program that promotes the use of cloud-based IT services (similar to President Obama’s Cloud First initiative in the US) – gaining traction, Trustis could provide its innovative service directly, saving agencies much-needed money.
Trustis’ plan was to create a service that would allow government agencies to purchase on-demand PKI services for their mobile device users. It would also service private companies looking to reap the employee productivity benefits of Bring Your Own Device (BYOD) solutions that enable secure access to corporate networks. The service would target users that wanted to quickly and securely implement mobile technology, and wished to avoid the cost and/or effort of deploying a new or upgraded in-house PKI to support certificate issuance for mobile devices.
The benefits: Security, Reliability, Speed and Cost-effectiveness
Robert Hann, Business Development Director at Trustis, says Thales HSMs provide a number of benefits for the Trustis service:
- Security. When you add a Thales HSM to your PKI you are deploying a high assurance, independently certified, tamper-resistant device to secure some of the most sensitive keys and business processes within an organization. Thales HSMs enable Trustis to deliver the high level of security assurance and reliability necessary for such a widely trusted service.
- Resilience. Running a service at high availability, we have to have the most reliable HSMs. We have absolute confidence in the operation, security and control of Thales HSMs.
- Speed. With the ability to perform fast elliptic curve cryptography, Thales HSMs can provide added speed, which becomes increasingly valuable as the volume of transactions increases in very large scale managed services.
- Cost-efficiency. Thales HSMs provide a much more economic backup model than alternative solutions – a key differentiator when operating 24x7 managed services.
- Accreditation. Thales products have a long history of multiple and international certifications, including FIPS 140-2 Level 3, which is standard for Trustis.
- Simplicity. The Thales product line is simple to understand and explain. There is an efficient backup and recovery model, which is critical for Managed Service Providers.
- Support. We’ve had an excellent track record with Thales support. Their support team is always available and their service staff are well trained.
- Partnership. Cloud services are still relatively new to government and enterprise and there can be many security issues to deal with. Having a partner like Thales that understands PKI and cloud services is vital to our shared success.
Trustis knew the service could be revolutionary. It would give public and private organizations alike an easy, cloud-based process for adopting mobile technology without having to invest in new or upgraded PKI technology. It could, for example, allow agencies to roll out a few dozen smartphones or 100,000 iPads quickly and without a lengthy IT security project. It would provide mobile device management products with a robust and compliant PKI to underpin their security features. And it would make mobile technology easier to manage, giving administrators the ability to control all credentials on a user-by-user basis. By making strong authentication easy, cost-effective and quick to deploy, it would allow organizations to achieve all the gains in productivity and collaboration that mobile devices can offer.
The challenge: Providing High Assurance And Scaling For Growth
One major hurdle for Trustis was to ensure the authentication enabled by their PKI services would provide an appropriate level of assurance to meet the strict standards of UK government classification as well as private sector usage. But the technology couldn’t be too costly or it would defeat the government’s objective of achieving cost savings through cloud-based services. It also couldn’t be too slow or too cumbersome – speed and ease-of-use were critical to delivering the value that would draw customers to the solution. And finally it needed to be in a position to scale to accommodate rapid growth.
From their long history and experience implementing PKI best practices, Trustis recognized the importance of using hardware security modules (HSMs) to protect the private signing keys and signing operations of root and issuing certificate authorities (CAs) – even though the service runs from a highly secure ex-military facility. Combining dedicated hardware-based cryptography with proper procedures and processes, Trustis could offer a provable, auditable, high-assurance PKI foundation. But to meet the remaining requirements of its managed service environment, Trustis would need to deploy HSMs that could provide the kind of operational efficiency that does not often go hand-in-hand with high levels of security.
The Solution: Thales HSMs
Trustis chose to build its Mobile Device Certificate Service solution using Thales nShield Connect HSMs. nShield HSMs provide a hardened, tamper-resistant environment that protects private PKI signing keys and the associated cryptographic operations from threats such as key theft, which could undermine the trust of the entire system. The Thales HSMs not only enabled Trustis to comply with the government’s exacting security standards and the assurance needs of private enterprises, but also to achieve the reliability, scalability and high availability it would need for a cloud service.
“It wasn’t a difficult decision,” says Robert Hann, Business Development Director at Trustis. “We provide managed service PKIs for a wide variety of organizations, and all of our managed PKI solutions rely on Thales HSMs because of their unique combination of strong security and operational ease for critical functions like key backup. They are also interoperable with multiple PKI products, highly reliable, and the company provides excellent customer service – which all combines to make them the most cost-effective choice for us.”
nShield Connect, the device deployed for this solution, is a high-performance network-attached hardware security module (HSM). nShield Connect delivers highly secure cryptographic services that provide a cost-effective way to establish appropriate levels of physical and logical controls for PKIs and many other business applications. Fully supporting the unique Thales Security World architecture, nShield Connect provides an ideal combination of high assurance and operational ease, which is critical in a managed service environment. The benefits for both in-house and managed service PKI deployments include:
- Easily deployed and independently certified security for high assurance key management and certificate issuance processes
- Accelerated cryptographic signing processes to boost performance and enable application and process scalability
- Tightly enforced key management policies to simplify compliance demonstration and responses to audit requests
- Choice from a range of form factors and performance ratings to meet deployment scenarios ranging from low volume, offline root CAs to high volume, redundant, network-attached CAs