Remote HSM Manager from Thales e-Security enables organizations to streamline and centralize administration of Thales payment hardware security modules (HSMs) by supporting secure remote monitoring and management of these devices. Remote management reduces travel to data centers, centralizes control, facilitates delegation, and enables administrators and their organizations to achieve new levels of automation and efficiency. The result is dramatic reductions in operating costs.

Designed with the most stringent security requirements in mind, Thales Remote HSM Manager addresses two primary challenges faced by today’s organizations: how to securely manage payment HSMs across multiple data centers and how to accommodate the rising number of operations that must be performed. In the past, security policies demanded that an authorized administrator physically connect to an HSM via a “dumb terminal” or console to perform routine management tasks. Given multiple data centers—some with lights-out operation—today’s increasing workload often leads to more travel and higher costs.

But with Thales Remote HSM Manager, once payment HSMs are initially installed, management tasks can be executed securely from a remote location using a graphical user interface (GUI). Beyond eliminating the time and cost of travel, the GUI streamlines operations by enabling faster execution of complex commands. Centralization reduces opportunities for insider security breaches while facilitating greater separation of duties. As a result, top security personnel can delegate more routine tasks while maintaining the high levels of security demanded in today’s payment ecosystem.
Remote HSM Manager Features
Strong authentication during connection to the hardware security module (HSM) helps eliminate man-in-the-middle attacks, thereby providing a secure management session in which all cryptographic keys remain protected by HSMs and/or secure smart cards at all times.
Data encryption on all communications between the management console and the HSM provides the necessary confidentiality when connecting across open networks.
Comprehensive access controls, down to the level of individual HSMs, provide a high degree of flexibility for system administrators.
A secure PC/laptop boot technique eliminates the threats posed by viruses or malware resident on the remote management machine, avoiding the need to dedicate machines to remote management tasks.
All configuration and management tasks can be performed at a location remote from the data center, thereby saving time and money and providing on-demand access to HSMs.
A single Remote HSM Manager client can manage multiple HSMs in multiple data centers, eliminating most travel requirements.
The ability to create and manage logical groups of HSMs provides a flexible and secure way to segregate complex HSM environments into smaller manageable units assigned to dedicated security teams.
Flexible administration enables changes to HSMs and/or security personnel to be implemented quickly and securely.
One Remote HSM Manager can manage current and legacy Thales payment HSMs (i.e. payShield 9000 and HSM 8000), minimizing complexity and operating costs.
Remote HSM Manager Specifications
HSM-issued PKI-based credentials for mutual authentication
Creation and management of logical HSM groups
Role-based access for security personnel (Administrators and Operators), enforced through personalized smart cards
Allocation of security personnel to individual HSMs for remote management purposes
Remote device management capabilities
Online, offline, secure and authorized state operations, with smart cards replacing the physical keys used in local management mode
Interface management enabling all host and management configurations to be controlled
Security configuration settings enabling the primary security parameters for the HSM to be configured
Loading of firmware and license files
Audit trail management
Status information providing insight into HSM security configuration and processing status and device utilization
Supported remote key management operations
Generate key components
Form key from components
Local master key (LMK) management
Logical and physical security
Secure PC or laptop boot to lock down operating system environment
Strong mutual authentication for establishment of remote session
Encryption to protect all data using a mixture of 3DES and RSA algorithms
payShield 9000 with firmware version 1.0 or later
HSM 8000 with firmware version 3.1 or later
Remote HSM Manager Options & Accessories
System Pack Software Upgrade
The Remote HSM Manager software application that runs on the remote PC/laptop is upgraded periodically to incorporate new features introduced in new payShield 9000 base software releases. The new software is supplied on a CD-ROM.
Additional Smart Cards
To address the needs of organizations that require more smart cards than are supplied as standard with the Remote HSM Manager system pack, additional packs of 10 Administrator and 10 Operator smart cards are available. The cards are configured at the Thales factory for use either as Operator or Administrator smart cards and are not interchangeable for security reasons.
Additional Smart Card Readers
The standard Remote HSM Manager system pack incorporates 3 smart card readers to facilitate normal operation of the system. In the event that a smart card reader is damaged or lost/stolen or that additional back-up units are required, Thales provides customers with the ability to purchase additional smart card readers that can be used with any Remote HSM Manager installation.