In this article, we briefly outline the challenges faced by regulated organisations that need procedural control over their HSM estate. It provides an insight into the level of awareness, lack of resources and expertise that pose significant challenges in production system adoption.
The need for procedures
Regulation dominates the payment systems behind global financial institutions. Primarily because most financial service providers are regulated to a standard by typically a local payments network provider such as LINK UK or an international provider such as VISA or Mastercard. In both cases regulatory control such as the Payment Card Industry (PCI) PIN is applicable either because PCI PIN is mandated directly by the international providers regulators (the PCI council) or because the local network provider adopts, legislates and regulates the relevant controls mandated in the PCI standard.
Regulatory compliance is at the forefront of all payment service provider’s service enablement strategy. It is the primary reason why the technical and procedural controls are in place. Failure to comply with the regulatory requirements through poor procedures could lead to steep penalties levied by the card brands and suspension of network use or card issuance for the issuer. Such a threat means that card issuers and switch service providers are highly sensitive to any aspect of the regulation not being adhered to and poor procedures are a factor. Furthermore poor procedures could lead to a costly security breach followed by the risk of reputational damage.
A significant aspect of regulatory control is the development and demonstrable use of procedures. PCI PIN Security mandates that virtually every control objective related to keys, components or HSMs has a policy and procedure. Furthermore, the business top down ownership of the procedures must be in place and all affected parties (key custodians, supervisory staff, technical management, etc.) must be aware of those procedures. Without procedures compliance is simply not possible and the fact is that most business owners don’t really know where they stand with the state of their procedures until it is too late, furthermore procedure custodians feel vulnerable with their liabilities at audit time.
HSM related procedures enable control and consistency over the way a company achieves an objective as well as to demonstrate retrospective control over its device, component and key management activities sometimes long after the activity has taken place. Crucially, signed procedures are the only way to attest for an event post performance to an auditor and so attested performances must be meticulously planned and coordinated to correctly capture any event. 61% of respondents in the 2019 Ponemon Global Encryption Trends Survey states that key management is painful with the top reasons shown below for which the right procedures can help:
The industry faces a common problem in finding it difficult to create and maintain a reasonably reliable quality programme for the creation of procedures, this issue needs to be addressed.
Personal experience has witnessed the fact that procedures often do not get enough visibility until very late on in a project and that little time, budget and resource allocation is assigned to them. The lack of resources given to the creation of procedures means that they are typically:
- Not demonstrative because they don’t sufficiently detail the process
- Do not capture the right sign off at the relevant points and therefore cannot attest to the performance
This lack of detail and attestation leaves little for an auditor to validate and without procedures there is a strong chance that the platform simply won’t make production.
The irony is that businesses all over the world, using the same HSM products to satisfy the same regulation for interaction with similar card schemes require carbon copies of procedures but without help they face varying problems. This help is not available because vendors are interested in product delivery and businesses are interested in service delivery, very little support is available to solve the problems that exist in the gaps.
Procedure creation is typically left to custodians within the business with little understanding of the intricacies of HSM implementation. In some cases an HSM was a reluctantly inherited item of hardware that in some cases was considered as simply an encryption router and treated as such.
Having worked for a vendor for many years as an HSM SME, my consulting role was typically to focus on the implementation of the HSM into its environment and any associated “near box” activities. I could be involved with pre-production or test, but it was unlikely that I would ever be part of the wider needs of standards such as ITIL service delivery. Vendor consultants typically do not assist with high or low lever designs, implementation planning, creation of logs for component access, device inventories, physical inspections or procedure development.
Consideration of the wider service delivery requirement provides a better experience in the handover of an HSM to the business from project to support, anything less is a problem which needs addressing.
Procedure development requires expertise. Having certified on a 2-day HSM capabilities training course and passing the exam is a great start to gaining that expertise but procedure-based training on how to complete daily operations is better. Access to a costly spare HSM is also fantastic to refresh skills and to get familiar with various controls but access to the required wisdom to make informed decisions on procedure development or to have them developed for you is better.
To summarise, some reasons for poor procedures in an organisation are listed:
- They are not backed by a Security Policy or sufficiently business owned
- They are not given enough time or budget for success
- Lack of hands-on HSM experience means that they are created without correct workflow and therefore not accurate
- They don’t reflect new product updates
- They can be inconsistent and disjointed due to multiple authors and no peer review
- They are created without a reasonable knowledge of the regulatory requirements
- They are created without any consideration of the vendors security recommendations
- The organisation is unclear of how to change a procedure after an auditor’s non-compliance notice
- Issues of versioning mean that the procedure is based on legacy features
- The procedures typically contain missing or incomplete signatories and attestation
- Paper based procedures become disorganised, lost, incomplete as well as hard to locate when requested
- On multiple occasions the procedures are not available for the performance
All of the above make HSM procedure management problematic for businesses globally. The business is accountable for the regulation and it will be the business that receives the non-compliance when a procedure does not satisfy its regulatory requirements. Put simply, HSM procedure mismanagement is a ticking time bomb for the unaware and should be considered a threat that could give rise to significant risk that must be managed. Not to take control over procedure management is naive at best and negligent at worst. Organisations need to regularly review how they are managing the risk or poor procedures.