Root of Trust

Because working in the cloud is an accepted reality nowadays, data breaches and hackers are constant threats for any business. The potential for data to be stolen or privileges to be abused cannot be ignored. For this reason, management needs to go beyond basic usernames and passwords and opt for more robust secrets management methods.

One cybersecurity concept to pick up is the “root of trust.” It relies on the corporate use of encryption to protect valuable assets from theft or misuse. Encryption keys help secure data, whether it is at rest or moving through the network. They validate the identity of users and devices, and they secure financial transactions with digital certificates.

But what is the root of trust, and can you rely on it for your critical business data in a constantly evolving digital space?

What Is Root of Trust?

For encryption to do its job, the keys themselves must remain secret. You can encrypt the keys, but then you end up with more keys to protect. That’s where root of trust security comes in.

You eventually end up at the root key: the most important key in the chain, and the one held to the highest standard of security. Companies with many departments and teams often have multiple root keys so that a single stolen key does not compromise the entire organization.

To better understand root keys, let’s talk about the chain of trust.

What Is the Chain of Trust?

The chain of trust is the relationship mentioned earlier: a linked pathway of verifications that connect a “trust anchor” to an “end-entity certificate.”

  • The trust anchor is the original certificate, also known as the root certificate authority (CA). The validity of the CA is integral to the security of the whole chain.
  • At least one intermediate certificate must exist. These entities issue certificates further down the chain and act as a buffer between the CA and the end entity, protecting the private root key from becoming compromised.
  • The chain ends at the end-entity certificate. This is the only link that does not issue its own certificates.

This chain of trust ensures security and scalability, helping businesses stay compliant while maintaining a secure environment for all their users.

Hardware-Based Root of Trust

Hardware is generally more difficult to crack than software, so many encryption keys are kept on devices known as Hardware Security Modules (HSMs). Taking the form of USB sticks, expansion cards, and sometimes entire machines, HSMs perform cryptographic functions like signing certificates and verifying the identity of electronic devices and other network entities.

With the Internet of Things (IoT) trend in full swing, business networks need to support a wide variety of electronics and personal devices. That’s why everything an HSM sends out must be authorized by the ecosystem. Every entity must know that the cryptographic information it receives is authentic.

However, the advent of cloud computing has shaken things up. The shift towards ephemeral infrastructure delivered over the Internet has made enterprises more scalable and efficient than ever, giving access to more computing power at lower maintenance costs. At the same time, having a single HSM for security purposes is no longer an option.

New Challenges for HSMs

Cybersecurity is always evolving as technology marches on. What does this trend mean for hardware-based security modules? What most businesses have learned is the following.

Hardware Is Still Vulnerable

Have you heard of the Meltdown and Spectre incidents in the news before? Those were examples of attacks that took advantage of vulnerabilities inherent in microprocessors. Even HSMs have suffered cybersecurity breaches in the past.

While companies are quick to push out firmware updates to address such vulnerabilities as soon as possible, there’s still a window of opportunity for cybercriminals, and no solution can be perfect. Even Intel’s Software Guard Extensions (SGX), which uses hardware memory encryption, has suffered attacks before.

Scaling Is a Priority

HSMs rely on physical hardware, which does not scale well with enterprise demands. With cloud computing leading the charge for better agility and efficiency, hardware-based root of trust usually does not keep up.

For example, what if your field only has seasonal demand, and you only need a few HSMs available during a small part of the year? You’d have to pay maintenance costs for those devices even during times when they go unused.

As-Is Accessibility

Business professionals understand that computing happens globally now, not just in your office. However, you can’t easily access HSMs with root of trust from anywhere. An on-premises hardware security module would require external network access, which is a potential risk.

The Cloud Requires Special Attention

Your cloud computing service provider sells to other client businesses as well. The result is that multiple users often own the same cloud HSM. Because supply chain attacks often infect cloud infrastructure, you can’t exactly trust an environment that you do not have full control over.

With these limitations in mind, is there still a future for HSMs and root of trust practices?

So What’s the Answer?

Root of trust will remain relevant in enterprise-grade cybersecurity. However, it will have to evolve with new technologies and trends. Next-generation root of trust practices must adopt new business models to support:

  • Better scalability
  • Accessibility from anywhere at any time
  • Flexible authentication methods

If your business is looking to develop a root of trust, try to find a solution (possibly a cloud service) that gives you exclusive ownership of your encryption keys. Also, look for validation with the Federal Information Processing Standard (FIPS), a computer security standard set up by the U.S. government for encryption.