The key to properly protecting your PKI environment is carefully designed procedures and policies. But how do you enforce them consistently? The integrity and assurance level of the PKI depends on ensuring organization procedures are followed at all times. Hardware Security Modules (HSM) are available from a number of manufacturers and are leveraged in a PKI to enforce defined procedures. HSMs can be used to ensure no one person can compromise a PKI. They can also be used to speed up signing/issuance in high-volume environments. HSMs can also be used to secure your CAs against the extraction and misuse of your CA private keys.
The proper selection, architecture and implementation of one or more HSMs in your environment is critical. Does your environment require a collusion requirement? If so, a K of N implementation on the HSM is recommended. Do you need to ensure a chain of custody for non-repudiation? Then the design and day-to-day history of the PKI needs to be carefully tracked and audit. This must be in place before the first component is ever installed.
HSMs can be leveraged to provide EAL 4/FIPS 140-2 level 3 protection of your PKI. PKI Solutions is very experienced with architecting and deploying Thales HSMs and can even provide your organization with assistance in selecting and acquiring the HSMs.