The PKI Guy talks enterprise security with Ryan Smith of Futurex

Q&A with Ryan Smith, vice president, global business development, Futurex

TPG: Tell us about your cryptographic solutions.

RS: Futurex is a global manufacturer of FIPS 140-2 Level 3 and PCI HSM validated hardware security modules and enterprise security applications. At a high level, our focus is on three areas: cryptographic processing, key and certificate management, and cryptographic infrastructure management. Our solutions are deployed either as on-premises hardware in our customers’ data centers, or in the cloud through VirtuCrypt’s Crypto-as-a-Service platform.

TPG: What are the latest security threats organizations are facing?

RS: Many of the biggest threats organizations face these days are, unfortunately, self-inflicted. A company can dedicate massive amounts of resources to selecting and implementing enterprise-wide data encryption and public key infrastructure (PKI), but if they view their responsibility as being finished once they “check the boxes,” they’re mistaken. It takes a great deal of expertise and regular maintenance to effectively operate a security infrastructure. It’s almost a cliché to say it, but spending equal amounts of energy on people, process, and technology really is critical.

Beyond that, we’re seeing a general rise in the sophistication and prevalence of attack vectors, which have implications for several threat types. Ransomware is still a significant threat and won’t be going away any time soon. Companies in general are also getting better at preventing and detecting advanced persistent threats (APT), but too many smaller organizations either aren’t aware of these strategies or don’t have the resources to implement them. And finally, the dramatically increasing number of deployed Internet of Things (IoT) devices is a topic we could talk for hours on: unauthenticated devices being hijacked and used as part of botnets, unauthorized firmware being loaded for malicious data collection, exploits being used for denial of service attacks, and many others.

And although this is looking a little further down the road, the research being done right now on quantum computing will have a significant impact on the cryptographic algorithms we use, and many of us in the enterprise data encryption industry are preparing for that.

TPG: What information security best practices do you recommend for enterprises?

RS: For a long time, the industry’s mantra has been “encrypt all sensitive data.” This is good, but it misses a vital component: key management. As organizations start incorporating encryption into more areas of their business, they need the technology and the training to effectively manage their cryptographic keys. When enterprises pair effective cryptographic processing with robust key lifecycle management, their overall security posture increases alongside general improvements seen in efficiency.

TPG: How are you addressing payment security?

RS: Futurex has a large presence in the financial payments industry, and many of the world’s largest banks and transaction processors trust our technology. We have a particular focus on financial use cases including PIN management, card issuance, mobile payments, Point-to-Point encryption, tokenization, ATM/POS remote key loading, payment validation, and more.

Traditionally, the HSM industry has viewed “financial” HSMs as being separate from “general-purpose” HSMs, with the main differences being the supported APIs and algorithms, as well as the internal cryptographic module’s suitability for either symmetric or asymmetric encryption, respectively. We take a different approach, and all our HSMs are capable of processing both financial and general-purpose transactions. This allows organizations to standardize all their cryptographic processing on a single common infrastructure rather than having several separate, siloed clusters.

TPG: What is your approach to PKI?

RS: Implementing a robust, scalable PKI is often a challenging task for organizations, and designing policies, approval workflows, and other tasks related to key lifecycle just as important as deciding on an HSM vendor. We’ve taken the approach of combining our FIPS 140-2 Level 3 validated HSMs with our key and certificate management applications inside a single appliance. This streamlines the integration process and provides a great deal of additional functionality beyond just PKI establishment, to include tokenization, application encryption, IoT security management, registration authority, code/object signing, and more.

TPG: How are you addressing cloud security?

RS: We address cloud security in two ways. First, we have an application integration team dedicated to working with cloud application vendors to help them implement HSM-backed security into their products. This is typically used for things like private key storage, database encryption, or tokenization. Second, we offer our own cloud-based Crypto-as-a-Service offering through VirtuCrypt, which is powered entirely by Futurex’s hardware appliances.

TPG: What do you see as the future of enterprise key management in the next five years?

RS: We’re seeing increasingly greater numbers of organizations move to the cloud for their key management. Overall cost savings is obviously a motivator, but we’ve found that an even greater driver of cloud adoption is the simple fact that most people in charge of their IT security infrastructure aren’t crypto experts. By relying on trusted vendors and partners with industry experts to manage this, organizations gain a sense of comfort and confidence that their most sensitive data is kept secure.

TPG: How are you addressing IoT security?

RS: Wearable devices, smart meters, autonomous vehicles, Point of Sale terminals, mobile devices, smart appliances, and more — all IoT devices need to have connections between devices, as well as to the backend infrastructure, secured to avoid intentional or accidental exposure of data.

Many of the largest IoT device manufacturers in the world trust Futurex’s manufacturer-class solutions as the foundation of their PKI. This is used for a range of purposes, including authentication of firmware updates, establishing encrypted and mutually authenticated connections between devices, enabling over-the-air updates, and more.