Hardware security for applications
nShield Connect enables enterprises to add hardware protection to critical applications such as public key infrastructures (PKIs), databases, web and application servers. Using standard cryptographic interfaces, nShield Connect integrates readily with Microsoft Certificate Services (PKI), Entrust Authority Security Manager, RSA Certificate Manager, Oracle Database, Microsoft SQL Server, and many other applications.
nShield Connect features tamper-responsive, rack-mountable hardware that generates application keys within an independently certified, secure hardware boundary. The CodeSafe option enables secure execution of custom applications inside that boundary, protecting data in use against insider and Trojan attacks.
High availability features to ensure business continuity
Designed for business continuity, nShield Connect is the world’s only general-purpose HSM with dual, hot-swap power supplies. This enables organizations to connect the HSM to two power sources, safeguarding against the loss of either one. The power supplies can be replaced one at a time without powering down the unit, that is, without incurring downtime. Because the power supplies are field-replaceable, operators can replace them on site rather than sending the unit to a service center.
nShield Connect features redundant fans. Should one of the fans fail, the remaining fans still provide enough cooling for the appliance. The fan tray can be replaced on-site during scheduled maintenance hours, minimizing impact on the business and without having to send the unit to a service center. To further increase availability, several HSMs can be clustered and load balanced. SNMP support enables remote monitoring of power supplies, temperature, fan speeds, and other parameters.
Remote management reduces costs
In situations where nShield Solo or nShield Connect HSMs are deployed at a remote site or in a lights-out data center, Remote Operator can be used with an nShield Solo card in the operator's machine to remotely provide credentials. This accelerates security administration and reduces travel costs.
Security World management lowers TCO
The Security World management software centrally manages nShield Connect, nShield Solo and netHSM to reduce setup and administration time. Security World securely supports remote operation of HSMs in lights-out data centers, disaster recovery even after total hardware replacement, and key sharing across HSMs and geographies. Keys and their metadata can be backed up automatically without additional hardware, reducing the total cost of operations.
The operational and cost advantages of Security World become apparent when contrasting it with the approach of legacy HSMs which are still widely used:
| Legacy HSM approach | Thales Security World |
|---|---|
| Expensive backup on custom hardware | Cost-effective backup on file server |
| Backup requires manual, physical operation | Backup can be automated, reducing the cost of operations |
| Storage is very limited and requires custom hardware for upgrade | Clustering made easy by flexible approach |
| Outdated security approach makes operations cumbersome and expensive | Same level of security, more flexibility, and easier operations |
Premium performance avoids bottlenecks
To provide services for up to 100 clients, nShield Connect offers hardware acceleration for cryptographic operations, making it the world’s fastest network-attached HSM with up to 6,000 signing transactions per second (TPS) using 1,024-bit RSA keys. Using 2,048-bit RSA keys, which the National Institute of Standards and Technology (NIST) recommends from 2010, nShield Connect achieves up to 3,000 TPS. Web servers such as Microsoft IIS and Apache can increase SSL throughput by off-loading handshake operations to the HSM. Two Gigabit Ethernet ports enable the HSM to serve two network segments.
Elliptic curve cryptography is becoming increasingly popular. nShield Connect modules can process elliptic curve operations inside the HSM; this requires the Elliptic Curve Cryptography (ECC) activation option.
Readily integrates with third-party applications
nShield Connect integrates with applications through standard interfaces including PKCS#11, Java Cryptography Extension (JCE), Microsoft CAPI and CNG.
nShield Connect is compatible with nShield Solo and netHSM modules and can be upgraded to support additional features using various option packs. nShield Connect supports a broad range of operating systems, including Windows 2008 R2/2008/2003/Vista/XP, Linux, Solaris, AIX and HP-UX. nShield Connect also supports these operating systems on virtual servers.
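The standard-interface integration described above, as an added example that is not part of the datasheet and not Thales's own code: a Java application signs through the Java Cryptography Extension (JCE), with the JDK's SunPKCS11 bridge loaded on top of the HSM's PKCS#11 module, so the private key stays inside the hardware boundary and only the signature comes back. The PKCS#11 library path, slot index, key alias and the HSM_PIN environment variable are assumptions; substitute your installation's values.

```java
// Added example (not from the datasheet): signing with an HSM-held key through JCE.
// The JDK's SunPKCS11 provider wraps a vendor PKCS#11 module; every value marked
// "assumed" below must be replaced with the real values for your deployment.
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;

public class HsmSignExample {

    // SunPKCS11 configuration. "library" names the vendor's PKCS#11 shared object;
    // the path and slot index are assumed placeholders, not values from the datasheet.
    private static final String PKCS11_CONFIG = String.join("\n",
        "name = nShield",
        "library = /path/to/vendor-pkcs11-module.so",   // assumed: your PKCS#11 library
        "slotListIndex = 0");                           // assumed: first visible slot

    public static void main(String[] args) throws Exception {
        Path cfg = Files.createTempFile("pkcs11", ".cfg");
        Files.writeString(cfg, PKCS11_CONFIG);

        // Java 9+: build a provider instance from the config file and register it.
        Provider hsm = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(hsm);

        // The token PIN is read from the environment (assumed variable name) so that
        // it is not hard-coded into the application.
        char[] pin = System.getenv("HSM_PIN").toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pin);

        String alias = "example-signing-key";            // assumed key label on the token
        PrivateKey signingKey = (PrivateKey) ks.getKey(alias, pin);
        Certificate cert = ks.getCertificate(alias);

        // The PrivateKey object is only a handle into the HSM. For a non-extractable
        // PKCS#11 key the SunPKCS11 provider returns null from getEncoded(); treat
        // anything else as a misconfigured (exportable) key.
        if (signingKey.getEncoded() != null) {
            throw new IllegalStateException(
                "key material is extractable; expected an HSM-bound, non-extractable key");
        }

        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // The signature is computed inside the HSM via the provider; only the
        // resulting bytes leave the security boundary.
        Signature signer = Signature.getInstance("SHA256withRSA", hsm);
        signer.initSign(signingKey);
        signer.update(message);
        byte[] sig = signer.sign();

        // Verification needs only the public key and can run on any host.
        PublicKey pub = cert.getPublicKey();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(message);
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```

The same pattern applies to the other interfaces the datasheet lists: under PKCS#11 directly, the application holds an object handle (CKA_PRIVATE, non-extractable) and calls the signing function on the token; under Microsoft CNG, a key stored in the HSM's key storage provider is referenced by name and never serialized to the host.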
nToken delivers hardware HSM client authentication
For organizations that wish to enhance the security of their HSM clients, nToken PCI or PCI Express cards provide strong authentication of nShield Connect clients, ensuring that client servers cannot be impersonated.
CodeSafe protects data in hostile environments
All HSMs can protect key material against breaches, but most cannot actually protect your valuable data while it is in use. Data breaches have shown that Trojans or rogue administrators still have access to sensitive information on the host system after it has been decrypted by the HSM. The Thales CodeSafe technology enables you to process sensitive information inside the HSM so that it is never exposed on the host system. This enables you to run critical processes in hostile environments, for example:
- Where facilities cannot be physically secured
- Where you need to protect against rogue individuals with access to the host system
- Where host systems may be hacked or become infected by Trojans
Thales offers off-the-shelf CodeSafe applications as well as CodeSafe Developer Software to create custom applications.
Cryptography and compliance
nShield Connect supports a broad range of public-key and symmetric algorithms, including a full Suite B implementation with optional, fully licensed elliptic curve cryptography (ECC). nShield Connect's security boundary is validated to FIPS 140-2 Level 3 and Common Criteria EAL 4+. Following security best practice and to enable compliance, it separates administrative and operational duties with two-factor authentication and dual control. These operator groups can segregate access to keys by application, role, division, or geography.
Integrated services
Thales offers professional services to ensure a best practice implementation of Thales HSMs. Organizations can benefit from developer support to integrate Thales HSMs with custom applications or to develop custom applications to be executed on the HSM to process sensitive data.