

The YubiHSM 2 was specifically designed to be a number of things: lightweight, compact, portable and flexible. It is to server-side security what the YubiKey is to personal security. And as with all Hardware Security Module (HSM) devices, it affords superior protection compared to software-based alternatives - particularly at the enterprise level - because the physical separation of the secure element can prevent attackers, who might otherwise seek to subvert memory and other traceable resources across a network, from accessing them and compromising the valuable secrets therein.

The device is not only technically effective - each YubiHSM 2 is built on the same Yubico principles and has undergone the same production process as the YubiKey - but also cost-effective, at a fraction of the price of other HSM devices on the market.

Its applications are wide and varied, ranging from code signing and assurance of authenticity within manufacturing to serving as an identifier inside embedded IoT devices, but the most common use case is within public key infrastructure (PKI), storing server secrets such as the private keys and certificates used for critical signing or encryption operations. It is important, however, to highlight the one drawback of the device's smaller size when compared to a traditional HSM: the distinct limitation in its operational load capacity. The threshold will vary depending on both the algorithm and the type of operation being requested of the device, but it is likely considerably lower than that of its oversized counterparts. As a means to mitigate this issue and demonstrate that the YubiHSM 2 can in fact be incorporated even where demands are heavy, this article will propose a scalable and practical load-balanced approach: multiple devices accessed via a load balancer, so that traffic is distributed across several parallel sessions.

This tradeoff between cost, performance and size is the foremost consideration for customers when the YubiHSM 2 is being weighed as a candidate to solve the gamut of cryptographic security needs. Ultimately, the number of YubiHSM 2 devices required in the final implementation will be directly proportional to the number of cryptographic requests per second, which can be projected from metrics such as current network conditions and the number of concurrent users. Moreover, it is even possible to create failover redundancy using a similar design, in situations where availability takes priority over capacity, or simply as a sensible precaution in any practical implementation.
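To make the sizing and failover reasoning above concrete, here is an added Python model (not the article's or Yubico's code) of a pool of YubiHSM 2 devices behind a round-robin balancer. It computes how many devices a projected request rate needs, optionally with spare units for failover, and shows requests being rerouted when one device is marked down. The device names, the request rate and the per-device operations-per-second figures are constructed placeholders, not measured YubiHSM 2 throughput, which the article notes depends on the algorithm and operation.

```python
"""Capacity planning and failover model for a pool of YubiHSM 2 devices.

Constructed example (not Yubico's code). The throughput figures below are
placeholders, not measured YubiHSM 2 numbers; real limits depend on the
algorithm and the operation requested of the device.
"""
import math
from dataclasses import dataclass
from itertools import cycle

# Placeholder operations-per-second per device, keyed by request type.
PLACEHOLDER_OPS_PER_SEC = {
    "sign-ecdsa-p256": 50,   # placeholder value, not a measurement
    "sign-rsa-2048": 10,     # placeholder value, not a measurement
}


def required_devices(requests_per_sec: float, per_device_ops_per_sec: float, spare: int = 0) -> int:
    """Number of devices needed to sustain the projected request rate.

    `spare` adds devices beyond the capacity requirement so the pool still
    meets the rate when that many devices are out of service (failover margin).
    """
    if per_device_ops_per_sec <= 0:
        raise ValueError("per-device throughput must be positive")
    return math.ceil(requests_per_sec / per_device_ops_per_sec) + spare


@dataclass
class Device:
    """One YubiHSM 2 behind the balancer, tracked by health and requests handled."""
    name: str
    healthy: bool = True
    handled: int = 0


class Balancer:
    """Round-robin dispatcher that skips unhealthy devices (failover)."""

    def __init__(self, names):
        self.devices = [Device(n) for n in names]
        self._slots = cycle(range(len(self.devices)))

    def dispatch(self, request_type: str) -> str:
        """Route one request to the next healthy device and return its name."""
        # Each device is tried at most once per request; an unhealthy device is
        # skipped so its outage fails over instead of failing the caller.
        for _ in range(len(self.devices)):
            dev = self.devices[next(self._slots)]
            if dev.healthy:
                dev.handled += 1
                return dev.name
        raise RuntimeError(f"no healthy device available for {request_type}")

    def set_health(self, name: str, healthy: bool) -> None:
        """Mark a device up or down, e.g. from a periodic health check."""
        for dev in self.devices:
            if dev.name == name:
                dev.healthy = healthy
                return
        raise KeyError(name)

    def distribution(self) -> dict:
        """Requests handled per device, to confirm the load was spread evenly."""
        return {d.name: d.handled for d in self.devices}


def simulate(names, request_type, n_before, fail_name, n_after):
    """Send n_before requests, take one device down, then send n_after more."""
    lb = Balancer(names)
    for _ in range(n_before):
        lb.dispatch(request_type)
    lb.set_health(fail_name, False)
    for _ in range(n_after):
        lb.dispatch(request_type)
    return lb.distribution()


if __name__ == "__main__":
    rate = 250  # projected signing requests per second (constructed figure)
    print("devices needed:", required_devices(rate, PLACEHOLDER_OPS_PER_SEC["sign-ecdsa-p256"], spare=1))
    print(simulate(["hsm-a", "hsm-b", "hsm-c"], "sign-ecdsa-p256", 6, "hsm-b", 4))
```

With the placeholder figures, 250 signatures per second over devices rated at 50 each needs five devices, or six with one spare so that losing any single device leaves enough capacity. In the simulation, six requests land two on each of three devices; after hsm-b is marked down, the next four go only to hsm-a and hsm-c, which is the failover behaviour the article describes. In a real deployment the per-device rate would come from measuring the specific operation on the device itself.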
