Wias Issa
June 6, 2021
Data Security Encryption Key Management

The Ubiq Platform vs KMS and HSM Solutions

We are often asked how the Ubiq Platform compares to Key Management System (KMS) or Hardware Security Module (HSM) solutions. In short, an HSM solves one very specific problem, secure key storage, and a KMS can be built on top of an HSM to provide centralized key storage with policy enforcement. KMS and HSM solutions are typically designed for, and managed by, security experts and power users rather than application developers.

By contrast, the Ubiq Platform is a developer-friendly, API-first platform designed to reduce the complexity of encryption and key management to a few lines of code in whatever language you’re already using. It requires no security, cryptography, or encryption expertise whatsoever. The platform is itself built on a KMS and an HSM, so it provides the benefits of both, plus centralized policy management, metrics, and easy-to-use APIs without the boilerplate an HSM or KMS normally demands.

Now let’s dive a little deeper into each one so you can see how each works.

What is a Hardware Security Module?

A hardware security module is a device designed to solve a very specific problem: how do you protect your cryptographic keys from being stolen, even if an attacker gains highly privileged (or even physical) access to your server? The answer is an entirely separate computer, attached to your main one, that can only be used to store and operate on cryptographic keys. That device is designed to be as hardened against attack as possible: it runs a minimal embedded operating system and (hopefully) has been heavily tested for correctness bugs that might let a compromised host attack the HSM. It presents a simple interface to the host for key generation and key import, and lets the host ask it to sign, encrypt, or decrypt data. More important than the features it offers is a feature it does not offer: cleartext key export.

The HSM will allow you to export keys for archival or backup (in fact you probably will have to, since HSMs typically have little nonvolatile storage), but the exported package is itself encrypted with a key known only to the HSM. The encrypted key blob can be loaded back into the HSM, but it is useless without it, so an attacker who obtains the blob gains nothing. Thus even an attacker with complete control of your server cannot export your keys. They can still use the keys for as long as they maintain access, but every use has to go through the HSM, which greatly increases their chance of detection.

So where do you typically find HSMs? They’re typically at the root of cryptographic trust chains, holding certificate authority private keys or acting as the main cryptographic key stores for Key Management Systems, which we’ll discuss next.

So, what is a Key Management System?

HSMs seem pretty cool, but they are not a universal solution to the complex problem of encryption and key management. First, you probably have more than one server, and HSMs are expensive and somewhat complicated to manage at scale. Second, they don’t cover all your bases when it comes to enterprise data security or application-layer encryption; you still need to handle key rotation, access controls, and other policy-related problems such as which encryption parameters to use. The solution to those problems is to wrap your HSM in a Key Management System (KMS), which can be thought of as HSM-as-a-Service.

A KMS lets you store your key material centrally and then set access controls on it (principal x can encrypt data with this key but not decrypt it; principal y can decrypt with these keys but not those). This matters as a defense-in-depth measure: an attacker who compromises a single server can only ask the KMS for the operations that server’s principal is allowed, so they cannot simply have the KMS decrypt all of your data. You can also set policies such as which ciphers may be used, combine these primitives into higher-level policies for key rotation and archival, and collect metrics on which keys are used for which operations. However, a KMS is not the whole story for enterprise data encryption or application-layer encryption.

Enter, the Ubiq Platform

This brings us to the Ubiq Platform. You might be thinking to yourself “Gee, this KMS thing sounds pretty good, maybe I need one of those,” and you might even be right. But handling enterprise data security properly isn’t as simple as using an off-the-shelf KMS to interface your servers with your HSM. Using a basic KMS product to implement, enforce, and monitor enterprise-scale encryption is difficult and fraught with subtle mistakes. Actually encoding your enterprise access and key lifecycle policies into KMS access controls is hard and typically involves a lot of boilerplate code to handle key archival and rotation. The same goes for using the KMS to encrypt large amounts of data: a KMS typically accepts only small payloads per call (on the order of kilobytes), so you have to handle the “last mile” yourself: generating a data key, encrypting the bulk payload locally, and storing the wrapped data key alongside the ciphertext. That is exactly the part most application developers need the most help with in the first place!
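To make the two preceding points concrete (per-principal access controls on a KMS key, and the “last mile” of encrypting a payload larger than a KMS call accepts), here is an added example in Go. It is not Ubiq’s code, nor any vendor’s API; it implements envelope encryption against a hypothetical in-memory KMS. The master key never leaves the KMS (it stands in for the HSM-backed key, and the wrapped data key it hands out plays the same role as the encrypted key export described in the HSM section), and every request is checked against a policy before any cryptographic operation runs. All identifiers (NewKMS, GenerateDataKey, Unwrap, EncryptEnvelope, DecryptEnvelope, the principals ingest-svc and report-svc, the key ID orders-key) and the sample payload are invented for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt with AES-256-GCM and returns nonce||ciphertext||tag.
// ad is bound as associated data so a blob cannot be replayed under another key ID.
func seal(key, pt, ad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, ad), nil
}

// open reverses seal and fails on any modification of the blob or ad.
func open(key, blob, ad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], ad)
}

// Perm is the set of operations a principal may request on a KMS key.
type Perm uint8

const (
	PermEncrypt Perm = 1 << iota // may obtain a fresh data key (plaintext + wrapped)
	PermDecrypt                  // may unwrap an existing data key
)

// KMS is a hypothetical in-memory key management service. The master key never
// leaves it (in production it lives in an HSM), and policy is checked first.
type KMS struct {
	keyID     string
	masterKey []byte
	policy    map[string]Perm
}

func NewKMS(keyID string, policy map[string]Perm) (*KMS, error) {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		return nil, err
	}
	return &KMS{keyID: keyID, masterKey: mk, policy: policy}, nil
}

// GenerateDataKey mints a 256-bit data key and returns it in the clear (for local
// bulk encryption) and wrapped under the master key. Like an HSM key export, the
// wrapped blob is useless to anyone without the KMS.
func (k *KMS) GenerateDataKey(principal string) (plain, wrapped []byte, err error) {
	if k.policy[principal]&PermEncrypt == 0 {
		return nil, nil, fmt.Errorf("policy: %q may not encrypt with %s", principal, k.keyID)
	}
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.masterKey, plain, []byte(k.keyID))
	return plain, wrapped, err
}

// Unwrap returns the plaintext data key for a wrapped blob, if policy allows.
func (k *KMS) Unwrap(principal string, wrapped []byte) ([]byte, error) {
	if k.policy[principal]&PermDecrypt == 0 {
		return nil, fmt.Errorf("policy: %q may not decrypt with %s", principal, k.keyID)
	}
	return open(k.masterKey, wrapped, []byte(k.keyID))
}

// Envelope is what the application stores: the wrapped data key travels with the
// ciphertext, so the KMS only ever sees 32-byte keys, never the payload itself.
type Envelope struct {
	KeyID      string
	WrappedDK  []byte
	Ciphertext []byte
}

func EncryptEnvelope(k *KMS, principal string, payload []byte) (*Envelope, error) {
	dk, wrapped, err := k.GenerateDataKey(principal)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, payload, []byte(k.keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: k.keyID, WrappedDK: wrapped, Ciphertext: ct}, nil
}

func DecryptEnvelope(k *KMS, principal string, e *Envelope) ([]byte, error) {
	dk, err := k.Unwrap(principal, e.WrappedDK)
	if err != nil {
		return nil, err
	}
	return open(dk, e.Ciphertext, []byte(e.KeyID))
}

func main() {
	// Constructed policy: the ingest tier writes but can never read back;
	// the reporting tier reads but cannot mint new keys.
	kms, err := NewKMS("orders-key", map[string]Perm{"ingest-svc": PermEncrypt, "report-svc": PermDecrypt})
	if err != nil {
		panic(err)
	}
	payload := bytes.Repeat([]byte("order record "), 1<<16) // ~850 KB, far past a KMS per-call limit
	env, err := EncryptEnvelope(kms, "ingest-svc", payload)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(env.WrappedDK), len(env.Ciphertext))
	_, err = DecryptEnvelope(kms, "ingest-svc", env)
	fmt.Println("compromised ingest-svc trying to read:", err)
	pt, err := DecryptEnvelope(kms, "report-svc", env)
	fmt.Println("report-svc round trip ok:", err == nil && bytes.Equal(pt, payload))
}
```

A real KMS fills the same role over its network API (AWS KMS’s GenerateDataKey and Decrypt pair is the canonical instance); what the example shows is that the KMS only ever handles the 32-byte data key and the policy decision, while the bulk encryption, the envelope storage format, key rotation of the data keys, and the tamper checks on stored ciphertext are all the client’s problem. That client-side code is the boilerplate the paragraph above refers to.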

This is where the Ubiq Platform can help. Ubiq’s end-to-end application-layer data encryption solution abstracts the complexities of policy, encryption, and access controls behind a dead-simple API that also makes it as easy as possible for developers to actually get stuff done. You get automatic key rotation, enterprise-wide encryption policy enforcement, and simple access controls all under a single service that also provides easily understood metrics and a transparent billing process. All it takes is a few clicks and you’ll be encrypting data in minutes, backed by the same strong key protection described above, without having to deal with the headaches of actually implementing a full enterprise data encryption solution.

Ubiq never sees your actual data, so it remains private and secure both against attackers and against the platform itself. And Ubiq’s client libraries, including the data storage format, are open source, so you don’t have to worry about being locked into a proprietary system. Your data remains yours, period.

Quick case in point: A SaaS-based logistics platform company was in the process of implementing encryption to secure structured and unstructured data stored in both Microsoft Azure and AWS clouds across a multitude of different storage types – S3, Blob Storage, SQL databases, Apache Hadoop, to name a few. Before encountering Ubiq, the company spent well over 500 hours of R&D and at least $500,000 on 5 disparate encryption tools and solutions to solve their data security and protection problem. With Ubiq, the customer was able to integrate native encryption controls directly into the application in a matter of 3.5 weeks, providing them a single, consistent solution for encryption and key management across their multi-cloud infrastructure and diverse storage and data types.

What are some of the core use cases for the Ubiq platform?

  1. You want to build data encryption directly into your application or infrastructure (to natively protect your data)
  2. You, like most security experts, realize that at-rest and storage-layer encryption (database, file share, etc.) is mostly ineffective against modern network-based cyber-attacks (an attacker who compromises the host or the application’s database credentials reads the data through the same transparent decryption the application relies on) and you want to protect your data more effectively

Comparison of HSM/KMS/Ubiq

HSM
  Primary role: Secure key storage + operations
  Application-layer encryption: Unsuitable. Keys are by design stored only in a single location, which makes application-layer encryption impossible without huge effort.

KMS
  Primary role: Centralized key management
  Application-layer encryption: Suitable with effort. App-layer encryption requires building a large amount of boilerplate client-side code, managing encryption policy manually, and dealing with vendor-specific data formats and complex access controls.

Ubiq Platform
  Primary role: End-to-end app-layer encryption
  Application-layer encryption: Turnkey suitable. Ubiq handles app-layer encryption end-to-end, from access controls to data storage to client libraries and encryption policy.

Detailed Comparison (features compared across HSM, KMS and the Ubiq Platform)

  1. Hardware-backed secure key storage
  2. Network encryption key management and provisioning
  3. Automatic and one-click on-demand key rotation
  4. Automatic key archival and retrieval
  5. Simple encryption policy management and enforcement
  6. Developer-friendly API
  7. Dead-simple client libraries
  8. Usable with no prior encryption skills
  9. Simple, affordable, scalable billing
  10. Turn-key ready for application-layer encryption

Summary and Key Takeaways

  1. A Hardware Security Module (HSM) offers the leanest possible set of APIs to manage encryption and keys. You can use them to protect encryption keys against even OS compromise, but they are intentionally limited in features, so actually using one requires a lot of boilerplate, and they are expensive.
  2. A Key Management System (KMS) is like an HSM-as-a-service. It abstracts the HSM into a networked service on which you can set access controls and which a large number of hosts can use to encrypt, sign, and decrypt data. KMS products don’t always offer pre-made policies for enterprise-grade data encryption, so implementation often requires extra development work to customize them for your needs, and they really only handle key management.
  3. The Ubiq Platform simplifies enterprise-grade encryption into a simple, easy-to-use API and associated dashboard. You can set policies like cipher, key strength, and key rotation with a simple interface, transparent billing and metrics, and dead-simple APIs for your developers to use. Ubiq handles the complexities for you, and you get to have all the benefits of strong key storage and encryption with none of the headache or the risks involved in rolling out and supporting a custom solution.

If the Ubiq Platform sounds like it will help solve your encryption problems, sign up for a free account or drop us a line!

Get radically effective data-level protection. Get Ubiq.