Protects cryptographic keys in secure hardware
nShield Edge enables enterprises to add hardware protection to critical applications, such as offline Root CAs, registration authorities, and code signing. Using standard cryptographic interfaces, nShield Edge integrates readily with Microsoft Certificate Services (PKI), Entrust Authority Security Manager, RSA Certificate Manager, Microsoft Authenticode, and many other applications. nShield Edge modules are tamper-resistant against physical attacks.
Easy integration with laptops
Laptops have long overtaken desktop computers in sales statistics, but most HSMs are not suited for use with laptops. HSMs with a PCI card form factor cannot be used because laptops lack a PCI slot; network-attached HSMs work with laptops but are not portable and are not cost-effective when protecting only one or a few machines.
nShield Edge is a USB-attached HSM that easily integrates with laptops. About the size of a double CD case, it is highly portable and draws its power from the USB connection.
Supports virtual machines
Virtual machine technologies, also known as hypervisors, have become extremely popular because they make more efficient use of hardware resources, simplify testing and development, and abstract the hardware layer. Connecting virtual machines to HSMs can sometimes be challenging because guest systems cannot access hardware in PCI slots. One way is to connect the virtual machine to a network-attached HSM, such as nShield Connect. This works well in deployments with high performance requirements or where many machines require cryptographic services. nShield Edge provides an ideal solution where virtual machines need to access a local HSM, as in the case of offline root CAs or development environments.
Provides dual control access for valuable keys
Smart cards or USB crypto tokens are a great way to protect personal keys, but they are not adequate to protect an organization's keys. To protect these valuable keys, such as escrow keys or signing keys for root CAs or code signing, organizations should enforce dual control.
nShield Edge can require a quorum of trusted individuals to be present to authorize a signature or decrypt sensitive information. This ensures that no single individual can circumvent policies and defraud the system, or simply walk out of the door with a copy of the key. nShield Edge verifies the identity of the individuals through smart cards with passphrases, which need to be inserted into the integrated smart card reader.
Enables secure backup of valuable keys
Smart cards and USB crypto tokens also have another disadvantage: keys can either be securely generated on the token or be backed up, but not both, leaving the organization to choose between the risk of low security and the risk of data loss. While this is perfectly acceptable for personal keys, it is not an acceptable option for high-value keys.
nShield Edge generates keys inside the tamper-resistant hardware using a true random number generator. The Security World key management concept enables a secure, encrypted backup and recovery of valuable key materials without compromising security. To ensure that this process passes an audit, the recovery of the backup can require a quorum of administrators to provide their two-factor credentials.
Shares management with other nShield HSMs
nShield Edge can be managed in the same Security World as nShield Solo and nShield Connect to reduce the total cost of ownership in large HSM deployments because staff don't have to be trained on different management systems. Security World enables remote operation of HSMs in lights-out data centers, disaster recovery even for total hardware replacements, and key sharing across HSMs and geographies. Keys and meta information can be automatically backed up without requiring additional hardware or on-site presence, reducing the total cost of operations.
Provides practical solution for offline root CAs
nShield Edge is the ideal form factor for offline root certification authorities (CAs), which handle the most valuable key material in an enterprise’s infrastructure.
To protect the offline root CAs from being compromised, machines hosting the root CAs are often locked away in vaults, so laptops have become a natural choice due to their size. It is an established industry best practice to protect root keys in an HSM, but until now the two main available form factors have not been very suitable for root CAs. Network-attached HSMs are not cost-effective and too big to be locked away in a safe; PCI cards are not compatible with laptops running the CA software. As a USB-connected, small, and highly portable HSM, nShield Edge closes this gap.
Because many root CAs have a life span of 10 to 20 years, relying on the laptop hardware to continue functioning has been a risk factor. This is why it has now become industry best practice to run CAs in virtual machines, which can be stored and run independently of the laptop hardware. Many virtualization techniques are able to connect from a guest system to a USB-attached piece of hardware, enabling a connection between nShield Edge and the CA software. HSMs connecting through the PCI slots don’t have this advantage because guest systems cannot directly access such hardware.
Protects keys and key usage for registration authorities
nShield Edge is equally suited for protecting infrastructure and agent keys in registration authorities. Registration authorities are a component of a PKI that registers users and requests credentials for them. RAs typically run on a workstation and are located close to the end-users, for example in local HR offices, where the cards can be personalized with photographs, certificates, and signatures. nShield Edge enables the RA agent to carry out these tasks without compromising the security of the keys. For critical operations, nShield Edge can require a quorum of two or more people to be present to authorize a transaction.
Controls key use for code signing
Code signing is the practice of digitally signing executables, such as applications and applets, and scripts, including macros, to confirm the software author and guarantee that the code has not been altered or corrupted. This enables systems to reject malicious or foreign code not authorized to run on certain systems or devices. For example, code signing is used to ensure the authenticity of device drivers in Windows, approve apps for smart phones, and enable safe deployment of approved applications in cloud computing.
Code signing keys are very valuable and typically tied to an organization rather than a user. The theft of a code signing key could cause mayhem because the organization has the choice between revoking the key, causing many applications to suddenly fail, or opening itself up to attacks from malicious code signed in its name.
nShield Edge can enforce a quorum of authorized people to approve code with two-factor authentication credentials. Even if one of the credentials is lost or stolen, the code signing key is not compromised or lost. nShield Edge also supports a secure backup that enables an organization to securely recover the key in an emergency.
Similar high-value, low-volume signing transactions include document signing, transaction approvals, and DNSSEC.
Facilitates remote nShield HSM operations
Using the optional Remote Operator, nShield Edge’s portability makes it ideal for security personnel who need to remotely operate other nShield HSMs, such as nShield Solo and nShield Connect, in data centers around the world. Managing these HSMs cost-effectively is a major concern.
nShield Edge’s portability and USB connection make it the natural choice for use with administrative laptops. Managing HSMs remotely also requires the optional Remote Operator software.
Simplifies HSM application development
nShield Edge is perfectly suited for application developers who want to develop and test HSM integrations into their application, especially if the developer is using a laptop. Its size makes it the ideal personal HSM to be used by developers at their desks. Developers can also run the application inside a virtual machine for testing.
Ideal for branch-office deployments
As end-to-end encryption becomes more popular, organizations are increasingly deploying HSMs to their branch offices to ensure data protection. nShield Edge hardware is very easy to install or retrofit, even for non-IT personnel, making it a great choice for distributed deployments. The Security World key management philosophy also enables remote and even automated provisioning of keys to the branch office without the need for security personnel to travel to the site.
Readily integrates with third-party applications
nShield Edge integrates with applications through standard interfaces including PKCS#11, Java Cryptography Extension (JCE), Microsoft CAPI and CNG.
nShield Edge is compatible with nShield Solo and nShield Connect products and can be upgraded to support additional features using various option packs. nShield Edge supports a broad range of Windows versions.
Delivers FIPS compliance
nShield Edge supports a broad range of public-key and symmetric algorithms, including a full Suite B implementation with optional, fully licensed elliptic curve cryptography (ECC). nShield Edge's security boundary is validated up to FIPS 140-2 Level 3. Following security best practice and to enable compliance, it separates administrative and operational duties with two-factor authentication and dual control. These operator groups can segregate access to keys by application, role, division, or geography.
Ensure project success with Thales deployment services
Thales offers professional services to ensure a best practice implementation of Thales HSMs. Organizations can benefit from developer support to integrate Thales HSMs with custom applications.