Because of continuing demand for hardware security module (HSM) support for Documentum, Master Concept implemented a solution to enable Documentum Trusted Content Service inter-operate with nCipher NetHSM products

The netHSM is a highly secure, network-attached Hardware Security Module (HSM) that provides a shareable cryptographic resource for multiple servers.

Authorized applications that require access to hardware-protected cryptographic keys – from PKI and authentication systems to Web services and SSL – can share access to the netHSM over secured connections. Although dedicated HSMs are appropriate for security applications and servers that demand guaranteed availability and/or processing power, the netHSM provides a cost-effective deployment option for a variety of typical scenarios. The netHSM allows your investment in ‘hard security’ to be spread across multiple applications or servers.

• Shareable HSM
• FIPS 140-2 Level-3 validated security
• Under evaluation for Common Criteria EAL4+ certification
• Multi-layer security architecture
• Secure network communications
• Secure User Interface
• Strong authentication of requesting servers
• High performance cryptographic processing–up to 2000 TPS
• Space efficient 1U Rack mount form factor
• Elliptic Curve Cryptography support

Secure Architecture

The netHSM architecture provides a layered approach to security. Organizations can protect against a wide range of potential attacks from both internal and external sources including physical attacks and device theft, network penetration and logical attacks by insiders or malicious code. All cryptographic functions are performed within a core FIPS 140-2 Level 3 validated security boundary.

Scaleable and resilient solution

In line with all of nCipher’s HSMs, the netHSM is fully compliant with nCipher’s Security World key management framework. This enables keys to be managed and shared across installations involving multiples servers or many geographically dispersed sites.

Centralized Management

The netHSM allows a security team to centralize the management of cryptographic keys and functions while providing the same FIPS 140-2 security to multiple servers. By centralizing these security functions there is a reduced need to train regional staff and a natural separation is created between HSM management tasks and routine maintenance of servers, operating systems and application software.

Interoperable with nCipher’s dedicated HSMs

nCipher's Security World key management framework ensures that the netHSM is compatible and interoperable with the range of nCipher’s dedicated HSMs. This capability means that different nCipher HSMs can be used together in the same system and most importantly, keys can be securely migrated between different types of HSMs as circumstances change, for example as traffic levels increase. This flexibility in deploying HSMs allows system designers to choose the best configuration based on the needs of the business, not the limits of the technology.

Flexible Control

Access control lists and smartcard-based operator authentication allow individual keys or groups of keys to be logically separated and specific usage rules enforced. The netHSM can be configured for dual control and split responsibility ensuring that there is no single point of compromise. Through the use of strong authentication of the remote servers, the use of an individual key can be restricted to a specific remote server or servers. This functional separation avoids the need to impose rigid partitioning within the HSM.

High performance

The netHSM performs cryptographic processing on behalf of any or all of the remote servers. By offloading cryptographic functions from the servers the overall capacity of each server is increased. The netHSM can perform up to 2000 signing operations per second. The netHSM is a 1U, standard rack-mounted unit, offering high performance with a low impact on valuable rack space.

Addressing Regulatory Compliance