We spoke to John Cragg, Director of Strategic Partnerships at Utimaco, about the role of Hardware Security Modules (HSMs) in digital signature solutions, what eIDAS 2 looks like, and digital trust.
How do HSMs enable digital signatures?
Nobody ever goes looking for an HSM specifically; they are looking for a secure solution. Utimaco’s eIDAS 419221-5 solution was engineered to include an HSM to ensure the highest level of security. A typical enterprise will have a farm of these boxes serving many different applications, including key management and the generation and control of keys.
eIDAS is somewhat different, as it has to include the software operating within the HSM to ensure that the security and authenticity of the signature are kept and managed within the FIPS boundary of the secure solution.
Whilst HSMs are used for many applications, in some implementations of eIDAS there need to be dedicated units. For most enterprises it comes down to how they value their reputation, the data that they control and other business objectives. Any organisation that puts a high value on its reputation, data and client information should be using this level of security for all its data, including signatures.
We have a saying in our business, “software security is soft security”.
Trust is being discussed in relation to signatures and HSMs. How is that trust built, from a Utimaco point of view?
eIDAS is a perfect example of trust. The process of developing the solution started with all interested parties getting together to devise a European standard that everyone could accept as a truly trusted solution. A typical digital trust solution will involve anywhere from three to six or more vendors, different parts of the solution that come together to create the product that the customer wants to buy.
The beauty of the eIDAS solution is that it was built from the bottom up. It took many years to devise a truly end-to-end secure e-signing solution that banks, governments and high-trust organisations have bought into and accept as an authentic, trusted, secure solution under law.
We’re increasingly seeing eIDAS-like laws in other world regions, why do you think that is?
I just think that if this amount of time, money and expertise has been spent on devising a system that’s accepted across the European Union, why would you want to go and reinvent the wheel? It may not be called eIDAS and it may not be exactly the same, but it is a truly secure system for cross-border signatures and authenticity. For me, I think it should be adopted everywhere.
What about eIDAS 2 and discussions around digital identity?
Current credit cards with a chip have the potential to be exploited. You can put so much on a chip – your whole history and identity. And most people have more than one of these cards in their wallet.
It’s the same with eIDAS. There are discussions around eIDAS wallets, so why can’t we put everything in one place? Then, in everything we do in the digital world, that identity is proven. It’s substantial, it’s secure and it’s accepted everywhere. Depending on how the market responds to it, it could become everything we need.
Are you still seeing a drive from governments and other institutions for digital transformation initiatives?
Digital transformation is being driven from less digitally advanced regions who leapfrog the older, more established regions like the UK.
When you have an infrastructure like the UK banking system, which has been around for so many years, they are more reluctant to adopt technologies. They are content with existing systems and don’t want the expense of introducing new solutions, so they are much slower to appreciate the value and benefits of new technologies. This is one of the reasons why the government brought in e-banking after the financial crash: to try and force the evolution to happen quicker and allow smaller challenger banks to come onto the scene.
And with eIDAS, it wasn’t the likes of Germany or the UK or France, it was countries in South-eastern Europe. This is because countries in this region needed to build new infrastructures so they turned to the latest technology, which is eIDAS. Whereas in the USA, uptake has been slower as national adoption can be a little more complicated to implement.
With the growth of cloud, and the digitalisation of the world, we should be looking to make it secure, to make sure e-commerce works properly and to underpin our identity. Identity theft is a real problem and the eIDAS wallet is a way of stopping that happening.
Where do you see the relationship between CREAplus, Utimaco and Ascertia going in future?
It takes close collaboration between the application vendor and the HSM vendor, especially in the eIDAS world, where the whole solution needs to be certified. Both teams need to work closely together to ensure success: not just the initial certification but the ongoing support, evolution and development of the solution. So it’s really important that Ascertia and Utimaco work closely at that level.
When you look at CREAplus, they’re not only the go-to-market partner; they themselves have significant expertise and a professional services team who can support the end user in choosing the right solution and implementing it, with input from Ascertia and Utimaco.
I think the three organisations are hugely complementary; they make an excellent team in taking the solution to market, and we’ve proven that in many implementations. We can install leading-edge solutions and support customers through the choice, the decision making, the implementation and the ongoing support.