Utimaco
  • home
  • solutions
    • industries
      • banking and financial services
        • acquirer
        • card scheme
        • issuer
        • hsm-as-a-service
      • government
        • federal government
      • cloud
        • cloud-based innovation
        • multi-cloud agility
      • connected car (V2V)
      • automotive solutions
      • road infrastructure (V2I), toll collection & ITS
      • industrial IoT & manufacturing
      • energy & utilities
      • lottery & gaming
      • media & entertainment
      • telecommunications
    • applications
      • authentication
      • blockchain
      • code signing
      • database encryption
      • document signing
      • key injection
      • post-quantum crypto agility
      • public key infrastructure (PKI)
        • EJBCA
      • random number generator (RNG)
    • compliance
      • certifications & approvals
        • Common Criteria (CC)
        • FIPS 140-2
      • compliance & standardization
        • FISMA, FedRAMP, and FICAM
        • Certificate Policy of the Smart Metering PKI
        • eIDAS
        • GDPR
        • PCI DSS
        • Privacy Shield
  • products
    • general purpose HSM
      • SecurityServer Se Gen2
      • SecurityServer CSe
      • Block-safe
      • CryptoServer CP5 (eIDAS & CC)
      • CryptoServer Cloud
      • TimestampServer
      • Q-safe
    • payment HSM
      • Atalla AT1000
      • PaymentServer Se Gen2
      • PaymentServer CSe
      • Secure Configuration Assistance (SCA)
      • QuickStart Services
      • u.cloud – Atalla PaymentHSMaaS
      • u.trust 360
    • key management
      • Enterprise Key Management
    • Software Development Kit (SDK)
      • CryptoServer SDK
      • CryptoScript SDK
    • HSM simulators
      • Block-safe HSM simulator
      • CryptoServer CP5 simulator (eIDAS & CC)
      • SecurityServer simulator
      • Q-safe HSM simulator
    • form factor
      • LAN appliance
      • PCIe card
      • cloud, “HSM as a Service”
    • KeyBRIDGE
      • KeyBRIDGE POI
      • KeyBRIDGE RKD
      • KeyBRIDGE eKMS
      • TokenBRIDGE™
    • u.trust Anchor
      • u.trust Anchor CSAR
      • u.trust Anchor High Performance HSM
  • services
    • consultancy
      • PQC consultancy
    • support
    • managed services
      • Key Exchange & Escrow Service (KEES™)
    • professional services
    • Utimaco Academy
  • blog
  • downloads
    • brochures
    • data sheets
    • case studies
    • white papers
    • webinars
    • e-books
      • PQC for Dummies e-book
      • HSM for Dummies e-book
    • Utimaco Portal
      • integration guides
      • knowledge base
  • partners
    • Partner Program
      • technology partner
    • Partner Locator
  • company
    • about Utimaco
      • legal
      • terms & conditions
      • privacy
        • cookie-policy
    • locations
    • news
      • newsletter
    • events
    • contact
    • careers
    • investors
    • utimaco management
    • business ethics
    • memberships and certifications
    • engagement in research


7 Steps to Reduce Total Cost of Ownership Around HSMs to Gain Force in a Disrupting Finance Market

November 09, 2020

The financial market is undergoing significant change. This article looks at how the choice of a suitable HSM and crypto strategy supports a fast, targeted and determined pursuit of corporate goals.

In our article “Cryptography in Financial Institutions: Where Market Changes Require a Mutual Understanding by CEO and CISO – to Manage Risk AND Reduce Total Cost of Ownership”, we described the interdependence of

  • the changing competitive landscape,
  • changes driven by new regulations and standards,
  • consolidation on the supplier side of cryptographic systems, and
  • the bank's ability to pursue its goals.

In this article we dive deeper into the parameters that deserve consideration, and explain why.

Reducing Total Cost of Ownership

Severe competition and increasingly volatile markets push CEOs and CIOs to rethink their IT and bring costs down. At first glance this looks like bad timing, as attacks and attempted online fraud are becoming ever more technically sophisticated.

But a bank can solve both problems at once by moving to more modern and safer systems.

So what can be done?

 

1. Upgrading and consolidating to more performant HSM infrastructures

Version 3 of the PCI PTS HSM requirements pushes banks to lift their payment networks to more modern architectures. In particular, key management needs to be key-block enabled: keys are exchanged and stored in a format (ANSI X9 TR-31 or equivalent) in which the key's usage, algorithm, mode of use and exportability are cryptographically bound to the key material, so a key cannot be silently repurposed, for example a PIN key used as a data key. Old architectures and legacy HSMs need to be replaced, which also means adapting the banking applications' crypto interfaces.

Many old HSMs can be replaced by fewer, safer, more reliable and more performant HSM infrastructures. The number of deployed HSMs can be cut by up to 50%.
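What "key-block enabled" means at the application boundary, as an added example that is not part of the original article and not Utimaco code: a Go parser for the clear-text header of an ANSI X9 TR-31 key block, run by the application before it hands the block to the HSM. It checks that the length fields, optional blocks and MAC region are consistent with the block actually received, rejects deprecated key block versions and legacy bare keys, and applies two illustrative local policy rules. The sample key block is constructed for this example; its encrypted key data and MAC are placeholder hex, because MAC verification and decryption happen inside the HSM and are outside this code.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// TR31Header is the clear-text header of an ANSI X9 TR-31 key block plus its optional blocks.
type TR31Header struct {
	Version       byte              // 'B' (TDES key derivation binding) or 'D' (AES key derivation binding)
	Length        int               // total key block length in characters
	KeyUsage      string            // e.g. "P0" PIN encryption, "B0" BDK, "K0" key encryption, "D0" data encryption
	Algorithm     byte              // 'A' AES, 'T' triple DES, 'D' single DES, 'R' RSA, ...
	ModeOfUse     byte              // 'E' encrypt, 'D' decrypt, 'B' both, 'G'/'V' MAC, 'X' derive, 'N' no restriction
	KeyVersion    string            // two-character key version number
	Exportability byte              // 'E' exportable under a trusted key, 'N' non-exportable, 'S' sensitive
	OptBlocks     map[string]string // optional block ID -> data, e.g. "KS" key set identifier
}

var hexDigits = regexp.MustCompile(`^[0-9A-F]+$`)

// ParseTR31 parses the header and optional blocks and checks every length field against the
// block actually received. It does not verify the MAC or decrypt the key: that happens inside
// the HSM under the key block protection key. Anything rejected here never reaches the HSM.
func ParseTR31(block string) (*TR31Header, error) {
	if len(block) < 16 {
		return nil, errors.New("too short for a key block header")
	}
	h := &TR31Header{Version: block[0], OptBlocks: map[string]string{}}
	if h.Version != 'B' && h.Version != 'D' {
		// Versions A and C (variant binding) are deprecated in TR-31:2018; a bare hex key from
		// a legacy variant scheme has no header at all and fails here as well.
		return nil, fmt.Errorf("key block version %q not accepted", h.Version)
	}
	n, err := strconv.Atoi(block[1:5])
	if err != nil || n != len(block) {
		return nil, fmt.Errorf("declared length %q does not match actual length %d", block[1:5], len(block))
	}
	h.Length = n
	h.KeyUsage, h.Algorithm, h.ModeOfUse = block[5:7], block[7], block[8]
	h.KeyVersion, h.Exportability = block[9:11], block[11]
	numOpt, err := strconv.Atoi(block[12:14])
	if err != nil || block[14:16] != "00" {
		return nil, errors.New("bad optional block count or reserved field")
	}
	pos := 16
	for i := 0; i < numOpt; i++ {
		if pos+4 > len(block) {
			return nil, errors.New("optional block header overruns the key block")
		}
		// Length is two hex characters and counts the ID and length fields themselves;
		// "00" announces an extended-length block, which this parser does not handle.
		id := block[pos : pos+2]
		l, err := strconv.ParseInt(block[pos+2:pos+4], 16, 32)
		if err != nil || l < 4 || pos+int(l) > len(block) {
			return nil, fmt.Errorf("optional block %s has unusable length", id)
		}
		h.OptBlocks[id] = block[pos+4 : pos+int(l)]
		pos += int(l)
	}
	// Cipher block size (8 bytes for version B, 16 for D) governs optional block padding and
	// the encrypted key data; the MAC is one cipher block, hex encoded.
	blk, macHex := 8, 16
	if h.Version == 'D' {
		blk, macHex = 16, 32
	}
	if (pos-16)%blk != 0 {
		return nil, errors.New("optional blocks not padded to the cipher block size")
	}
	payload := block[pos:]
	if len(payload) <= macHex || !hexDigits.MatchString(payload) || (len(payload)-macHex)%(2*blk) != 0 {
		return nil, errors.New("encrypted key data or MAC has invalid length or characters")
	}
	return h, nil
}

// CheckPolicy applies the application's own rules on top of format validity; both rules are
// illustrative local policy, not TR-31 requirements.
func CheckPolicy(h *TR31Header) error {
	if h.Algorithm == 'D' {
		return errors.New("single DES keys are not accepted")
	}
	if h.ModeOfUse == 'N' {
		return errors.New("keys without a restricted mode of use are not accepted")
	}
	return nil
}

// SampleBlock is a constructed version-B block carrying a TDES PIN encryption key and a key set
// identifier. Key data and MAC are placeholder hex, not a real wrapped key.
const SampleBlock = "B0104P0TE00E0200" + // version B, 104 chars, usage P0, TDES, encrypt only, 2 optional blocks
	"KS1200604B120F9012" + // KS block, length 0x12 = 18 characters
	"PB0600" + // PB padding block, 6 characters, so optional blocks total 24 = 3 * 8
	"7B1F0D9A3C6E4F2018A5D7C9B3E1F40266ACD1E9F73B5C08" + // encrypted key data, three TDES blocks
	"A3F09C1D5E7B2468" // MAC, one TDES block

func main() {
	h, err := ParseTR31(SampleBlock)
	if err != nil {
		panic(err)
	}
	fmt.Printf("usage=%s alg=%c mode=%c export=%c optional=%v policy=%v\n",
		h.KeyUsage, h.Algorithm, h.ModeOfUse, h.Exportability, h.OptBlocks, CheckPolicy(h))
	_, err = ParseTR31("3A7F0D9A3C6E4F2018A5D7C9B3E1F402") // legacy bare key: no header, no binding
	fmt.Println("legacy key rejected:", err)
}
```

The header fields are exactly what a variant-wrapped key lacks: usage, algorithm and mode of use travel with the key and are covered by the MAC, so the HSM can refuse a PIN key presented as a data key. The parser enforces only what is visible in the clear; it is a pre-check in front of the HSM, not a substitute for the HSM's own verification.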

 

2. Moving to virtualized HSMs

The number of HSMs can be drastically reduced by applying virtualization, that is, by moving to partitioned or containerized HSMs. Technically this means that one physical banking-grade HSM hosts several virtual HSMs. The precondition is that the partitions are genuinely isolated from each other, with separate key stores, administrators and policies; otherwise consolidating the hardware also consolidates the blast radius of a compromise. If you are interested in learning how this works in practice, please get in touch.

[Figure: Move to virtualized HSMs]

3. Delegating banking applications partially to the cloud

The public cloud is a trade-off for banks. If not properly addressed, it opens flanks such as external hosting and data travelling across the internet. But it also brings many advantages: financial savings, flexibility, scalability and global reach.

The opening of banking APIs and the gradual replacement of old mainframe architectures by challengers like Microsoft, Oracle or SAP are even moving parts of the bank's core applications to the cloud.

This approach carries the following risks:

  • The cloud provider is the master of all crypto that takes place in the cloud. The bank lays its security, and hence its trustworthiness, in the hands of a third party;
  • Managing all data, all applications and the cryptographic keys gives the cloud service provider access to all sensitive data;
  • Changes in regulations, emerging security risks and changes in policies (e.g., geographical segmentation) may require rapid responsiveness and room for manoeuvre by the bank. If the bank depends on the cloud service provider, it cannot act autonomously;
  • The bank is pushed into a vendor lock-in, as data is tied to whoever holds the key to it.

The bank loses its capacity for end-to-end key management if some of its cryptographic keys are managed by various cloud service providers. In that case, only the keys for data held in the local data center remain in the bank's hands.

The way out is a crypto server cloud in which the keys are managed by the bank in secure, banking-grade HSMs under its own control. Data in the cloud is then encrypted under keys the cloud provider never holds, and if the bank wants to move data from one cloud to another, it can do so without vendor lock-in.

[Figure: Utimaco hybrid cloud]
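To make the "keys stay with the bank" point concrete, here is an added Go example, not from the original article and not any vendor's API, of envelope encryption with a bank-held key encryption key. A stand-in BankHSM type holds the KEK and exposes only wrap and unwrap of data encryption keys; the cloud provider stores ciphertext plus the wrapped DEK and can read neither. The type and function names, the AES-256-GCM choice and the sample record are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts under key with a fresh nonce and returns nonce || ciphertext || tag.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; it fails on a wrong key, any tampering or a mismatched aad.
func openWith(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// BankHSM is a stand-in for an HSM under the bank's own control (not any vendor's API). The key
// encryption key (KEK) is generated inside it and never leaves; callers only get wrap and unwrap.
type BankHSM struct{ kek []byte }

// NewBankHSM generates a fresh 256-bit KEK inside the stand-in HSM.
func NewBankHSM() (*BankHSM, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return &BankHSM{kek: kek}, err
}

// WrapDEK binds the dataset identifier as associated data, so a wrapped DEK cannot be replayed
// against another dataset.
func (h *BankHSM) WrapDEK(dek []byte, dataset string) ([]byte, error) {
	return sealWith(h.kek, dek, []byte(dataset))
}

func (h *BankHSM) UnwrapDEK(wrapped []byte, dataset string) ([]byte, error) {
	return openWith(h.kek, wrapped, []byte(dataset))
}

// Envelope is everything the cloud provider stores. Without the bank's KEK none of it is usable,
// which is what makes it safe to copy from one provider to another.
type Envelope struct {
	Dataset    string
	WrappedDEK []byte // DEK under the bank's KEK
	Ciphertext []byte // data under the DEK
}

// Seal encrypts plaintext under a one-off DEK and has the bank's HSM wrap that DEK.
func Seal(h *BankHSM, dataset string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer func() { // the clear DEK exists only for the duration of this call
		for i := range dek {
			dek[i] = 0
		}
	}()
	ct, err := sealWith(dek, plaintext, []byte(dataset))
	if err != nil {
		return nil, err
	}
	wrapped, err := h.WrapDEK(dek, dataset)
	if err != nil {
		return nil, err
	}
	return &Envelope{Dataset: dataset, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open has the bank's HSM unwrap the DEK, then decrypts. It works on a copy held by any provider
// and fails for anyone who does not hold the KEK.
func Open(h *BankHSM, env *Envelope) ([]byte, error) {
	dek, err := h.UnwrapDEK(env.WrappedDEK, env.Dataset)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, env.Ciphertext, []byte(env.Dataset))
}

func main() {
	bank, _ := NewBankHSM()
	env, _ := Seal(bank, "cards/batch-2020-11", []byte("constructed sample record"))
	atProviderB := *env // migration: a copy now sits at provider B; nothing was decrypted
	pt, err := Open(bank, &atProviderB)
	fmt.Printf("bank reads at provider B: %q (%v)\n", pt, err)
}
```

Moving data between providers is a copy of the envelope: the bulk ciphertext is never decrypted and the provider's own key store never enters the path, while a provider-operated KMS holding a different KEK cannot unwrap the DEK at all. The dataset identifier is authenticated as associated data, so a wrapped DEK cannot be re-pointed at another dataset. In a real deployment the stand-in type would be replaced by calls to the HSM's key-wrapping interface, so that the KEK and the clear DEK stay inside the HSM boundary.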

4. Making the architecture less complex and more straightforward

Reducing the number of devices involved makes their management more economical and will most probably reduce the purchase price.

Another aspect is to choose full-line crypto providers that supply HSMs and key management from a single source and readily provide the interfaces and key blocks required by the variety of applications. This also makes banks faster in time-to-market, as interfaces are available, integration is simple (ideally via standard APIs) and fewer counterparts are involved.

5. Merging payment and general-purpose HSMs

Let us address a holy grail. Why not bring payment and non-payment applications into the same banking-grade HSM architecture? If all compliance requirements are fulfilled, nothing speaks against it; in practice the consolidated platform must carry the approvals both worlds demand, such as PCI PTS HSM on the payment side and FIPS 140-2 or Common Criteria on the general-purpose side. It will definitely impact the bank's internal structures and risks opposition, as internal headcount may also be reduced.

Consequently it may require an empathetic, HR-oriented approach rather than a purely technical one. C-level managers should be aware that team members' opinions on merging the two worlds may be driven more by fear of job loss than by technical concerns.

6. Making the banking architecture flexible and crypto-agile

Time-to-market was already addressed in the previous section; it returns here in the form of crypto-agility. New applications, new strategic targets or new regulations may require changes in applications as well as in the cryptography.

The answer to both is crypto-agility. Banks need architectures that are flexible enough to rapidly integrate new applications, built or deployed in-house, or connected via open APIs from external service providers.

At the same time, cryptography needs regular updates, driven by external threats, changes demanded by regulators or the advent of quantum computing and the post-quantum algorithms that answer it.

Crypto-agile HSM architectures keep operating costs controllable: algorithms, key lengths and key formats can be changed by configuration and firmware update rather than by replacing hardware and rewriting applications. It would be fatal to save money in the purchase phase and end up, after a short time, with a monolithic, proprietary and non-agile architecture.

7. Following a dual-vendor strategy

We keep coming back to lock-in. Serious infrastructure management involves risk mitigation, which implies always having at least two vendors providing HSM solutions. This dilutes the cost gains from centralization, but retains independence from a single dominant supplier. It also reduces downtime and migration effort if one vendor disappears due to financial or contractual problems. A second vendor is only a real option if keys and applications are not tied to the first vendor's proprietary formats; the standard key blocks and standard interfaces of steps 1 and 4 are what make the strategy workable.

References and Further Reading

  • Read more on TCO in our series on total cost of ownership (2019 – today), by Dawn Turner, Ulrich Scholten, Utimaco and others
  • Read more on banking and payment using cloud resources in our series on cloud subjects (2019 – today), by Martin Rupp, Dawn Turner, Ulrich Scholten, Utimaco and others
  • McKinsey on Payments (2020), by McKinsey & Company
  • Winning in a world of ecosystems (2019), by McKinsey & Company
  • Platform-based innovation management: Directing external innovational efforts in complex self-organizing platform ecosystems (2010), by Simone Scholten & Ulrich Scholten
  • Global Banking Practice – The ecosystem playbook: Winning in a world of ecosystems (2019), by McKinsey & Company
  • The power of many: Corporate banking in an ecosystem world (2019), by McKinsey & Company
  • Platform-based Innovation Management: Directing External Innovational Efforts in Platform Ecosystems (2011), by Simone Scholten & Ulrich Scholten
  • Composite Solutions for Consumer-Driven Supply Chains (2010), by Simone Scholten, Ulrich Scholten and Robin Fischer. In: Bogaschewsky R., Eßig M., Lasch R., Stölzle W. (eds) Supply Management Research. Gabler
  • Banking-as-a-Service – what you need to know (2016), by Ulrich Scholten
  • Banking as a Service – The bank's perspective (2017), by Gaurav Sharma
  • Digital Bank: Strategies to launch or become a digital bank (2014), by Chris Skinner

EMEA

Utimaco IS GmbH
Germanusstraße 4
52080 Aachen
Germany
Phone: + 49 241 1696 200

Americas

Utimaco Inc.
900 E Hamilton Ave., Suite 400
Campbell, CA 95008
USA
Phone: +1 844 UTIMACO

APAC

Utimaco IS Pte Limited
80 Raffles Place,
#32-01, UOB Plaza
Singapore 048624
Phone: +65 6622 5347

© 2021