
HSMs in banks – A case for a multi-sourcing strategy for critical tech infrastructure

November 09, 2020

Supply chain optimization has been one of the primary ways to squeeze a bit more efficiency out of a business process for some time now. Over time, companies have perfected various strategies such as just-in-time inventory management and co-locating vendors in the same industrial park as themselves. However, an excessive push towards supply chain and vendor optimization has increased risks, as the logical conclusion of such unabated cost optimization is often a single sourcing strategy.

This single sourcing strategy is not unique to just manufacturing though. The same vendor strategy is often applied in the service sector to get the same benefits. Companies enter into contracts with just one vendor to provide a service across their global footprint. It’s not uncommon to find a single global vendor handling IT support everywhere and another single vendor handling travel and logistics, and then another single vendor for hardware or software and so on.

However, this strategy of single source procurement highlighted above is not without its risks. This is true for both important supply chain linkages as well as critical vendor services. Many companies treat procurement as a function where the goal is to minimize the cost of procurement. While cost is obviously an important factor, every operational and financial decision should take the risk component into account as well.

This risk traditionally used to be restricted in scope, but today the biggest risk perhaps is the reputational damage that may result from a security breach or fraud. Such disasters can be hard to recover from.

So at the end of the day, the question to be asked is this: What procurement strategy can give you the best return while restricting risk to a level that you are comfortable with?

Building a deeper procurement capability

If we look at the Hardware Security Module (HSM) market in particular, it is currently dominated by very few players following some recent consolidation. In such a scenario, it might make sense for large organizations which rely on HSMs, like banks for example, to have some built in flexibility in terms of their hardware sourcing strategy.

A multi-sourcing approach to vendor risk management requires this flexibility to be built into the procurement process. Since the vendor qualification process can be long and tedious for organizations with a global footprint, it might make sense to get the ball rolling sooner rather than later from a vendor risk management perspective.

In addition to the vendor risk management benefits, a multi sourcing strategy also ensures cost competitiveness, better service levels and access to diversified pools of industry experience. The disadvantage of such a strategy is of course the additional time and cost of vendor qualification and having two disparate systems in operation. Whether the benefits of the strategy outweigh the costs is a decision that each business has to make based on its unique circumstances.

The compromise between vendor independence and cost consolidation

Multi-sourcing also has disadvantages. Managing inventory across multiple vendors increases costs. Key management also becomes problematic, in particular when HSMs from smaller niche vendors are deployed that lack APIs and proven, reliable integration with the key management systems. Smaller vendors also add organisational risk, including a potential lack of sufficient and timely emergency support or simply the risk of the vendor’s disappearance from the market.

The global HSM market is undergoing strong consolidation. Small players are disappearing. The top 3 vendors are consolidating their lead through an M&A strategy, incorporating relevant followers or niche players and rounding out their portfolios.

The current consolidation of HSM vendors in the global market, combined with banks striving for cost-efficient and reliable processes, has led to the emergence of a dual sourcing strategy, in which banks prefer to source from the top 3 vendors and to run 2-3 solutions in parallel.

Banks achieve crypto-agility through key management systems that can handle the major HSMs and allow switching from one system to another within an acceptable time delay. Introducing a crypto abstraction layer (middleware) between HSMs and applications provides an additional means of managing multiple HSMs and accelerates migration from one HSM to another.
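The abstraction layer described above can be sketched as follows. This is an added example, not code from Utimaco or any HSM vendor: `HsmBackend`, `SoftwareStandIn`, `CryptoLayer` and the key label are hypothetical names, and the two backends are constructed software stand-ins using HMAC-SHA256 in place of real vendor adapters. It shows how versioned key references let new operations move to a second vendor while data protected under the first vendor's key still verifies, with no key export and no application change.

```python
import hashlib
import hmac
import secrets
from typing import Protocol


class HsmBackend(Protocol):
    """Minimal surface the layer needs from any vendor adapter (hypothetical)."""
    def generate_key(self, label: str) -> None: ...
    def mac(self, label: str, data: bytes) -> bytes: ...


class SoftwareStandIn:
    """Constructed stand-in for a vendor adapter; a real one would call the
    vendor's PKCS#11 module or SDK and the key would never leave the HSM."""
    def __init__(self, vendor: str) -> None:
        self.vendor = vendor
        self._keys: dict[str, bytes] = {}

    def generate_key(self, label: str) -> None:
        self._keys[label] = secrets.token_bytes(32)

    def mac(self, label: str, data: bytes) -> bytes:
        return hmac.new(self._keys[label], data, hashlib.sha256).digest()


class CryptoLayer:
    """Applications name a logical key; the layer maps it to (backend, version)."""
    def __init__(self) -> None:
        self._versions: dict[str, list[HsmBackend]] = {}

    def provision(self, label: str, backend: HsmBackend) -> int:
        """Create the next key version on `backend` and make it the active one."""
        versions = self._versions.setdefault(label, [])
        backend.generate_key(f"{label}/v{len(versions)}")
        versions.append(backend)
        return len(versions) - 1

    def protect(self, label: str, data: bytes) -> bytes:
        version = len(self._versions[label]) - 1      # always the newest version
        tag = self._versions[label][version].mac(f"{label}/v{version}", data)
        return bytes([version]) + tag                 # version travels with the tag

    def verify(self, label: str, data: bytes, token: bytes) -> bool:
        versions = self._versions.get(label, [])
        if not token or token[0] >= len(versions):
            return False                              # unknown key version
        version = token[0]
        expected = versions[version].mac(f"{label}/v{version}", data)
        return hmac.compare_digest(expected, token[1:])
```

Calling `provision` a second time with a different backend is the cutover: the old HSM stays in service only until everything protected under its key version has expired or been re-protected.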

Conclusion

Banks face a dilemma between maximizing vendor independence, limiting inventory and procedural costs, and minimizing recovery times after incidents. A dual sourcing policy emerges as the silver bullet for that dilemma.
