- Maria Holler
So what is the answer for those who can't afford an HSM or want an alternative to HSMs?
November 27, 2018 / by Jeremy Spilman
BlindHash Cyber Protection is similar to an HSM in some ways -- both are an additive layer of security to protect crucial secrets, even if an attacker is able to access the database. But the BlindHash approach is quite different. Instead of playing the same game of trying to hide a tiny secret key from an attacker, we protect secrets with our patented data pool model. With BlindHash, an attacker would have to physically steal the entire data pool off our servers. Simply because of the physics of the pool's size versus the speed of the network, such a theft becomes easy to detect and easy to defend against.
It's a matter of approach. Instead of trying to hide a single key behind an "impenetrable fortress", we make the fortress itself the key. You don't have to rotate your own keys on the HSM and actively manage that process; our data pool continues to grow larger, making it more secure, so your protected key, password, or code automatically benefits from that increased protection.
HSMs are a powerful tool, and a system that utilizes one is certainly more secure than one that does not. Our goal with BlindHash Cyber Protection is to emulate and improve on their protection and to do so at a greatly reduced cost -- taking the risk of a password breach off the table, and allowing your users to log in securely with simple, memorable passwords. We do this with a published algorithm that has been vetted by industry experts, and a system that is highly resilient to intrusion.
No single piece of defensive equipment, be it firewall, IPS, malware scanner, or HSM, will prove to be impenetrable. Layers of defense can stop or slow an attacker, or at least perhaps raise an alert that an attack is occurring. A resilient system like BlindHash is designed with the expectation that breaches will occur, and with the ability to maintain the security of protected secrets even in the face of such a breach.
Part One of this blog post: An Alternative to HSM's