Using an HSM in a service model solves the major problem of lack of skills
Interview, Stefan Auerbach, CEO Utimaco
What has been the evolution of the HSM market in recent years?
Where is the company going?
The Hardware Security Module (HSM) market has been growing steadily. According to research we did with IDC last year, we expect the HSM market to grow from 550m Euro in 2020 to 819m Euro in 2014, with most of the growth coming from General Purpose HSMs.
Utimaco has not only participated in that growth but has actually been growing much faster than the HSM market: within the past three years, we have doubled our revenue, both through organic growth and several strategic acquisitions that enabled us to expand our product and solution portfolio as well as our regional presence. Our plan is to continue on that growth path, supported by the increasing need for cybersecurity solutions in our digitized connected world.
What do you think is driving your demand?
We see three main trends that will be driving our business over the next few years: Usage-based IT, IoT Platform Security and Government Regulation.
Enterprises are increasingly migrating to public and private cloud services which allows them to create an IT infrastructure that is flexible and adaptable to their changing IT requirements. This trend has even gained in momentum with the corona pandemic. However, it tends to make IT infrastructures more complex, and it makes key sovereignty a new concern for organizations. Often, they will be using a combination of Cloud Service Providers (CSP) instead of relying on only one (according to a Kentik report released in 2019, 58% of business professionals reported using more than one of the three major cloud service providers Amazon Web Services (AWS), Microsoft Azure, and Google Cloud). Managing security and key sovereignty in these Multi-cloud environments is a major challenge that Utimaco can help solve by enabling them to retain control over data encryption and encryption key management.
Secondly, we have heard a lot about the Internet of Things (IoT) over the past years, and with 5G becoming more and more available, this enables new IoT business models across various industries which in turn require secure key and access management. For example, OEMs in the Automotive industry need to orchestrate complex and decentralized technical cybersecurity architectures to identify and manage connectivity components, secure data and OTA transmissions. We are working with Tier1 automotive suppliers to protect components from manipulation and hacking with our key injection and key management solutions. The automotive manufacturers do this to secure their systems of course, but also to comply with regulation such as the IEC 62443 set security standard for Industrial Automation and Control Systems (IACS) in production plants as well as the UNECE WP.29 defining cybersecurity requirements for Electronic Control Units (ECU).
Regulation like this is another key driver for our business, either through the introduction of new regulation e.g., in IoT to address vulnerability issues or with standards such as PSD2 or eIDAS which aim at giving consumers more flexibility and more security in digital financial transactions. You could say that defining a secure, authenticated, tamper-proof digital identity to guarantee transparency and trust is the ultimate aim of most regulations, and creating that kind of trust through security is our core business.
Is the market prepared for the HSM as-a-service proposal?
We believe that the as-a-service model will become an integral part of almost every business infrastructure. We started developing cloud-service based solutions for our portfolio several years ago and acquired the British Payment HSM as-a-service specialist MYHSM at the end of last year to strengthen our position in that area.
The corona pandemic has certainly helped to accelerate the trend towards service-based models as they offer great advantages in terms of agility and flexibility. Consuming a highly sophisticated security feature like an HSM in a service model by specialized providers with excellent expertise in that area also solves the severe skill shortage issue that many organizations already face today.
We see strong interest in our as-a-service offerings, both from HSM “newcomers” like Fintech, that cannot rely on the large IT infrastructure of traditional banks but still are required to comply with the same security regulations, as well as from long-term on premise HSM customers that are looking to complement their existing HSM installations with as-a-service capabilities to increase performance during peak times as needed.
In the last year, Utimaco has acquired three companies (MYHSM, exceet Secure Solutions and REALSEC) and there has been a change in the shareholders (SGT Capital). What has been the impact of these acquisitions? What is the current situation of the company?
The acquisitions of MYHSM, exceet and REALSEC are part of our strategic plan to grow Utimaco by strengthening and expanding our solution portfolio as well as our global presence. We are already having great customer conversations for example through the combination of our key management and PKI solutions or with REALSEC customers who now have access to Utimaco’s cloud and as-a-Service offerings. While Utimaco already had a strong presence in Europe and the US, we can now also serve Spain and the big Latin American market, and we are actively looking into increasing our footprint in the APAC region where fast digitization creates a very interesting market and demand for our cybersecurity solutions.
Utimaco is a very healthy and dynamic company, and we are confident that we can maintain our course of on average 20% year over year growth. The change in shareholders to SGT Capital is still subject to approval by the authorities; we expect the process to be closed in the next few months.
What is your customer profile?
Our customers are large enterprises and institutions, traditionally in the banking and financial services and the telecommunications industries, but more and more also in the automotive and Industrial IoT space. Government bodies and authorities are also long-term customers, and every organization that is part of critical infrastructures has always had demand for cybersecurity solutions like ours.
Additionally, we have a global partner network and through their often very specialized solutions we are also addressing other market segments or regional markets where Utimaco itself does not have a presence.
What is the positioning of Utimaco against technologies such as blockchain? 5G? IoT?
Both 5G and IoT are very important drivers for our business, I mentioned IoT Platform Security as a key driver earlier. The implementation of IoT is often closely linked to 5G but 5G also creates data encryption requirements that we address with our telecommunications customers.
We have created the Smart City overview below that shows our ambition and relevance in both areas, as such a connected Smart City depends on 5G and IoT to be realized, but it also highlights that Utimaco’s cybersecurity solutions are vital to ensuring security, transparency, data integrity and data intelligence in the entire ecosystem and are effectively its root of trust.
Blockchain, too, is a very interesting and highly relevant technology that we and REALSEC have been investing in: Blockchain technology enables companies to evolve their digital business processes and include critical supply chains in a highly secure manner. The auditability of transactions in the blockchain is the core of its success, but as more and more companies develop and deploy blockchain technologies, it is essential to adequately protect the transactions they store. An HSM is crucial to securing blockchain systems to cryptographically protect the information stored in them, maintain information integrity, and ensure audit compliance. With Block-safe, launched in 2019, we have developed a product that enables companies to generate, manage and protect cryptographic keys for blockchain applications.
What plans do you have for the Spanish-language markets? Relationship with the distribution channel?
The Spanish-speaking market is very important for us, and we want to build on the excellent position and reputation that REALSEC has by ensuring continuity in customer service and its high product quality. At the same time, we believe that customers in those markets can and will benefit from the new portfolio elements that Utimaco can offer – I think I mentioned earlier that we have seen almost instant interest and positive feedback for example on our cloud and as-a-service solutions.
We are all very excited about the opportunities created by the combined strength of Utimaco and REALSEC, not only with our direct customers but also with our channel partners.
Worried about quantum computing and its impact on HSMs?
I am glad you mention quantum computing and by extension post quantum cryptography, as this is something we have identified early on as a very relevant issue and have been working on for years.
Many forms of asymmetric cryptography use 256-bit encryption, generally accepted as the gold standard, and breaking that encryption by correctly guessing a 256-bit encryption key would take millions of years. However, for quantum computers this operation could take hours, maybe even minutes. Therefore, quantum computing can be a worry for encryption algorithms in use today, but only if you consider this as a topic in the far away future that you need not address today.
It is true that we do not know when quantum computers will become available, but just look at the progress made by Chinese scientists who claim to have built not one but two quantum computers that are ten million times faster than even the most powerful conventional supercomputers and one million times more powerful than Google’s Sycamore processor. What organizations can and should do as soon as possible is prepare: analyse your data protection requirements today and see where quantum computing will make you vulnerable.
We have created a PQC Consultancy program to help companies in that analysis and the next steps, i.e. creating a PQC transition roadmap. https://www.utimaco.com/services/consultancy/pqc-consultancy
Tools like our Q-Safe simulator or our Q-Safe firmware extension allow them to experiment with the impact of quantum-safe algorithms on their IT infrastructure or even implement some of the new encryption algorithms today to become crypto-agile.
Coming back to your question: we are not worried that quantum computing will harm HSMs or our business as we see this as an evolution of cryptography and encryption technology. We have been preparing and will continue to create trust in the quantum age.