IBM Sterling Ideas

formerly Watson Supply Chain


Security enhancements for HSM

Minimum security requirements:
• The cryptographic strength of a wrapping key must be at least as strong as the keys it is protecting. RSA 2048 does not meet the protection for AES256 keys.
• Alerting must be in place when the password file system is read by a user account other than the SFG system account.
• Where a solution/technology has been designed to operate with an embedded HSM card and/or HSM appliance from a vendor and the HSM is used to perform cryptographic functions (e.g. encrypt, decrypt, key generation, key wrapping, data signing, etc.), then at a minimum the HSM must be used to protect master keys and the private portion of asymmetric keys. Note: storing a key in an HSM exclusively for key backup/archival purposes is not a cryptographic function.

For elevated cryptographic security:
• Use an HSM to randomly generate keys, i.e. AES keys used for data encryption.
• When session keys are not stored within an HSM (for future use), encrypt data encryption/session keys for system storage using a master wrapping key retained exclusively within an HSM.
• Connect to the HSM using the minimum required version of TLS (currently 1.2).
• Maintain persistent connections to the HSM; however, periodic connection refreshes are recommended (e.g. daily).
• For implementations where a password must be presented to an HSM when connecting, retain the password in an external password management system (example: Centrify).

  • Guest
  • Nov 1 2018
  • Needs review
How will this idea be used? Enhance security around HSM

What is your industry? Financial Markets
What is the idea priority? Medium
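As an added example, not part of the submitted idea, the following Python check walks a key inventory and flags the two conditions the first and third minimum requirements describe: a wrapping key weaker than a key it protects, and a wrapping chain whose root is not HSM-resident. The Key record and the sample inventory are constructed for illustration; the RSA figures are the comparable-strength values from NIST SP 800-57 Part 1.

```python
"""Key-hierarchy check (added example, hypothetical Key record): a wrapping key
must be at least as strong as every key it protects, and each chain's root must
be resident in the HSM. Strengths follow NIST SP 800-57 Part 1, Table 2."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# RSA modulus size -> comparable security strength in bits (NIST SP 800-57 Part 1).
RSA_STRENGTH = {2048: 112, 3072: 128, 7680: 192, 15360: 256}

@dataclass
class Key:
    name: str
    algorithm: str                    # "AES" or "RSA"
    bits: int                         # AES key size or RSA modulus size
    in_hsm: bool                      # key material never leaves the HSM
    wrapped_by: Optional[str] = None  # name of the wrapping key; None for a root key

def strength(key: Key) -> int:
    """Comparable security strength in bits; unlisted RSA sizes score 0."""
    if key.algorithm == "AES":
        return key.bits
    if key.algorithm == "RSA":
        return RSA_STRENGTH.get(key.bits, 0)
    raise ValueError(f"unsupported algorithm: {key.algorithm}")

def check_hierarchy(keys: Dict[str, Key]) -> List[str]:
    """Return one finding per violated requirement; an empty list means compliant."""
    findings = []
    for key in keys.values():
        if key.wrapped_by is None:            # root of a chain: must live in the HSM
            if not key.in_hsm:
                findings.append(f"{key.name}: root key is not resident in the HSM")
            continue
        wrapper = keys.get(key.wrapped_by)
        if wrapper is None:
            findings.append(f"{key.name}: wrapping key {key.wrapped_by} is not in the inventory")
        elif strength(wrapper) < strength(key):
            findings.append(f"{key.name}: {wrapper.algorithm}-{wrapper.bits} wrapping key "
                            f"({strength(wrapper)}-bit) is weaker than the protected "
                            f"{key.algorithm}-{key.bits} key ({strength(key)}-bit)")
    return findings

# Constructed sample: RSA-2048 wrapping AES-256 (the case called out above), a compliant AES chain, and a private key outside the HSM.
SAMPLE = {k.name: k for k in [
    Key("mk-rsa", "RSA", 2048, in_hsm=True),
    Key("dek-1", "AES", 256, in_hsm=False, wrapped_by="mk-rsa"),
    Key("mk-aes", "AES", 256, in_hsm=True),
    Key("dek-2", "AES", 256, in_hsm=False, wrapped_by="mk-aes"),
    Key("sig-key", "RSA", 3072, in_hsm=False),
]}
```

Running `check_hierarchy(SAMPLE)` reports two findings: dek-1 is protected by a 112-bit RSA-2048 wrapper, and sig-key is an unwrapped private key held outside the HSM.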