
Thursday, 30 October 2008

Using HSMs

Have you ever witnessed the fury of the good bourgeois Jacques Bonhomme when his terrible son has managed to break a pane of glass? If you have been present at this spectacle, you will surely also have noticed that all the onlookers, were there thirty of them, seem to have agreed among themselves to offer the unfortunate owner this uniform consolation: "It's an ill wind that blows nobody any good. Such accidents keep industry going. Everyone has to live. What would become of the glaziers if no one ever broke any windows?"

Frédéric Bastiat, Ce qu'on voit et ce qu'on ne voit pas (1850)

Using hardware security modules that do cryptographic operations is fairly difficult unless that's what you specialize in. This means that if you're a security vendor, you often need to hire a consultant to help you integrate an HSM into your products. This might sound like a good idea, particularly in uncertain economic times.

By hiring a consultant, we're giving the consultant money that he then uses to buy stuff in the local economy. The people that he buys stuff from do the same, and the result is a chain of purchases that multiplies the effect of the money that we spent on the consultant and makes the local economy grow. This certainly sounds like a good thing, doesn't it? So maybe the fact that HSMs are extremely difficult to use is actually a good thing. It's like a government stimulus package for the economy, but on a smaller scale.

But as Frédéric Bastiat pointed out over 150 years ago, the idea that such spending is good for the economy is not true. It assumes that we wouldn't do anything else with the money that we'd have to spend on a consultant. This is never the case. In any business, there is never enough of anything. There's always more demand for cash than we have cash to spend. We could hire additional sales people. Or we could spend the money helping our channel partners. Or we could hire additional engineers. We could even buy some more of those balls that light up when they're bounced that are so popular at trade shows.

There's never enough money to do all of these, so when we have to spend money on consultants to help us get an HSM functioning, that means that we can't spend it on other things, like giving customers features that will make our products easier to use and thus save them money on the costs of supporting and operating our products.

The fact that HSMs are hard to use doesn't really benefit anyone, not even the manufacturers of the devices. You really have to wonder why they don't take the time to make their products more usable.   
