Vendor-neutral advisory for Malaysian banks, fintechs and regulated enterprises. Cryptographic posture review, HSM and KMS selection, PKI architecture, key lifecycle governance and post-quantum migration planning aligned to BNM RMiT, ISO 27001:2022 and NIST SP 800-57.
Cryptography used to be invisible engineering. In 2026 it is a board agenda item. Three forces drove the change. First, regulators caught up: BNM RMiT's paragraph 10 series sets explicit expectations on cryptographic key management for licensed financial institutions, and ISO/IEC 27001:2022 consolidated the 2013 Annex A.10 cryptographic controls into A.8.24 (use of cryptography), with documented policy, key-management and lifecycle expectations that auditors now test for evidence rather than intent. Second, the post-quantum transition forced every CISO to articulate a multi-year migration plan. Third, cloud and SaaS sprawl scattered key material across half a dozen control planes: AWS KMS, Azure Key Vault, Google Cloud KMS, the on-prem HSM cluster, and the SaaS-vendor-managed keys nobody can fully inventory.
The result is that “we have HSMs” is no longer an answer to an auditor or an examiner. The question is whether you have a current cryptographic inventory, whether each key is mapped to a documented purpose and lifecycle, whether the operational ceremonies are evidenced, and whether you have a credible roadmap for post-quantum migration. Our advisory engagement is the operational layer that produces those answers.
The opening engagement block is a structured discovery: every system that handles sensitive data, the algorithm and key length protecting that data at rest and in transit, the source of the keys, the rotation cadence, the access-control model around the key material, and the audit trail. Output is a cryptographic inventory — a single source of truth that maps data classification to algorithm to key to system. Most Malaysian banks we engage have never had this artefact before; the discovery alone surfaces 15-30 material findings (deprecated TLS, unmanaged self-signed PKI, application-side AES-128-CBC where AES-256-GCM is policy, hardcoded symmetric keys in legacy applications, dormant HSM partitions still holding live keys).
Vendor selection is driven by integration profile, regulatory scope, on-prem vs cloud strategy and 5-year TCO. We have delivery experience across the leading platforms:
Thales Luna / DPoD: Mature on-prem HSM with broad partition model; DPoD for cloud-native HSM-as-a-service. Strong PKCS#11, KMIP and JCA support.
Entrust nShield: Strong CodeSafe (in-HSM application execution), well-suited to payment HSM workloads, FIPS 140-3 Level 3 certified models.
Utimaco: European supply chain, payment HSM line (Atalla AT1000 successor), strong public-CA market presence.
AWS CloudHSM: Customer-controlled HSM in AWS; pairs with AWS KMS custom key store. Use when AWS-native is the mandate.
Azure Dedicated HSM: Customer-controlled or Microsoft-managed HSM options in Azure; pairs with Azure Key Vault.
Google Cloud HSM: FIPS 140-2 Level 3 HSM behind the Cloud KMS API. Use when GCP-native is the mandate.
The NIST SP 800-57 lifecycle (generation, distribution, storage, use, rotation, archival, destruction) sounds simple in a textbook and is deeply operational in practice. Our advisory work makes each phase auditable:
Internal PKI is the silent infrastructure that nobody owns until it breaks. Root CA offline procedures, intermediate CA hardening, certificate-template governance (the AD CS attack surface — see our AD attack paths article), automated certificate lifecycle (ACME for internal, Sectigo/DigiCert/GlobalSign integration for external), short-lived certificate strategy, certificate revocation distribution (CRL/OCSP), and HSM-backed root and intermediate keys. We design the target-state PKI and the migration path from your current state — usually a mix of legacy Microsoft AD CS, point-solution PKI, and SaaS-vendor PKIs that grew organically.
NIST's post-quantum standards are final: ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) were published in August 2024, with HQC (selected in March 2025 as a second key-encapsulation mechanism) and FN-DSA (Falcon, slated for FIPS 206) still working through standardisation. The harvest-now-decrypt-later risk applies today: any traffic or stored data whose confidentiality rests on classical public-key key exchange or encryption (RSA, ECDH) and must stay secret for years (banking customer data, government communications, healthcare records) can be captured now and decrypted once a cryptographically relevant quantum computer exists. The exposure sits in the public-key layer; AES-256 and SHA-2/SHA-3 are not at comparable risk.
Our PQC workstream is pragmatic: cryptographic inventory mapped to data confidentiality lifetime, identification of high-priority systems for hybrid classical/PQ migration (TLS 1.3 hybrid key exchange, code-signing migration to ML-DSA, long-term archive re-encryption), vendor readiness review of your HSM and PKI suppliers, and a phased 36-month roadmap aligned to NIST migration guidance (draft NIST IR 8547 proposes deprecating 112-bit-security classical public-key algorithms after 2030 and disallowing them after 2035) and to the BNM RMiT 10.x cryptographic controls.
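The inventory-to-policy step in the discovery block and the confidentiality-lifetime mapping in the PQC workstream are the same join: each inventory record is checked against the approved minima, and records protected by classical public-key cryptography are ranked by how long their data must stay secret relative to an assumed quantum horizon. The following is an added example of that evaluation, not the consultancy's tooling. The POLICY values, the 2035 horizon, the Record fields and the sample inventory are all assumptions; replace them with your own cryptographic policy and discovery output.

```python
"""Evaluate a cryptographic inventory against policy and rank PQ migration
priority by confidentiality lifetime. Added example; POLICY values and the
inventory are constructed assumptions, not BNM, NIST or customer data."""
from dataclasses import dataclass
from datetime import date

# Assumed policy minima (illustrative; take the real values from your approved
# cryptographic policy and the current NIST SP 800-57 / SP 800-131A tables).
POLICY = {
    "min_sym_bits": 256,
    "banned_sym_modes": {"ECB", "CBC"},      # policy requires an AEAD mode (GCM)
    "min_rsa_bits": 2048,
    "min_ec_bits": 256,
    "banned_protocols": {"SSLV3", "TLS1.0", "TLS1.1"},
    "max_rotation_days": 365,
    "approved_key_sources": {"HSM", "KMS"},
    "pq_horizon_year": 2035,  # assumed year by which classical public-key must be retired
}
TODAY = date(2026, 3, 1)      # fixed "today" so the report is reproducible


@dataclass(frozen=True)
class Record:
    system: str
    data_class: str             # e.g. "customer-pii"
    purpose: str                # "encrypt", "key_exchange" or "sign"
    algorithm: str              # "AES-128-CBC", "RSA-2048", "ECDH-P256", "TLS1.0", ...
    key_source: str             # "HSM", "KMS", "self-signed", "hardcoded"
    last_rotated: date
    confidentiality_years: int  # how long the protected data must stay secret


def parse_algorithm(alg: str):
    """'AES-128-CBC' -> ('AES', 128, 'CBC'); 'ECDH-P256' -> ('ECDH', 256, None)."""
    parts = alg.upper().split("-")
    family, bits, mode = parts[0], None, None
    for p in parts[1:]:
        if p.isdigit():
            bits = int(p)
        elif p.startswith("P") and p[1:].isdigit():   # NIST curve names P256/P384
            bits = int(p[1:])
    if family == "AES" and len(parts) == 3:
        mode = parts[2]
    return family, bits, mode


def pq_priority(rec: Record, today: date, policy=POLICY):
    """Harvest-now-decrypt-later test: classical public-key encryption or key
    exchange guarding data that must stay secret past the horizon is the first
    migration target. Signatures only need to stay verifiable, so they rank lower."""
    family, _, _ = parse_algorithm(rec.algorithm)
    if family not in {"RSA", "ECDH", "ECDSA", "DH"}:
        return None
    secret_until = today.year + rec.confidentiality_years
    if secret_until <= policy["pq_horizon_year"]:
        return None
    if rec.purpose in ("encrypt", "key_exchange"):
        return ("HIGH", f"PQ: {rec.algorithm} guards data confidential until "
                        f"{secret_until}; schedule hybrid ML-KEM key exchange")
    return ("MEDIUM", f"PQ: {rec.algorithm} signatures must verify until "
                      f"{secret_until}; plan ML-DSA migration")


def evaluate(rec: Record, today: date, policy=POLICY):
    """Return (severity, finding) tuples for one inventory record."""
    findings = []
    family, bits, mode = parse_algorithm(rec.algorithm)
    if rec.algorithm.upper() in policy["banned_protocols"]:
        findings.append(("HIGH", f"deprecated protocol {rec.algorithm} still enabled"))
    if family == "AES":
        if bits is not None and bits < policy["min_sym_bits"]:
            findings.append(("MEDIUM", f"{rec.algorithm}: below {policy['min_sym_bits']}-bit minimum"))
        if mode in policy["banned_sym_modes"]:
            findings.append(("HIGH", f"{rec.algorithm}: unauthenticated mode {mode}"))
    elif family == "RSA" and bits is not None and bits < policy["min_rsa_bits"]:
        findings.append(("HIGH", f"{rec.algorithm}: below {policy['min_rsa_bits']}-bit minimum"))
    elif family in ("ECDSA", "ECDH") and bits is not None and bits < policy["min_ec_bits"]:
        findings.append(("HIGH", f"{rec.algorithm}: below {policy['min_ec_bits']}-bit curve"))
    if rec.key_source not in policy["approved_key_sources"]:
        findings.append(("HIGH", f"key source '{rec.key_source}' is outside HSM/KMS control"))
    age_days = (today - rec.last_rotated).days
    if age_days > policy["max_rotation_days"]:
        findings.append(("MEDIUM", f"last rotated {age_days} days ago; cadence is {policy['max_rotation_days']} days"))
    pq = pq_priority(rec, today, policy)
    if pq:
        findings.append(pq)
    return findings


def run(inventory, today: date, policy=POLICY):
    """Map system name -> findings so the report joins back to the inventory."""
    return {rec.system: evaluate(rec, today, policy) for rec in inventory}


# Constructed sample inventory (not real customer data).
INVENTORY = [
    Record("core-banking-db", "customer-pii", "encrypt", "AES-128-CBC", "hardcoded", date(2021, 3, 1), 10),
    Record("payments-gateway", "card-data", "encrypt", "AES-256-GCM", "HSM", date(2025, 9, 1), 7),
    Record("internet-banking-tls", "customer-pii", "key_exchange", "ECDH-P256", "KMS", date(2026, 1, 15), 10),
    Record("mobile-app-signing", "code", "sign", "RSA-2048", "HSM", date(2024, 6, 1), 3),
    Record("legacy-branch-portal", "internal", "key_exchange", "TLS1.0", "self-signed", date(2019, 1, 1), 1),
]

if __name__ == "__main__":
    for system, findings in run(INVENTORY, TODAY).items():
        print(system, "-> clean" if not findings else "")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Two design points matter in practice. The PQ check keys off the data's confidentiality lifetime rather than the algorithm alone, which is why the internet-banking key exchange (ECDH guarding ten-year customer data) ranks above the code-signing RSA key (three-year verifiability): the former is a harvest-now-decrypt-later exposure, the latter is not yet. And the key-source check treats "hardcoded" and "self-signed" as findings regardless of algorithm strength, because a correct algorithm with a key that never passed through the HSM or KMS is exactly the case an examiner asks about.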
BNM's Risk Management in Technology Policy Document, paragraph 10 series, sets specific expectations on cryptographic controls for licensed financial institutions: documented cryptographic policy, key management lifecycle, cryptographic inventory, algorithm and key-length minima, and incident-response procedures for suspected key compromise. Our advisory deliverable maps every recommendation to the relevant RMiT clause; the report drops directly into your BNM RMiT compliance evidence file. We also align to PCI DSS v4.0 requirement 3 (protect stored account data) and ISO/IEC 27001:2022 Annex A.8.24 (use of cryptography).
Owning HSMs and operating them well are different things. Most Malaysian banks we engage have HSMs deployed and certified to FIPS 140-2 or FIPS 140-3; the surrounding key lifecycle, however, is improvised. Key-ceremony quorums have drifted, custodianship lists are out of date, key-rotation schedules exist on paper but not in JIRA, the KMIP integration to the application layer leaks key material into application logs, and there is no formal cryptographic inventory linking each key to the data it protects. Our advisory work is the operational layer above the device: it makes the HSM investment defensible at audit and at examination.
An ISO 27001 cryptography control review (Annex A.10 in the 2013 edition, A.8.24 in 2022) checks that documented controls exist and that evidence is filed; it is a paper-and-process audit. A cryptography advisory engagement is a deep technical review of the actual implementation: which algorithms and key sizes are deployed where, how keys move between systems, what the dual-control and split-knowledge implementations look like, where post-quantum migration risk lives, and whether the key-management server is correctly hardened. The two are complementary; we frequently sit alongside an ISMS ISO 27001 consultancy programme.
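"Key-ceremony quorums" and "dual-control and split-knowledge implementations" above refer to the same mechanism: no single custodian ever holds a usable key, and a defined M of N custodians must be present to reconstitute it. The following is an added example of the arithmetic behind an M-of-N quorum (Shamir secret sharing over a prime field), not the consultancy's or any HSM vendor's code. Production HSMs perform this inside the device (for example Luna PED M-of-N or nShield card sets) and the master key never exists whole on a general-purpose host; the check_value function uses a truncated SHA-256 as a stand-in for the AES/3DES key check value that payment HSMs print, an assumption made to keep the example standard-library only.

```python
"""M-of-N split knowledge for a key-ceremony quorum via Shamir secret sharing.
Added illustration only: real ceremonies run this inside the HSM, and the
check value here is a SHA-256 stand-in for a payment-HSM KCV."""
import hashlib
import secrets

# 2^521 - 1 is prime, so any key of up to 512 bits is a valid field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, custodians: int):
    """Issue one (index, component) pair per custodian.

    Any `threshold` components reconstruct the secret; fewer reveal nothing
    about it. threshold >= 2 is what enforces dual control."""
    if not 2 <= threshold <= custodians:
        raise ValueError("need 2 <= threshold <= custodians")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, custodians + 1)]


def _interpolate_at_zero(components):
    """Lagrange interpolation of the shared polynomial at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(components):
        num = den = 1
        for j, (xj, _) in enumerate(components):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def combine_components(components, secret_len: int) -> bytes:
    """Rebuild the secret from at least `threshold` distinct components."""
    if len({x for x, _ in components}) != len(components):
        raise ValueError("duplicate custodian index")
    return _interpolate_at_zero(components).to_bytes(secret_len, "big")


def check_value(secret: bytes) -> str:
    """Public fingerprint custodians compare after a ceremony to confirm the
    same key was loaded, without revealing the key. Truncated SHA-256 here;
    payment HSMs use an AES/3DES key check value (KCV)."""
    return hashlib.sha256(secret).hexdigest()[:6]


def ceremony_demo(secret: bytes, threshold: int = 3, custodians: int = 5):
    """Split 3-of-5, rebuild from two different quorums, and show that one
    custodian short of quorum does not recover the key.
    Returns (quorum_a_ok, quorum_b_ok, short_of_quorum_recovers_key)."""
    comps = split_secret(secret, threshold, custodians)
    kcv = check_value(secret)
    a = combine_components([comps[0], comps[2], comps[4]], len(secret))
    b = combine_components([comps[1], comps[3], comps[4]], len(secret))
    short = _interpolate_at_zero(comps[:threshold - 1])
    return (check_value(a) == kcv, check_value(b) == kcv,
            short == int.from_bytes(secret, "big"))


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed 256-bit master key
    print("quorum A ok, quorum B ok, 2-of-5 recovers key:", ceremony_demo(key))
```

The audit-relevant property is the third return value: two of five custodians learn nothing, which is what distinguishes a real quorum from a shared password split into halves. When reviewing a ceremony, check that the device enforces the threshold (not a runbook), that custodian indices map to named, current people, and that the recorded check value matches what the HSM reports after load.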
No. We have delivery experience across Thales Luna and DPoD, Entrust nShield, Utimaco, AWS CloudHSM, Azure Dedicated HSM and Google Cloud HSM. Selection is driven by your application-stack integration profile, on-prem vs cloud strategy, regulatory scope and total cost of ownership over a 5-year horizon — not by vendor incentives. We will run a 2-week vendor shoot-out as part of scoping if requested.
Post-quantum cryptography (PQC) is the family of algorithms believed to remain secure against attack by future cryptanalytically-relevant quantum computers. NIST published the first PQC standards (ML-KEM, ML-DSA, SLH-DSA) in 2024 and is finalising additional candidates. The risk is ‘harvest now, decrypt later’ — adversaries are believed to be capturing encrypted traffic today against the day quantum decryption becomes feasible. For high-value, long-confidentiality data (banking secrets, medical records, government communications), inventorying your cryptographic estate and planning the migration path now is the prudent action. We do not yet recommend wholesale migration of production systems but we strongly recommend the inventory and the roadmap.
A full engagement is typically 6-10 weeks, structured in three blocks: discovery and cryptographic inventory (2-3 weeks), gap analysis and target-state design (2-3 weeks), and roadmap with vendor recommendation and 12-month execution plan (2-4 weeks). Pricing for a mid-sized Malaysian bank typically lands in the RM 120,000 to RM 280,000 band, depending on application-stack breadth and whether HSM vendor selection is in scope. We can also deliver a focused 2-week posture review for a fixed RM 45,000 to RM 60,000.
Discovery calls take 30 minutes. Cryptographic inventory delivered within 3 weeks of engagement start. Full advisory engagement 6-10 weeks.