Encryption is not only increasingly desirable, it is often mandatory. But while encryption is proliferating, the means for tracking and managing the keys that make encryption schemes workable have not kept up. Companies typically start encrypting with tasks such as tape backups, said Jon Oltsik, an analyst at Enterprise Strategy Group. Initially, they may have only a handful of encryption keys to worry about. But when organizations get more sophisticated and start to encrypt individual disk drives and tapes, the task can become daunting. "At that point, most users start to look for a central management system because the thought of managing all those keys is too much," he said.
But to date there have been few good options for encryption key management. Oltsik said the companies he tracks, which include many of the largest storage vendors as well as security vendors, currently tend to offer key management products tightly linked to a particular set of storage products. For instance, Hewlett-Packard (HP) Co. offers its HP StorageWorks Secure Key Manager, and NetApp markets the NetApp Lifetime Key Management system. As a consequence, organizations using encryption have suffered from a lack of interoperability among encryption and key management systems. The underlying issue has been getting agreement across the industry on how to manage keys, and achieving buy-in on standards from enough vendors to make extensive automation of the process feasible.
IEEE P1619-3 key management standard under development
Fortunately, that capability may be on the near horizon. "One of the primary efforts in this area was IEEE P1619-3, which is a storage-centric key management standard still under development," said Oltsik. However, Oltsik said that because the IEEE effort has not evolved very rapidly, a group of industry players including Brocade, Cisco Systems Inc., EMC Corp., HP, IBM Corp., LSI Corp., NetApp, Seagate Technology and Thales e-Security got to work on putting something in place quickly. The result is called the Key Management Interoperability Protocol (KMIP).
An initiative of the OASIS open-standards consortium, the Key Management Interoperability Protocol is envisioned as a way to provide interoperability between key management services by standardizing communication between key management servers and the encryption systems that use keys. KMIP contributes to this by defining a low-level protocol that can form the basis of an enterprise-wide key management system. According to OASIS, KMIP "establishes a single, comprehensive protocol for communication between enterprise key management servers and cryptographic clients." This provides a protocol that can be used "by any cryptographic client, ranging from a simple automated electric meter to very complex disk-arrays." For users, this means enterprise key management servers and cryptographic clients should be able to communicate via a single protocol, reducing complexity and costs while improving control and security.
Kevin Bocek, director of product marketing at Thales e-Security and a member of the KMIP technical committee, said the whole development process has been "very user driven."
"When the original companies got together for this it was clear that there was a need for a standard that would work across infrastructures, servers and customer applications that needed to use encryption," he said. In February, the committee delivered to OASIS a complete specification of the binary protocol. Since then, OASIS has formed a committee to evaluate the protocol, field comments and make any needed changes. For instance, said Bocek, one area of focus for the committee is ensuring that the standard will work well with 64-bit systems while also functioning with older, legacy systems.
In the past, said Bocek, vendors or customers had to do the integration between encryption applications themselves, a task that will now be largely eliminated. Furthermore, solutions were generally single-vendor-focused and tended to require a wholesale "rip-and-replace" approach. By contrast, "KMIP is intended to be lightweight and easy to implement," he added, and will eliminate most of the headaches of encryption management.
But when? Bocek said the internal OASIS processes will continue through late in the year and should yield a final standard that commercial products will probably begin to reference in 2010.
In the meantime, however, there's still a lot that companies can do to improve key management. Guy Snyder, program manager at ICSA, an independent division of Verizon Business that sets standards for information security products, said, "The fundamental problem has been that companies start out putting in a little bit of key management capability when they feel they really need to do something but they don't go any further because most of their spending ends up going to hardware and applications." The exceptions have been companies in the payment card industry and other organizations facing regulatory oversight.
Snyder said best practices guidelines published by the National Institute of Standards and Technology, primarily for the benefit of the government, are a good starting place for developing internal best practices. "Their publication 800-21 provides a good overview of cryptography in general and includes a very readable section on key management," said Snyder.
Snyder said that, ultimately, every company needs to have its own policies on encryption and key management. And until KMIP becomes established, he noted, the safest bet is to stay with one encryption management vendor if possible. "Within that environment, the biggest thing to focus on is backing up the encryption keys," he added.
However, warns ESG's Oltsik, the management of keys should always be done by a very tightly controlled group, preferably within the security organization. Above all, it needs to be user-friendly. "The key management needs to be secure but also transparent because if an IT administrator needs to take time to track someone down to get the key needed to restore some data, that won't help anyone."

About this author: Alan Earls is a Boston-area freelance writer focused on business and technology, particularly data storage.