HP, IBM, EMC propose encryption key management standard

A key management interoperability protocol drafted by four major IT vendors, including HP, IBM and EMC, will take its first step toward becoming an industry-wide standard today.

Hewlett-Packard (HP) Co., IBM Corp., EMC Corp./RSA Security and Thales Group led a coalition of vendors that submitted a standard for interoperability between key management systems and encryption devices to the Organization for the Advancement of Structured Information Standards (OASIS).

The spec is called the Key Management Interoperability Protocol (KMIP), and the collaborating vendors would like to see it become an industry-wide standard by the end of this year. If adopted, KMIP would mean users could attach almost any encrypting device to one preferred key management system, regardless of the vendors involved. Brocade Communications Systems Inc., LSI Corp. and Seagate Technology Inc. are also in the KMIP group.

The project to draft the spec began in late 2007, and the spec includes more than 100 pages of instructions that would standardize how disk drives, tape drives, laptops, mobile devices, network switches and applications request encryption keys from key management applications.

Although encryption algorithms such as AES 256 are already standardized, individual devices request keys from key management systems in different ways. That means some IT shops must maintain multiple systems for encryption on different devices. "In a tough economic environment, customers are very cost constrained, but they still have regulatory requirements to meet," said Mark Schiller, director of the Security Program Office for HP Secure Advantage. "Encryption across the enterprise today takes extra manual effort."

This isn't the first specification proposed for key management. The Institute of Electrical and Electronics Engineers (IEEE) approved a standard in January 2008 for managing encryption on storage devices. But Jon Oltsik, a senior analyst at Milford, Mass.-based Enterprise Strategy Group, said KMIP focuses on a wider variety of devices and imposes clearer rules on methods of key management communication than other standards.

"This is a superset of any standards activities that have already been in place, [and] recognizes the limitations of other standards," Oltsik said.

The problem of administering multiple data security systems is mostly limited to the high end of the market today, but Oltsik said that the problem will become more widespread as new technologies, such as LTO-4 tape drives with built-in encryption, gain acceptance.

A proposed standard is never a guarantee that anything viable will see the light of day, but Oltsik said the players involved will command a strong following for KMIP. "They are going to dominate the way this is done," he said. "Particularly in the storage world, I don't see anyone not going along with this."
