Managing the Keys to the Kingdom
by Eric Hibbard on Sep 29, 2010
As data privacy and confidentiality requirements continue to increase, more and more organizations are turning to, or considering the use of, encryption in conjunction with storage. This has been especially true for tape-based storage, but an increasing number of sites are also looking to disk-based encryption for basic protections. Implied in all but the simplest of these implementations is the need for some level of key management, which ISO defines as the “administration and use of generation, registration, certification, deregistration, distribution, installation, storage, archiving, revocation, derivation and destruction of keying material in accordance with a security policy.” It is often argued that key management is the most complex element of an at-rest encryption solution.
Key management is not a new concept, but it is difficult to implement correctly. At a conceptual level, the multi-part ISO standard ISO/IEC 11770 “Information technology — Security techniques — Key management” and the multi-part NIST Special Publication 800-57 “Recommendation for Key Management” provide important guidance on key management. These standards focus on what to do, but they don’t address the how component (such as the wire protocol between an encrypting device and a key manager). As a result, many existing key management products rely on proprietary mechanisms and protocols, which in turn means that each encryption product (a client of the key management product) has to implement one or more of these proprietary protocols, and that a site with several vendors’ encrypting devices may end up running several key managers.
Both the IETF Provisioning of Symmetric Keys (keyprov) and the OASIS Enterprise Key Management Infrastructure (EKMI) activities were expected to relieve this situation. As time passed and these specifications grew more complex, other organizations like the Trusted Computing Group and the IEEE Security in Storage Work Group entered the key management space with an eye to developing more narrowly scoped key management protocol specifications for just storage technologies. In 2009, yet another organization, the OASIS Key Management Interoperability Protocol (KMIP) Technical Committee, entered the scene and further disturbed the key management waters.
Fast-forward about 18 months and we find OASIS putting the finishing touches on, and approving, the KMIP documents, which include a protocol specification, use cases, and interoperability profiles. Probably more telling is that the major key management vendors are all busy with their KMIP implementations, including interoperability testing. In addition, several storage vendors have either implemented or announced support for KMIP in their storage products that employ some form of at-rest encryption. Hitachi’s position on KMIP is that it intends to use the protocol on Hitachi storage products that could benefit from the use of external key management solutions.
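The “how” that KMIP supplies is a binary Tag/Type/Length/Value (TTLV) message format carried over TLS between the encrypting device (client) and the key manager (server). As an added illustration, not code from this post, from Hitachi, or from the OASIS committee, the Python below encodes a KMIP 1.0 Create request for a 256-bit AES key and decodes it back into a tree, which is the exchange a KMIP-enabled tape or disk controller begins with when it asks an external key manager for a new data-encryption key. The tag and enumeration numbers are the ones I recall from the KMIP 1.0 tag and enumeration tables and should be checked against the specification before use; no server is contacted, the message is simply built and parsed in memory.

```python
"""Minimal KMIP TTLV encoder/decoder (added example, not Hitachi or OASIS code).

Every KMIP item is Tag (3 bytes), Type (1 byte), Length (4 bytes, big-endian),
then Value zero-padded to a multiple of 8 bytes. A Structure's value is the
concatenation of its child items. Tag and enumeration numbers below are as I
recall them from the KMIP 1.0 specification tables (assumption: verify them).
"""
import struct

# Item types (KMIP 1.0 item type codes)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08

TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C, "RequestPayload": 0x420079,
    "ObjectType": 0x420057, "TemplateAttribute": 0x420091,
    "Attribute": 0x420008, "AttributeName": 0x42000A, "AttributeValue": 0x42000B,
}
OP_CREATE = 0x01                              # Operation enumeration
OBJ_SYMMETRIC_KEY = 0x02                      # Object Type enumeration
ALG_AES = 0x03                                # Cryptographic Algorithm enumeration
USAGE_ENCRYPT, USAGE_DECRYPT = 0x04, 0x08     # Cryptographic Usage Mask bits


def _pad8(b):
    """Zero-pad a value to the next multiple of 8 bytes."""
    return b + b"\x00" * (-len(b) % 8)


def encode(tag, itype, value):
    """Encode one TTLV item. 'value' is an int, str, bytes, or a list of
    already-encoded child items when itype is STRUCTURE."""
    if itype == STRUCTURE:
        body = b"".join(value)
    elif itype == INTEGER:
        body = struct.pack(">i", value)       # 4-byte signed, padded to 8
    elif itype == ENUMERATION:
        body = struct.pack(">I", value)       # 4-byte unsigned, padded to 8
    elif itype == TEXT_STRING:
        body = value.encode("utf-8")
    elif itype == BYTE_STRING:
        body = bytes(value)
    else:
        raise ValueError("unsupported item type %#x" % itype)
    # Length field counts the unpadded value; the padding is not included.
    return (struct.pack(">I", tag)[1:] + bytes([itype])
            + struct.pack(">I", len(body)) + _pad8(body))


def decode(buf, offset=0):
    """Decode one TTLV item at 'offset'. Returns ((tag, type, value), next_offset);
    Structures decode recursively into a list of child items."""
    tag = int.from_bytes(buf[offset:offset + 3], "big")
    itype = buf[offset + 3]
    length = struct.unpack(">I", buf[offset + 4:offset + 8])[0]
    raw = buf[offset + 8:offset + 8 + length]
    if len(raw) != length:
        raise ValueError("truncated item at offset %d" % offset)
    if itype == STRUCTURE:
        value, pos = [], 0
        while pos < length:
            child, pos = decode(raw, pos)
            value.append(child)
    elif itype == INTEGER:
        value = struct.unpack(">i", raw)[0]
    elif itype == ENUMERATION:
        value = struct.unpack(">I", raw)[0]
    elif itype == TEXT_STRING:
        value = raw.decode("utf-8")
    elif itype == BYTE_STRING:
        value = raw
    else:
        raise ValueError("unsupported item type %#x" % itype)
    return (tag, itype, value), offset + 8 + length + (-length % 8)


def attribute(name, itype, value):
    """A KMIP Attribute structure: name string plus typed value."""
    return encode(TAG["Attribute"], STRUCTURE, [
        encode(TAG["AttributeName"], TEXT_STRING, name),
        encode(TAG["AttributeValue"], itype, value)])


def create_aes_key_request(bits=256):
    """Build a KMIP 1.0 Create request asking the server to generate an AES key."""
    header = encode(TAG["RequestHeader"], STRUCTURE, [
        encode(TAG["ProtocolVersion"], STRUCTURE, [
            encode(TAG["ProtocolVersionMajor"], INTEGER, 1),
            encode(TAG["ProtocolVersionMinor"], INTEGER, 0)]),
        encode(TAG["BatchCount"], INTEGER, 1)])
    payload = encode(TAG["RequestPayload"], STRUCTURE, [
        encode(TAG["ObjectType"], ENUMERATION, OBJ_SYMMETRIC_KEY),
        encode(TAG["TemplateAttribute"], STRUCTURE, [
            attribute("Cryptographic Algorithm", ENUMERATION, ALG_AES),
            attribute("Cryptographic Length", INTEGER, bits),
            attribute("Cryptographic Usage Mask", INTEGER, USAGE_ENCRYPT | USAGE_DECRYPT)])])
    item = encode(TAG["BatchItem"], STRUCTURE, [
        encode(TAG["Operation"], ENUMERATION, OP_CREATE), payload])
    return encode(TAG["RequestMessage"], STRUCTURE, [header, item])


def find(item, tag):
    """Depth-first search of a decoded tree for the first item carrying 'tag'."""
    t, itype, value = item
    if t == tag:
        return item
    if itype == STRUCTURE:
        for child in value:
            hit = find(child, tag)
            if hit is not None:
                return hit
    return None


if __name__ == "__main__":
    req = create_aes_key_request()
    tree, end = decode(req)
    print(len(req), "bytes; operation =", find(tree, TAG["Operation"])[2])
```

Two points are worth noting. First, the key material never appears in this request: the client asks the server to generate the key and gets back a Unique Identifier, which is what makes external key management attractive, since the storage device only holds a reference until it needs the key. Second, nothing in the TTLV encoding authenticates either party; KMIP relies on the TLS session with client certificates for that, so the key manager’s TLS configuration and the client certificate handling on the storage device are part of the security boundary and belong in the requirements alongside the protocol itself.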
Encryption and key management are popular topics with customers, but it’s not clear that this interest is translating into requirements (i.e., impacting purchase decisions). Do you require KMIP when defining your at-rest encryption requirements?