Home

Wikitip

Extending Enterprise Key Management to Storage

(Source http://xml.coverpages.org/ni2009-02-27-a.html)

Brocade, EMC/RSA, HP, IBM, LSI, NetApp, Seagate, and Thales e-Security launched an initiative with OASIS to address the requirements for interoperable key management features for enterprise storage.

KMIP (key management interoperability protocol) "establishes a single, comprehensive protocol for communication between enterprise key management servers and cryptographic clients. By defining a protocol that can be used by any cryptographic client, ranging from a simple automated electric meter to very complex disk-arrays, KMIP enables enterprise key management servers to communicate via a single protocol to all cryptographic clients supporting that protocol. Through vendor support of KMIP, an enterprise will be able to consolidate key management in a single enterprise key management system, reducing operational and infrastructure costs while strengthening operational controls and governance of security policy. KMIP addresses the critical need for a comprehensive key management protocol built into the information infrastructure, so that enterprises can deploy effective unified key management for all their encryption, certificate-based device authentication, digital signature, and other cryptographic capabilities."

Initial supporting entities for KMIP included Brocade, Cisco, EMC/RSA, HP, IBM, LSI, NetApp, Seagate, and Thales e-Security. Additional statements of support have been received (corporate or individual) from Algorithmic Research (Arx), Axway Software, BeCrypt, CipherOptics, Dajeil, Election Systems and Software, Emulex, Lexmark International, MIT, Mitre Corporation, NIST, Oracle, PayPal, PGP Corporation, Quantum, Red Hat, SafeNet, Skyworth TTG, Sun Microsystems, Symantec, US Department of Defense (DoD), Valicore, Venafi, Verisign, and others.

The OASIS KMIP Technical Committee "will develop specification(s) for the interoperability of key management services with key management clients. The specifications will address anticipated customer requirements for key lifecycle management (generation, refresh, distribution, tracking of use, life-cycle policies including states, archive, and destruction), key sharing, and long-term availability of cryptographic objects of all types (public/private keys and certificates, symmetric keys, and other forms of "shared secrets") and related areas."

The problem addressed by KMIP, according to the published FAQ document, is "primarily that of standardizing communication between encryption systems that need to consume keys and the key management systems that create and manage those keys. Being able to encrypt and retain access to data requires that encryption keys be generated and stored. To date, organizations deploying encryption have not been able to take advantage of interoperability across encryption and the key management systems. By defining a low-level protocol that can be used to request and deliver keys between any key manager and any encryption system, KMIP enables the industry to have any encryption system communicate with any key management system. Through this interoperability, companies will be able to deploy a single enterprise key management infrastructure to manage keys for all encryption systems in the enterprise that require symmetric keys, asymmetric keys pairs, certificates and other security objects..."

Planned deliverables from the OASIS KMIP TC include: (1) Revised KMIP Specification which defines the normative expression of the protocol, including objects, attributes, operations and other elements; (2) Updated KMIP Usage Guide which provides illustrative and explanatory information on implementing the protocol, including authentication profiles, implementation recommendations, conformance guidelines and security considerations; (3) Revised document for KMIP Use Cases and Test Cases which supplies sample use cases for KMIP, test cases for implementing those use cases, and examples of the protocol implementing those test cases; (4) Updated KMIP FAQ Document to provide guidance on what KMIP is, the problems it is intended to address, and other frequently asked questions.

View Another Wikitip

Featured Case Study

Financial giant goes green

The corporate IT group of a very large, worldwide financial organization with 100,000 employees, has initiated an ongoing “greening” process. This is focused largely on reducing energy use both to decrease the corporation's carbon footprint while creating a net savings in operational costs over the lifetime of new, more energy-efficient equipment, including new storage systems. This effort is not viewed by the IT administration as a one-time project but rather as a perpetual process of evaluating new technology in part on its energy efficiency and introducing it into the corporate data centers to replace aging systems as appropriate.

read more...

Featured How-To Note

Planning a Green Storage Initiative

Fluctuating energy prices have heightened electricity and energy consumption as a major issue within the technology community. IT is a significant consumer of energy and IT energy costs have been rising disproportionately because of continued investment in denser IT equipment. Estimates from the EPA and others indicate that IT will account for 3% of energy consumption by 2012. While technology changes have decreased footprint, power loading (amount of power required for a square foot of data center space) and heat load (the amount of heat that has to be removed from a square foot of data center space) have both escalated dramatically. The result is higher energy costs to provide power and extract heat from the data center, and lower utilization of data center floor space because of power and cooling limitations. The technology trends are toward higher heat and power loading, which will exacerbate the problem.

read more...