The evolving key management standard is gaining traction in the cloud as a way to ensure security across varied infrastructures.
The need to protect data at rest is expanding the use of encryption for storage systems, and the movement of data to the cloud is pointing up the need for a standardized way to manage encryption keys across diverse infrastructures.
The Key Management Interoperability Protocol is emerging as the standard for this job, with vendors beginning to incorporate KMIP in their products and customers making plans to use it. In a recent survey by Thales e-Security, 27 percent of organizations surveyed (11 percent of which were government organizations) said the standard is important for data storage now, and 33 percent expect to be using it in the next 12 months. Cloud-based applications and storage are the primary drivers for its adoption.
The only get-out-of-jail card you have is if the data is encrypted.
-- Richard Moulds, Thales eSecurity
Cryptography is becoming a commodity, said Richard Moulds, vice president of product strategy for Thales, a corporate member of the technical committee that developed the protocols. But while encryption becomes easier, the essential job of managing the keys that encrypt and decrypt data across an enterprise remains a challenge.
“Encryption 10 years ago was all about the Internet,” Moulds said. “Now it’s all about data at rest,” because that’s where breaches are exposing personal and other extensive data in wholesale volumes. Government and industry regulations mandate encryption of this data, and most states require disclosure of breaches that expose personally identifiable information. “The only get-out-of-jail card you have is if the data is encrypted. So the encryption of data at rest has taken off.”
But as with many technologies, it often is adopted in silos with different parts of the enterprise deploying their own solutions that do not talk to each other. The need for interoperability to enable use of this data spurred development of KMIP by OASIS (Advancing Open Standards for the Information Society) in 2009.
Version 1.1 of the KMIP protocols and profiles were adopted as an OASIS standard in February, and 14 companies participated in a “plugfest” at the RSA conference that same month, demonstrating interoperable communication between key management servers and clients using KMIP.
KMIP defines a low-level protocol used for request and delivery of keys between any key management server and encryption system, using standard formats for naming keys and identifying their attributes. Attributes can be policies defining the use of keys and are passed along with them. Use profiles included in the standard define what authentication must be used in requesting keys to ensure confidentiality and integrity. KMIP is available without royalty from OASIS.
By abstracting the task of managing keys from the applications that use them, the standard allows keys to be managed within the enterprise for data and applications encrypted in the cloud, and with products from different vendors.
“It isn’t a pile of new intellectual property,” Moulds said of KMIP. “It’s a standard way of doing things. This requires a common set of definitions, naming and syntax,” so that different products can use the same language. It is a complex protocol because of all of the variables, “but it’s not a particularly technological problem,” he said.
Although OASIS says the standard addresses a broader scope of uses than other industry standards, KMIP still is maturing and to date it is being incorporated primarily in storage products, Moulds said. But it is beginning to be referenced in RFIs for new technology such as smart electric meters in the power industry, where it could be used to future-proof the security of widely distributed systems that are intended to remain in place for decades.
NEXT STORY: Ranking the world's best big data supercomputers