Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘KMIP’

The CIA and the Encrypted Enterprise

Friday, October 29th, 2010

The international horse show wasn’t the only event in Washington DC this week; I participated in the Virtualization, Cloud, and Green Computing event in our nation’s capital. One of the guest speakers was Ira “Gus” Hunt, CTO at the CIA. If you haven’t seen Gus speak, you are missing something. He is very strong on the technical side and extremely energetic and entertaining.

Gus focused on cloud computing activities at the CIA (I’ll blog about this soon), but I was intrigued by one of his slide bullets that referred to something he called the “encrypted enterprise.” From the CIA’s perspective, all data is sensitive whether it resides on an enterprise disk system, lives in a database column, crosses an Ethernet switch, or gets backed up on a USB drive. Because of this, Hunt wants to create an “encrypted enterprise” where data is encrypted at all layers of the technology stack.

The CIA is ahead here, but ESG hears a similar goal from lots of other highly regulated firms. When will this happen? Unfortunately, it may take a few years to weave this together as there are several hurdles to overcome including:

  1. An encryption architecture. Before organizations encrypt all their data, they have to understand where the data needs to be decrypted. For example, remote office data could be encrypted when it is sent to the corporate data center, but it needs to be decrypted before it can be processed for large batch jobs like daily sales and inventory updates. There is a balancing act between data security and business processes here demanding a distributed, intelligent encryption architecture that maps encryption/decryption with business and IT workflow.
  2. Key management. Most encryption products come with their own integrated key management system. Many of these aren’t very sophisticated and an enterprise with hundreds of key management systems can’t scale. What’s needed is a distributed secure key management service across the network. Think of something that looks and behaves like DNS with security built in from the start. The Key Management Interoperability Protocol (KMIP) effort may get us there in the future as it is supported by a who’s who of technology vendors including EMC/RSA, HP, IBM, and Symantec, but it is just getting started.
  3. Technical experience. How should I encrypt my sensitive Oracle database? I could use Oracle tools to encrypt database columns. I could encrypt an entire file system using Windows EFS or tools from vendors like PGP. I could buy an encrypting disk array from IBM, or I could combine EMC PowerPath software with Emulex encrypting host bus adapters (HBAs). Which is best? It depends on performance needs, hardware resources, and financial concerns like asset amortization. Since there is no “one-size-fits-all” solution here, the entire enterprise market is learning on the fly.

A lot of the technical limitations are being worked on at this point, so the biggest impediment may be based upon people and not technology. We simply don’t have a lot of experience here, so we need to proceed with research, thought, and caution. To get to Gus Hunt’s vision of the “encrypted enterprise,” we need things like reference architectures, best practices, and maturity models as soon as possible. Look for service providers like CSC, HP, IBM, and SAIC to offer “encrypted enterprise” services within the next 24 months.

IBM: An Encryption Key Management Leader

Thursday, September 9th, 2010

While many folks were sunning themselves at the beach this past summer, IBM introduced some pretty important security technology: the Tivoli Key Lifecycle Manager (TKLS). Basically, the TKLS products are designed to create, manage, secure, and store encryption keys as a service.

What’s so special about this? First, key management is one of those IT security disciplines that will go from relatively esoteric to an enterprise requirement in the next year or so. Why? More and more data is being encrypted each day, so key management is becoming increasingly important. Stolen encryption keys could compromise the confidentiality of sensitive data while lost encryption keys could transform critical data into meaningless ones and zeros. Pretty soon, all large enterprises will have something resembling TKLS.

As far as IBM TKLS goes, it looks good to me because:

  1. It is one of the first products built with the KMIP standard. The OASIS Key Management Interoperability Protocol (KMIP) is at the heart of TKLS. IBM has already tested TKLS interoperability with key management products from HP, RSA, and SafeNet. This gives distributed organizations the ability to create a federated key management architecture without mandating one vendor technology or another.
  2. IBM took an architectural approach. Yes, TKLS is mainly linked to storage encryption today, but the product is built with other encryption in mind (laptops, file systems, databases, applications, etc.). By offering TKLS support on System z, IBM will gain a beach head at large organizations that will then build a TKLS architecture from the data center to the distributed network.
  3. TKLS is a comprehensive solution. Many key management systems are built for symmetric key management alone. Alternatively, TKLS is designed for management of symmetric and asymmetric keys as well as digital certificates. Again, enterprises will appreciate this more complete solution.

In general, neither key management nor TKLS will get much visibility or industry recognition — key management is just a bit too geeky for most IT folks. Nevertheless, next-generation cloud computing will depend upon ubiquitous trust and data security. IBM gets this more than most. Think of TKLS as part of its security plumbing for a smarter planet.

Symantec Moving to Define an Encryption Architecture

Thursday, April 29th, 2010

Today, Symantec announced that it is acquiring two encryption companies: GuardianEdge and PGP. Some will see this as a late counter-punch to Check Point’s acquisition of PointSec, McAfee’s acquisition of SafeBoot, and Sophos’s acquisition of Utimaco. In other words, Symantec is finally getting in the full-disk encryption game, primarily on laptops.

Wrong interpretation. Symantec does get endpoint encryption technology, but there is a lot more here than meets the eye. In my humble opinion, Symantec also gets:

  1. A killer install base. Between the two companies, Symantec gets a foothold in the enterprise and midmarket across the globe. Symantec also bolsters its federal government business, where encryption is a very big deal.
  2. Encryption beyond PCs. Check Point, McAfee, and Sophos bought good companies, but the focus in all cases is on endpoints–PCs, mobile devices, USB keys, etc. Symantec gets this, but also gains encryption technology for file systems, e-mail, mainframes, etc. This gives Symantec a leg up.
  3. A leading key management platform. A wise man once said, “encryption is easy, key management is hard.” PGP recognized this and built a great key management platform to manage encryption keys for mobile devices, PCs, e-mail, mainframes, etc. Symantec also gets a seat at the KMIP and IEEE encryption standards table.
  4. An encryption and key management play. In discussing these deals, I haven’t seen anyone mention the added value Symantec gets from PGP’s recent acquisitions of TC Trust Center and Chosen Security. Symantec gets a root CA capable of offering PKI as a service. This gives a tremendous opportunity. Symantec can become an identity broker in the cloud for enterprise authentication, B2B trust, consumer identity protection, etc. Imagine what Symantec can do if it ships every copy of endpoint security software with an X.509 certificate. In my mind, this opens up a whole host of possibilities.

In the next few years, large organizations will realize that encryption technologies have become ubiquitous across the enterprise with no central management. This could be a real problem for data restoration, especially in a disaster recovery situation. At that point, they will look for partners to bring order, processes, and central control to this chaos. As of today, Symantec is extremely well positioned for this burgeoning–and extremely critical–market opportunity.

CA Enters Encryption Key Management Market

Wednesday, November 11th, 2009

CA entered the key management market this week, joining others such as HP, IBM, EMC/RSA, PGP, and Thales. CA’s announcement was relatively quiet, but it is still significant because:

  1. CA joins the KMIP initiative. CA becomes another leading technology vendor to join the Key Management Interoperability Protocol (KMIP) group within OASIS. The group hopes to have a specification ratified soon and working product next year. CA’s engineers will focus on application key management as part of a holistic key management architecture.
  2. CA anchors key management to System z. While many vendors have key management appliances, the bulk of the market activity I see remains on the mainframe. CA will support IBM’s TS1120 and 1130 tape drives, interoperate with RACF, TopSecret, and ACF2, and all the mainframe storage facilities as well. Finally, CA key management is part of its “Mainframe 2.0” initiative to simplify and modernize mainframe operations.
  3. CA understands the link between key management and identity. Many key management leaders are focused on storage alone, while others only care about PKI. CA is one of the few vendors to play in both the infrastructure and identity side of IT. Yes, the obvious link here is PKI, but the combination of encryption, key management, and identity could also be used for entitlement management and data security. For example, a contractor may have rights to a data file for a limited period of time only before the encryption key expires.
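The posts above keep returning to the same three properties of a central key management service: keys are issued from one place rather than from hundreds of product-specific stores, a lost or destroyed key makes data unrecoverable while a stolen one has to be flagged, and a key can carry an expiry so that a contractor’s access ends on its own. The following Python sketch is an added illustration, not code from ESG, IBM, CA or the KMIP specification. It models the object states KMIP defines (Pre-Active, Active, Deactivated, Compromised, Destroyed) in a small in-memory service; the transition table, the `KeyService` API, and the injected clock are simplifications chosen for this example.

```python
"""Toy key-lifecycle service modelled on the KMIP object-state machine.

Added example (not from ESG, IBM, CA or the KMIP spec). Key material is
handed out only while the key is Active, a time-boxed activation expires
on its own, a compromised key is flagged rather than reused, and every
decision is written to a per-key audit trail. The clock is injected so
the behaviour is deterministic and testable offline.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple
import secrets


class State(Enum):
    PRE_ACTIVE = "Pre-Active"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"
    DESTROYED = "Destroyed"


# Permitted transitions: a simplified subset of the KMIP lifecycle (assumption).
_ALLOWED = {
    State.PRE_ACTIVE: {State.ACTIVE, State.COMPROMISED, State.DESTROYED},
    State.ACTIVE: {State.DEACTIVATED, State.COMPROMISED},
    State.DEACTIVATED: {State.COMPROMISED, State.DESTROYED},
    State.COMPROMISED: {State.DESTROYED},
    State.DESTROYED: set(),
}


@dataclass
class ManagedKey:
    uid: str
    material: Optional[bytes]
    state: State = State.PRE_ACTIVE
    activation: Optional[int] = None    # epoch seconds
    deactivation: Optional[int] = None  # epoch seconds; None means no expiry
    audit: List[Tuple[int, str]] = field(default_factory=list)


class KeyService:
    def __init__(self, clock):
        self._clock = clock  # callable returning epoch seconds
        self._keys: Dict[str, ManagedKey] = {}

    def create(self, length_bits: int = 256) -> str:
        uid = secrets.token_hex(8)
        self._keys[uid] = ManagedKey(uid, secrets.token_bytes(length_bits // 8))
        self._log(uid, "create")
        return uid

    def activate(self, uid: str, lifetime_seconds: Optional[int] = None) -> None:
        k = self._keys[uid]
        self._transition(uid, State.ACTIVE)
        k.activation = self._clock()
        if lifetime_seconds is not None:
            k.deactivation = k.activation + lifetime_seconds

    def revoke(self, uid: str, compromised: bool = False) -> None:
        self._transition(uid, State.COMPROMISED if compromised else State.DEACTIVATED)

    def destroy(self, uid: str) -> None:
        self._transition(uid, State.DESTROYED)
        self._keys[uid].material = None  # anything encrypted under it is now unrecoverable

    def get(self, uid: str) -> bytes:
        """Return key material only while the key is Active; deny and log otherwise."""
        k = self._keys[uid]
        self._expire_if_due(k)
        if k.state is not State.ACTIVE:
            self._log(uid, f"get denied ({k.state.value})")
            raise PermissionError(f"{uid} is {k.state.value}, not Active")
        self._log(uid, "get")
        return k.material

    def state(self, uid: str) -> State:
        return self._keys[uid].state

    def audit(self, uid: str) -> List[Tuple[int, str]]:
        return list(self._keys[uid].audit)

    def _expire_if_due(self, k: ManagedKey) -> None:
        if k.state is State.ACTIVE and k.deactivation is not None \
                and self._clock() >= k.deactivation:
            self._transition(k.uid, State.DEACTIVATED)

    def _transition(self, uid: str, new: State) -> None:
        k = self._keys[uid]
        if new not in _ALLOWED[k.state]:
            raise ValueError(f"{uid}: illegal transition {k.state.value} -> {new.value}")
        k.state = new
        self._log(uid, new.value)

    def _log(self, uid: str, event: str) -> None:
        self._keys[uid].audit.append((self._clock(), event))


def demo():
    """Contractor scenario: a key activated for one hour stops being served afterwards."""
    now = [1_000]  # constructed clock value
    svc = KeyService(clock=lambda: now[0])
    uid = svc.create()
    svc.activate(uid, lifetime_seconds=3600)
    svc.get(uid)          # served while Active
    now[0] += 3601        # grant period has passed
    try:
        svc.get(uid)      # now denied and logged
    except PermissionError:
        pass
    return svc, uid


if __name__ == "__main__":
    service, key_id = demo()
    for ts, event in service.audit(key_id):
        print(ts, key_id, event)
```

The point the posts make about scale is visible in the shape of the code: the policy (who may fetch which key, until when, and what happens on compromise) lives in one place, so adding another encrypting product means registering its keys with the service rather than learning yet another built-in key store.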

With its focus on the mainframe, CA didn’t get much attention with this announcement, but large enterprises — especially in financial services, defense, law enforcement, and intelligence — will recognize the value here right away.

In the meantime, this announcement also helps the rest of us who care about the confidentiality, integrity, and availability of our data.

© 2011 Enterprise Strategy Group, Milford, MA 01757