Will Joint Spec Help Secure Enterprise Data?

UPDATED: Encrypting enterprise data and applications promises to become easier soon, thanks to a joint specification for encryption “key management” that four major vendors in the field agreed to this week.

Key management refers to generating, exchanging, storing, safeguarding, using, vetting and replacing the cryptographic keys that provide access to encrypted files or data.

The four are IBM (NYSE: IBM); Hewlett-Packard (HP) (NYSE: HPQ); RSA, the security division of EMC (NYSE: EMC); and Thales, formerly known as nCipher.

Their proposed Key Management Interoperability Protocol (KMIP) will make it easier and less costly for enterprises to implement encryption. Right now there are no common standards, and each encryption vendor has a proprietary key management system, so a large enterprise that uses products from multiple vendors ends up with several different key management systems.

Standardizing key management protocols will make it easier to secure data, which PGP CEO Phil Dunkelberger has said is going to be an important development for security this year.

The KMIP protocol will bring enterprise storage on par with end-user storage, for which the storage industry has developed standardized encryption protocols, Michael Willett, senior director for security at storage vendor Seagate Technology (NASDAQ: STX), told InternetNews.com.

The promise of end-to-end encryption

Storage management vendors are beginning to offer self-encrypting drives with encryption engines built into the drives’ circuitry, Willett said. “Now with this key management standard, enterprise IT people will be able to buy one set of protocols and manage a variety of clients with a common key management system. And you’ll have end-to-end encryption from the low-level management interfaces for hard drives to the top end storage in the data center.”

HP, IBM, RSA and Thales have done interoperability testing of their key management products over the past year while developing the KMIP protocols, Mark Schiller, the director, HP Security Office, told InternetNews.com. “We wanted to create a completed specification and use that as a starting point in an industry-wide standards body,” he explained.

The group has obtained support from Seagate, LSI, and Brocade (NASDAQ: BRCD), and Schiller said other participants are in the pipeline. “We’ve invited all the major industry players to join us, including Microsoft (NASDAQ: MSFT),” he added.

The KMIP specification has been submitted to OASIS, the Organization for the Advancement of Structured Information Standards, a not-for-profit consortium that drives open standards.

OASIS spokesperson Carol Geyer told InternetNews.com by e-mail that it posted a draft KMIP Technical Committee charter on its site yesterday for member review. Members have until February 26 to comment on this.

The next step is to respond to comments and then submit a final charter, after which OASIS will issue a Call for Participation. That will happen between March 5 and March 10, Geyer said. The proposers of KMIP are planning their first committee meeting for April 24.

HP’s Schiller expects the first products incorporating KMIP to hit the market within six months to a year.

Update provides correct company affiliation for Phil Dunkelberger
