Enterprises are increasingly aware of the need to implement encryption in order to protect their information assets, but this has emphasized the challenges around interoperability and effective key lifecycle management. As a result, a group of storage and security vendors has announced the Key Management Interoperability Protocol (KMIP), which is intended to standardize key management interfaces.
The growing trend towards remote and mobile working, combined with the ubiquity of internet access and the prevalence of removable storage, has created a significant increase in the channels through which data can be lost. Unsurprisingly, this growth in loss vectors has resulted in a torrent of high-profile incidents that have led to valuable data being compromised. The higher visibility of the risks of data loss and the awareness of their effects on the bottom line (especially in this challenging economic environment) have encouraged greater investments from enterprises in information protection technologies, particularly encryption.
However, the increased emphasis on information protection has amplified the problems with implementing enterprise-wide encryption in a heterogeneous environment. The challenges around interoperability between different encryption mechanisms and around effective key lifecycle management have persisted, posing a significant barrier to its wider adoption. So far, the attempts to resolve these concerns have often been ad hoc and have therefore failed to remove obstacles to the wider and deeper adoption of encryption solutions.
This may all change thanks to the welcome introduction of the proposed KMIP standard that has been formulated by a group of prominent enterprise storage and security vendors including Brocade, EMC, HP, IBM, LSI, Seagate and Thales. KMIP is intended to standardize and simplify the interactions between disparate key management mechanisms and encryption methods across the entire IT infrastructure. The long list of vendors that have already committed to the standard will almost guarantee its ratification and make it very likely to emerge as the foremost protocol in this marketplace. However, KMIP is still at an early stage of its development and is many steps away from being adopted by the industry.
Interestingly, Sun Microsystems has also announced its own proposal for a protocol to handle the communication between encrypting devices and key management systems. As one would expect from Sun, this protocol is available as an open-source application programming interface (API), and therefore can be used by hardware and software vendors, as well as resellers, without additional licensing. It is worth mentioning that, while this standard is largely complementary to the KMIP standard, Sun is using it to maintain its position in the key management space by encouraging the adoption of its own API and embedding its technology in a wider range of encryption deployments. Sun’s offering has the advantage of already being available to use, and its open-source nature means that anyone can embed it into encryption management solutions. Nevertheless, in the long term, it will struggle to challenge KMIP due to the standard’s broad support from the industry.
Regardless of whether the KMIP participants and Sun compete or co-operate, even the partial adoption of standards for key management and encryption interoperability is an enormous step forward. The standardization of key management interfaces will benefit both customers and vendors as it will remove some of the key inhibitors to the adoption of encryption while making the technology less complex to implement. From a vendor perspective, this will encourage growth and create an opportunity for vendors to finally break into new customer demographics. From the end-user perspective, this process of standardization will make encryption more transparent, less costly and easier to deploy, while simultaneously reducing the risk of vendor lock-in.