A promising new key management standards effort

At ESG, we have this concept called ubiquitous encryption. As more and more encryption technologies are baked into products and enter the enterprise, data will likely be encrypted everywhere--on hard drives, networks, database columns, file systems, tape drives, portable media, etc.

Good news for data confidentiality and integrity but all of this encryption means tons of new encryption keys to create, protect, and manage. This situation has scared me for a while. If encryption keys are stolen, they can easily unlock secret data. If encryption keys are lost, critical data can turn into useless 1s and 0s.

Of course, what's needed is enterprise class hardened key management. Several companies have early product offerings, but without key management standards, this critical security task could become a proprietary mess. There are several ongoing standards efforts, but none had the momentum necessary to drive the market.

I am quite happy to say that I am not the only one to recognize this gap. This morning, industry leaders including Brocade, EMC, HP, IBM, LSI, RSA, Seagate, and Thales announced a new standard called the Key Management Interoperability Protocol (KMIP). Rather than maintain control, the group plans to submit KMIP to OASIS (Organization for the Advancement of Structured Information Standards) for advancement through the organization's open standards process. This allows other vendors like Check Point, Entrust, McAfee, Microsoft, Network Appliance, Oracle, PGP, Symantec, Trend Micro, and Verisign to join the effort.

Yes, there is still a lot of work ahead and we can all think of plenty of standards that never saw the light of day. Nevertheless, I believe this is a significant development and one of few positive data security/privacy developments recently. I encourage other vendors as well as government agencies such as NIST and the NSA to participate aggressively before we are all buried in a sea of neglected and insecure encryption keys everywhere.