KMIP (Key Management Interoperability Protocol) Provides Relief for Encryption Key Nightmares in Large Enterprises
Encryption's value is no longer in question in large enterprises. Rather, the broader challenge they face as they look to manage petabytes of data in complex backup environments is, "How do we overcome the substantial cost and time required to manage encryption keys?" An answer to this concern is finally at hand in the form of the newly available Key Management Interoperability Protocol (KMIP).
The Impetus to Encrypt Data
Enterprises that are serious about protecting the integrity of their data, their clients' data and/or complying with government regulations no longer seriously dispute the value of encryption. Rather, they recognize that data encryption is crucial to preserving their company's value, its reputation, and even its long-term viability.
Global Payments (NYSE: GPN) can attest to how a data breach can affect a company's valuation. In April 2012 Visa dropped it as a transaction processor after it was discovered that Global Payments had suffered a massive data breach affecting approximately 1.5 million credit cards. While Global Payments continued to process Visa transactions after the breach, its stock price dropped 12% the day it was removed from Visa's registry and remains nearly 10% below the pre-breach price almost a year later.
Public perception may also take a blow. Shortly after it was dropped from Visa's registry, Global Payments CEO Paul Garcia remarked, "This could give our partners some pause knowing that they are doing business with someone who experienced a breach."
On a personal level, the confidential medical records of Nydia Velázquez, a candidate for the US House of Representatives, contained information about her recent suicide attempt. Unbeknownst to her, these records were accessed and sent to the press the night before the 1992 primaries. While she did go on to win, the release of that information reduced her victory to a very narrow margin.
Companies can even go out of business if critical intellectual property is accessed by a competitor. American Superconductor (NASDAQ: AMSC) uncovered through a routine maintenance check that the Chinese company Sinovel had stolen the software for its wind turbine designs.
The damage done, American Superconductor's revenue decreased 80% in 6 months as a result of sales it lost to Sinovel, and its stock price now stands at roughly 10% of its pre-breach value. This loss of revenue and corporate value confirms an April 2011 report that 85 percent of an organization's value is tied to intangible brand assets and intellectual property.
These examples illustrate the real-world risks that organizations run as a result of not encrypting their data. Yet much corporate data remains unencrypted and at risk for two practical reasons.
Multiple Layers at Which to Encrypt Data
The good and bad news is that enterprises have the flexibility to encrypt data at multiple layers within their infrastructure. Data may be encrypted within applications, file systems, device drivers, disk drives, network switches, storage appliances and even mobile devices.
The problem with encrypting data at different places is that encryption becomes complex to manage, so enterprises tend to agree upon a single layer (such as the storage appliance layer) at which to encrypt data. However, this rarely works, since regulatory requirements may dictate that they encrypt data elsewhere.
For example, the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) dictate that fields such as credit card numbers and sensitive patient information be encrypted within the customer record itself.
Proprietary Encryption Methodologies
Even assuming an enterprise does limit where data may be encrypted, it must use proprietary methods to encrypt data at each layer. This has a negative ripple effect across the environment.
Encrypting data at the application layer prevents the efficient deduplication of that data which often occurs during backups and/or replication. If data is encrypted on a disk drive, enterprises may not have the flexibility to remove the disk drive and place it in another storage device that can then read from it. And if data is encrypted at the storage appliance layer, different storage appliances may each use their own encryption methodology.
Yet the largest challenge enterprises face is simply putting in place a common, central key management algorithm that may be used by any of these various layers. Since most enterprises need to encrypt data at multiple layers, they must also introduce a proprietary key management scheme for each layer. This adds to encryption's cost and complexity.
These specific challenges have collectively stood in the way of encryption's broader adoption. Of these, the lack of cost-effective, centralized key management that spans the various layers at which encryption may occur remains the biggest obstacle to encryption's universal adoption. This is the long-standing challenge KMIP is poised to solve.
KMIP Lays Foundation for Viable Enterprise Encryption Solution
The Key Management Interoperability Protocol (KMIP) represents a breakthrough from an encryption deployment standpoint in that enterprises may deploy an open source encryption solution that has no dependencies upon existing proprietary key management approaches. Using KMIP, any provider's encryption methodology that supports KMIP may communicate with a KMIP server to obtain the keys it needs to encrypt data.
The big advantage this presents over current encryption key management techniques is that rather than each encryption vendor needing to provide and manage a proprietary key management solution, KMIP provides the keys that each encryption methodology needs. In this way, enterprises have the flexibility to deploy encryption at whatever layer they need without seeing their costs or complexity rise significantly.
While it is a prerequisite that any encryption methodology they use support KMIP, it is logical to conclude that enterprises will at some point require providers to support KMIP in their encryption offering for the following reasons.
First and foremost, enterprises will only need to implement one key manager instead of a separate key manager for each layer. In this way enterprises may centrally administer their encryption keys, since one key manager will work across all of their encryption offerings. These reductions in complexity and cost alone will make it an imperative for encryption providers to develop and offer support for KMIP at some level.
Second, enterprises may deploy encryption at the layer where it is needed. While deploying encryption at different layers in the infrastructure still incurs costs, by decoupling and centralizing the encryption key management the cost and complexity are far less than if each device and/or layer has its own form of encryption key management.
Third, existing business processes are unaffected. By all encryption methodologies obtaining their encryption key from the same source, processes such as backup and replication that leverage deduplication may occur uninterrupted. These data optimization and movement processes may now request the keys necessary to safely and securely decrypt and then re-encrypt data.
KMIP Needs to Mature but It is the Future
KMIP still faces challenges on multiple fronts. It needs to displace existing proprietary solutions. More providers of encryption solutions need to implement and support it. Support, training and best practices for KMIP deployments need to emerge.
However, three factors are working strongly in KMIP's favor. Encryption is still not widely adopted by enterprises. Enterprises have more data than ever that they need to encrypt, as they do not want to face the dire consequences should their data end up out in the open. Finally, enterprises know existing approaches are cost-prohibitive and they need an easier, more cost-effective means to encrypt their data.
These factors, coupled with the fact that KMIP is gathering momentum as the open source platform of choice, should drive KMIP's maturity and adoption among encryption solution providers. Assuming that occurs, as it appears poised to, enterprises are waiting with open arms to adopt it.