This article can also be found in the Premium Editorial Download "Storage magazine: Betting on an enterprise-level virtual tape library (VTL)."
Download it now to read this article plus other related content.
As locking up data becomes common in more enterprises, keeping track of encryption keys is turning into storage managers' next big headache. Various encryption methods have spawned numerous keys that need to be kept safe, rotated and retired appropriately. With disparate key management systems throughout the data center, it's easy to end up with a piecemeal approach to encryption and siloed key management. But vendors are jumping on board with related products, and an emerging standard promises to ease encryption key management.
Leading the pack is RSA, EMC's security division, which in April released RSA Key Manager (RKM) for the Datacenter, the latest version of its enterprise key manager product. The product aims to centralize key management with support for a variety of encryption methods and apps, including Oracle 11g, EMC PowerPath, SAN encryption and tape encryption. RSA announced partnerships with Cisco and Brocade earlier this year.
Katie Curtin-Mestre, director of product marketing for the data security group at RSA, compares encryption to replication. "I don't ever think there's going to be one universal way to encrypt," she says. "We're going to support a lot of different technologies in the data center because there isn't necessarily one technology that can do the job for all the customers."
"RSA is doing a great job pushing the key management agenda
| and signing up third parties for integration," says Jon Oltsik, senior analyst at Enterprise Strategy Group, Milford, MA. But he says key management is still an "immature technology. There are very few people who need the interoperability that we'll see in the future for key management."
RSA partner Cisco offers its own key management product and supports RSA's key manager. "The direction for encryption is integrated solutions," says Doug Anderson, product manager for Cisco Storage Media Encryption (SME). Anderson also mentions IEEE 1619.3, a key management standard that's still in committee. "Eventually, we would like to all have that as the common lingua franca," he says, predicting that it's still two or three years down the road. "We're looking forward to interoperability."
Harvey Ewing, senior director of IT security at Carrollton, TX-based hotel chain Accor North America, needed to centralize keys for 1,200 locations when Accor began using RSA's key manager product in 2006.
"My goal was to provide each property with its own key. Then if there was a breach at any place, it wouldn't affect the others," he says. "The back-end system here needed to know what keys were being used where, and who had access."
Accor's challenges in setting up centralized key management were related mainly to integration, incorporating in-house and third-party apps to encrypt and decrypt customer data at any point in the enterprise.
Key management is more than an operational challenge, says Oltsik. "The difference is that this could be a data loss problem," he says. "If you have multiple key management systems, each one needs to be secure and administered properly and backed up. One mistake and you may lose all your data."
Building a centralized key management system took Accor North America a few years, but Ewing says the foundation is now laid for an infrastructure that protects all customer data. "Enterprise-wide encryption takes a long time," he says. "There are a lot of gotchas."
This was first published in August 2008