This article can also be found in the Premium Editorial Download "Storage magazine: What you need to know about data storage provisioning."
All of these features are required by the FIPS standard. Systems from Decru, nCipher, NeoScale and Vormetric satisfy these requirements if you're using the vendor's product throughout your enterprise. As open APIs and other standards are adopted, the benefits derived from these standards should extend to management of all storage keys throughout the enterprise. For now, however, managing keys from other systems requires API-level support from storage product vendors that produce encryption keys, which could take a while. For example, Decru and Cisco Systems Inc. have announced a development relationship, but it may be years before all Cisco products that use keys can be managed through Decru's Lifetime Key Management (LKM) system.
There have been some attempts to enable interoperability among cryptographic engines. For example, Sun Microsystems Inc. has proposed the Simple Key Management for Internet Protocol (SKIP) to the Internet Engineering Task Force to enable secure distribution of information among devices, which could include encryption keys. Other standards are also under development by the National Institute of Standards and Technology, which created FIPS 140-2. Those standards will define acceptable key establishment, agreement and transport schemes based on ANSI documents, which will allow secure storage systems to exchange data. The ANSI documents are currently in draft form, but are expected to be approved shortly.
The biggest differentiator among the key management vendors profiled here isn't how they manage keys. Because none of the vendors currently has any real compatibility with other products, the primary differentiator is the type of encryption supported. If you require inline, wire-speed Fibre Channel encryption, consider Decru or NeoScale. If you only need to encrypt a few folders on a network share, rather than the whole file system, Vormetric may be your ideal candidate. If you want to implement a key management solution that covers more than just storage encryption keys, nCipher is the strongest candidate.
This was first published in October 2006