Sun Microsystems Inc. has released an open-source protocol for enterprise encryption key management, a week after a consortium led by other major vendors submitted a standards protocol to the Organization for the Advancement of Structured Information Standards (OASIS).
Sun's protocol has been part of its self-encrypting tape drives for more than a year. Company executives say their protocol is more advanced than the specification submitted to OASIS by a group led by EMC Corp./RSA, Hewlett-Packard Co., IBM Corp. and Thales Group. A Sun spokesperson described the OASIS submission as a "low-level binary protocol for communication, rather than [the] more advanced XML solution used in the latest OASIS and current IEEE 1619.3 discussions." The IEEE has also drafted its own key management standard, which it released early last year.
The OASIS consortium claimed last week that its protocol will address a wide variety of devices, including disk drives, tape drives, laptops, mobile devices, network switches and applications, while the IEEE standard focuses on enterprise storage devices. Analysts said the OASIS spec imposes clearer rules on methods of key management communication than other standards do.
Robert Griffin, director of solution design for the Data Security Group at RSA, The Security Division of EMC, said representatives from the consortium and Sun will work together to try and blend the two proposed standards. Because they work at different levels, it might be possible to "nest" one into the other, he said.
Sandy Stewart, engineering director for Sun's Key Management System, said the timing of that invitation was the problem. The consortium first got together more than a year ago, but Sun claims it was only in the last month and a half that it was approached by the other vendors to participate.
"To be frank, this was sprung on us at the last minute and we're still going over the details," Stewart said. But he said there have already been meetings between the vendors this week, and Sun plans to work with the consortium and OASIS to sort out the protocols.
According to Eric Burgener, a senior analyst and consultant at Hopkinton, Mass.-based Taneja Group, all of the vendors are actually late to this discussion. "I'm disappointed that it's taken as long as it has for the industry to address the key management standards issue," he said, noting that "we're years away" from a standard that could be adopted in the marketplace. "Even if OASIS adopted a standard tomorrow, it would still take about 12 months for vendors to build and ship products," he said.