
Encryption key management: The stumbling block to securing data

Data encryption is showing up in tape libraries, disk drives and backup software, but the technology is hindered by the lack of a single standard for managing encryption keys.

While organizations are encrypting data in more places, the lack of standard encryption key management is a stumbling block to securing data.

The options for encrypting data have expanded in recent years. Encryption started as a feature inside network devices sold by companies such as NetApp/Decru and NeoScale Systems Inc. (now owned by nCipher Plc). It didn't catch on there, but began showing up in backup software. Disk makers Fujitsu and Seagate Technology now sell self-encrypting hard drives, Brocade Communications Systems Inc. and Cisco Systems Inc. offer encryption in Fibre Channel (FC) switches, and encryption is native in enterprise tape libraries from IBM and Sun Microsystems Inc. and in LTO-4 tape drives.

EMC Corp., Fujitsu, Hitachi Data Systems, IBM and LSI Corp. support disk-based encryption within storage arrays.

However, these vendors have separate systems for managing the keys needed to read encrypted data. Those keys must be stored, protected, backed up and tracked -- a process that becomes more unwieldy as an organization adds encryption in different places.


"The way the winds are blowing, all end points [disk drives, tape drives, etc.] are adding an encryption chip in everything," said Arun Taneja, founder and consulting analyst at Hopkinton, Mass.-based Taneja Group. "Five years ago, when network-based encryption devices were hot and heavy, I felt the network would be the place to do encryption. I didn't realize the industry would find a way to basically put the chip in every end device at almost zero cost. Given that they've done that, now I'm thinking if that's true then maybe that's where encryption will get done."

Storage administrators show growing interest in encryption

A purchasing survey conducted this spring shows interest in encryption on the rise among storage administrators. For the first time, most of the respondents said they were encrypting data. Those with no encryption plans dropped from 57% in the spring of 2008 to 49% in 2009. Adoption ticked up in backup applications from 16% to 19%, in security devices from 10% to 14%, and in hard drives and tape drives from 8% to 10%. Array-based encryption buying plans decreased from 9% to 8%.

Recent research by New York City-based TheInfoPro (TIP) Inc. also found encryption on the increase, although TIP's interviews with Fortune 1000 storage admins indicate that it was driven by adoption of LTO-4 drives with built-in encryption.

According to TIP, the adoption rate of encryption among large enterprises has risen from 18% in 2007 to 37% early this year.

"That's a substantial jump," said Rob Stevenson, TIP's managing director of storage research. "We saw a spike in encryption last year as people started to adopt LTO-4. Everyone that had it in their pilot or eval plans at the end of 2008 has essentially moved into production."

Stevenson said that approximately 60% of those using encryption are doing it in tape drives, primarily enterprise libraries with native encryption from IBM and Sun Microsystems Inc. Even with the surge, TIP's research suggests encryption would be more prevalent with better key management. "Sixty-five percent say key management is extremely important," he said.

Key management remains the stumbling block

Key management becomes more important as encryption becomes more widely implemented. It also becomes more of a stumbling block when encryption happens in multiple devices from different vendors, each with its own key store, and there is no single standard for managing the keys.

"It's the key management that still continues to be an issue," Taneja Group's Taneja said. "Key management will be a bigger issue when you have a gazillion drives and each has its own key management. How do you manage the keys?"

Jon Oltsik, a senior analyst at Milford, Mass.-based Enterprise Strategy Group (ESG), calls the key management market immature, with most key management systems bundled with encryption devices.

"That was OK a few years ago," he said. "But, as you can imagine, the more encryption you do, the more key management systems you have, then all of a sudden you have the operational and security challenges of managing multiple systems. We're still in the early evolution of heterogeneous key management systems. They don't talk to each other, there are no standards and they won't scale."


Encryption standards coming from vendors

But help may be on the way. Earlier this year, a coalition of vendors led by Hewlett-Packard (HP) Co., IBM, EMC/RSA Security and Thales Group submitted a standard for interoperability between key management systems and encryption devices to the Organization for the Advancement of Structured Information Standards (OASIS). The spec is called the Key Management Interoperability Protocol (KMIP), and the collaborating vendors would like to see it become an industry-wide standard by the end of this year.

If adopted, KMIP would allow users to attach almost any encrypting device to one preferred key management system, regardless of the vendors involved. Brocade, LSI and Seagate are also in the KMIP group.

In addition, Sun has released an open-source protocol for enterprise encryption key management to OASIS. Sun's protocol has been part of its self-encrypting tape drives for more than a year, and company executives claim the Sun protocol is more advanced than the KMIP spec. Still, representatives from the two groups said they'll work together to blend the proposed standards.

ESG's Oltsik said the KMIP effort is a step in the right direction. "I'm encouraged because those are the companies you want to work on a standard together," he said. "Those are the ones who will most likely play in this area."
