Last updated: 06 February 2019
In today’s business world, encryption of an organization’s sensitive data at rest must be a fundamental component of any successful cyber security strategy. Whether the goal is compliance or limiting the damage of a breach or attack, encryption, together with access management, must be part of an organization’s overall defense. The growth of data has driven a corresponding growth in the use of encryption across almost every industry, and with it a growing number of encryption keys that an organization must manage. This can be a complex task, especially for organizations that run various vendor technologies and need a single solution to manage the keys generated by those different systems. The Key Management Interoperability Protocol (KMIP) provides a technology solution to this common problem.
The KMIP standard has been around since 2007 and was developed to help organizations address the challenge of dealing with the proliferation of keys generated by disparate tools and technologies. Since its inception, encryption use cases have continued to grow, which has strengthened the need for an industry standard like KMIP.
The Organization for the Advancement of Structured Information Standards (OASIS) is the global non-profit consortium that develops, converges and promotes adoption of the Key Management Interoperability Protocol, the technology standard commonly known as KMIP. KMIP defines a standard means of communication between the encryption systems that need to consume keys (the KMIP clients) and the key management systems that create and manage those keys (the KMIP servers). By using a key manager that implements the KMIP standard, an organization can manage keys for different vendors’ encryption technologies from a single centralized platform and unify its key management policies and workflows.
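To make the client/server exchange concrete, here is an added Python example (not code from the original post, Gemalto or OASIS) that builds a minimal KMIP Get request in the protocol’s TTLV wire encoding and decodes it again; the tag, type and operation codes are the published KMIP values, and the key identifier "key-1" is a constructed sample.

```python
import struct

TAG = {  # KMIP TTLV tag codes, as published in the OASIS KMIP specification
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
}
NAME = {v: k for k, v in TAG.items()}
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07  # type codes
OP_GET = 0x0A  # Operation enumeration value for Get

def ttlv(tag, typ, value):  # 3-byte tag, 1-byte type, 4-byte length, value padded to 8
    if typ == STRUCTURE:
        body = b"".join(value)  # child items are already padded
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">i" if typ == INTEGER else ">I", value)  # 4 bytes
    else:  # TEXT_STRING
        body = value.encode("utf-8")
    head = TAG[tag].to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return head + body + b"\x00" * ((-len(body)) % 8)

def get_request(uid, major=1, minor=0):
    """KMIP Get request: the client asks the key manager for the object with this UID."""
    header = ttlv("RequestHeader", STRUCTURE, [
        ttlv("ProtocolVersion", STRUCTURE, [
            ttlv("ProtocolVersionMajor", INTEGER, major),
            ttlv("ProtocolVersionMinor", INTEGER, minor)]),
        ttlv("BatchCount", INTEGER, 1)])
    item = ttlv("BatchItem", STRUCTURE, [
        ttlv("Operation", ENUMERATION, OP_GET),
        ttlv("RequestPayload", STRUCTURE, [ttlv("UniqueIdentifier", TEXT_STRING, uid)])])
    return ttlv("RequestMessage", STRUCTURE, [header, item])

def parse(buf, pos=0):
    """Decode the item at pos to (name, value); returns it with the next offset."""
    tag = int.from_bytes(buf[pos:pos + 3], "big")
    typ, length = buf[pos + 3], struct.unpack(">I", buf[pos + 4:pos + 8])[0]
    body, end = buf[pos + 8:pos + 8 + length], pos + 8 + length + (-length) % 8
    if typ == STRUCTURE:  # recurse over the children packed inside the body
        value, p = [], 0
        while p < len(body):
            item, p = parse(body, p)
            value.append(item)
    elif typ in (INTEGER, ENUMERATION):
        value = struct.unpack(">i" if typ == INTEGER else ">I", body)[0]
    else:  # TEXT_STRING (the only other type this example emits)
        value = body.decode("utf-8")
    return (NAME.get(tag, hex(tag)), value), end
```

A real client sends these bytes to the key manager over a TLS connection and receives a ResponseMessage in the same encoding; the key material itself never has to be generated or stored by the consuming application.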
It’s sometimes difficult to envision how much effort is involved in managing your sensitive data and knowing where it exists. Databases, CRM/ERP systems, and various commercial and in-house applications are just a few examples of where the proper management of sensitive data needs to be considered. Where data repositories are widely dispersed (and the lines of business consuming them have different security concerns), a KMIP-compliant key manager can bring all this disparate effort under one umbrella from a policy management viewpoint. Centralizing encryption keys makes it easier to apply uniform policies for key rotation, backup and overall lifecycle management, and to meet internal audit requirements and industry and government regulations.
Gemalto’s enterprise key manager, SafeNet KeySecure, is a KMIP-compliant solution that provides a single, centralized platform for managing cryptographic keys and applications. With SafeNet KeySecure, administrators can simultaneously manage multiple encryption systems and endpoints, along with their associated keys, through one key management platform. SafeNet KeySecure can also define access management for those keys (using directory services such as AD or LDAP) to ensure appropriate access and permissions to sensitive data.
Gemalto implemented KMIP v1.0 in SafeNet KeySecure back in 2010 and has since continued to adopt the evolving standard in the product. In order to leverage the latest KMIP specification, Gemalto has recently licensed Cryptsoft’s KMIP technology for use in SafeNet KeySecure. The standard’s next major version (KMIP v2.0) will deliver a wider range of new features, including changes to increase performance and scalability, functionality to deliver and integrate with security administration controls, and improvements to authentication, key rollover and cloud infrastructure integration. The new version will enable implementers to deliver encryption key and security object management solutions that are more robust and efficient whilst meeting existing and emerging cybersecurity requirements.
The standard has evolved significantly since its early days, when most KMIP implementations came from storage vendors, with self-encrypting drives creating the demand for centralized and unified key management. With the storage landscape continually evolving, organizations using an enterprise key manager (EKM) like SafeNet KeySecure are able to support KMIP implementations across a broad range of technologies, including hyperconverged and virtualized infrastructures. With the adoption of KMIP by application vendors, SafeNet KeySecure can also manage the cryptographic material of any data-generating application that employs the KMIP standard (such as MongoDB, Commvault, DB2 and many others). This enables security teams to uniformly view, control and administer cryptographic policies and keys for all of their organization’s sensitive data, whether it resides in the cloud, in storage, in databases, or virtually anywhere else.
Gemalto has an expansive ecosystem of technology partners that integrate with SafeNet KeySecure via KMIP to provide organizations with powerful encryption and key management solutions. Learn more about Gemalto’s KMIP interoperability partners and view our other helpful resources including Benefits of Enterprise Key Management for Storage Solution Brief and Enterprise Encryption Key Management.