One of the main reasons organisations have generally shied away from adopting storage encryption technology is the extra administrative overhead that comes with encryption key management, which is crucial to protecting and accessing encrypted data effectively.
Key management means protecting encryption keys from loss, corruption and unauthorised access. Key management system software is available from numerous vendors, including EMC/RSA Security, IBM, Microsoft and Sun Microsystems.
According to Simon Daykin, technical architect at IT services provider Logicalis, 90% of key management is about having clear processes in place. Only 10% is about installing the right software.
Among the processes needed to control key management are:
- Ensuring keys are kept securely
- Changing the keys regularly
- Managing how and to whom keys are assigned
- Deciding on the granularity of keys. This means evaluating, for example, whether one key should be used for all backup tapes or whether each tape should be assigned its own key.
Greg Gawthorpe is technical operations manager for IT support and infrastructure at online financial trading house CMC Markets. He said managing encryption keys is a challenge, "but it's not insurmountable". His company encrypts sensitive data at the database level and on all laptops. It also archives backup tapes using BakBone Software's NetVault:Backup.
"If you lose a key, you're in trouble. It's not as simple as just calling a locksmith," Gawthorpe said. "And you can't just write keys on a bit of paper, so we use key management software. But you have to ensure you limit access to as few people as possible and ensure they have restricted access."
Key management occurs in other areas of CMC Markets' IT systems, but each is managed by specific groups within the IT team, with database encryption keys looked after by database administrators, for example.
Such a situation demonstrates a major challenge of key management: a lack of unified tools that can reduce the management overhead. The problem at the moment is that keys and key management software from different vendors aren't interoperable. So, if a key management system is purchased from one supplier, such as IBM, it can't manage keys from another supplier, such as Seagate, because each vendor implements encryption in a slightly different way.
In an attempt to resolve this issue, a coalition of vendors led by Hewlett-Packard, IBM, EMC/RSA Security and Thales Group has submitted the Key Management Interoperability Protocol (KMIP) standard to the Organization for the Advancement of Structured Information Standards (OASIS). The hope is that it will be adopted by the end of this year.