I recently scrolled through 2014 in the Privacy Rights Clearinghouse and was pleased to see that the number of incidents was down overall compared to the prior two years. It’s not really a reason to pop a cork, though, because the reported number of records breached represents nearly a third of all records breached, almost 300 million, since the Clearinghouse started keeping track in 2005 (and that number excludes the questionable impact of a reported billion-record breach).
As discussed in an earlier post, perimeter breaches of large enterprises with complex infrastructures are inevitable. Focus has to shift from shoving more fingers in the dike of the perimeter to reducing the impact when penetration occurs. The best strategy for that is pervasive, enterprise-wide, data-centric encryption of sensitive assets, if not of all electronic data. However, few have implemented genuinely enterprise-wide data encryption schemes, at least in part because doing so has meant committing to a single vendor’s products, since that has been the only means of gaining interoperability. This would seem at odds with the state of encryption technology, where the algorithms themselves are widely accepted and implemented: given the appropriate key, data encrypted with AES by one application can be decrypted by any other AES-compliant application. Managing and securing those crypto keys while distributing them to a disparate range of applications has been one of the primary obstacles to broader deployment.
Fortunately, that situation is changing with the introduction of the Key Management Interoperability Protocol, or KMIP. Other than being fun to say (kay-mĭp), KMIP establishes the standard for the secure and accurate exchange of cryptographic keys between applications, particularly between a centralized key manager and the encryption applications that need keys to function. This focus on the easy and secure exchange of keys is what has let KMIP succeed where the more complex application programming interface (API) standard PKCS #11 has struggled. KMIP addresses the need for vendor-neutral key management interoperability just as Structured Query Language (SQL) does for relational database integration, and as Lightweight Directory Access Protocol (LDAP) emerged as the dominant directory integration standard in place of the more cumbersome X.500.
The KMIP standard was originally submitted to the Organization for the Advancement of Structured Information Standards (OASIS) in 2009, and the KMIP Interop has since become a standard feature of the annual RSA Security Conference. At the Interop showcase, different applications demonstrate their compliance with the standard and their integration with one another. While the early commercial implementations tended to remain vendor vertical, the last two years have seen increased focus on interoperability between vendors. This gives enterprises confidence that, soon, they can select a single enterprise-wide key management platform, simplifying the work needed to create, manage and, most importantly in the context of data breaches, control the use of keys, with the reasonable expectation that any encryption application will be able to obtain the keys it needs from that platform. Equally important, it reduces the risk of vendor lock-in to either the key management platform or the encrypting applications, as either can be switched out with greatly reduced risk.
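The following Go program is an added illustration of the architecture the last two paragraphs describe: applications never hold long-term keys themselves but request key material from a central manager by identifier, so one application can encrypt with AES and a different one can decrypt, and the manager retains control (here, the ability to destroy a key and thereby refuse further use). It is example code written for this post, not Prime Factors' software and not a KMIP implementation; the `KeyManager` type, its `Create`/`Get`/`Destroy` methods (named after the KMIP operations they stand in for) and the `key-0001` identifier format are constructed for the example, and the real protocol's wire encoding, authentication and authorization are deliberately omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager is a toy stand-in for a central key manager (constructed for this
// example). Applications identify keys only by Unique Identifier and ask the
// manager for material at the moment they need it.
type KeyManager struct {
	keys map[string][]byte
	next int
}

func NewKeyManager() *KeyManager {
	return &KeyManager{keys: make(map[string][]byte)}
}

// Create generates a fresh 256-bit AES key and returns its identifier.
func (km *KeyManager) Create() (string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	km.next++
	id := fmt.Sprintf("key-%04d", km.next) // identifier format is an assumption
	km.keys[id] = key
	return id, nil
}

// Get hands out a copy of the key material for an identifier; a destroyed or
// unknown identifier is refused, which is how the manager controls key use.
func (km *KeyManager) Get(id string) ([]byte, error) {
	k, ok := km.keys[id]
	if !ok {
		return nil, errors.New("key not available: " + id)
	}
	out := make([]byte, len(k))
	copy(out, k)
	return out, nil
}

// Destroy removes the key so that no application can obtain it again.
func (km *KeyManager) Destroy(id string) {
	delete(km.keys, id)
}

// gcmFor fetches the key by identifier and builds an AES-256-GCM AEAD from it.
func gcmFor(km *KeyManager, keyID string) (cipher.AEAD, error) {
	key, err := km.Get(keyID)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt plays "application A": it stores only the key identifier alongside
// the record. The identifier is bound as associated data so a ciphertext cannot
// later be silently re-pointed at a different key.
func Encrypt(km *KeyManager, keyID string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(km, keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext+tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(keyID)), nil
}

// Decrypt plays "application B", a different program that shares nothing with A
// except access to the key manager and the key identifier.
func Decrypt(km *KeyManager, keyID string, record []byte) ([]byte, error) {
	gcm, err := gcmFor(km, keyID)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(keyID))
}

func main() {
	km := NewKeyManager()
	id, _ := km.Create()
	rec, _ := Encrypt(km, id, []byte("4111 1111 1111 1111")) // constructed sample
	pt, err := Decrypt(km, id, rec)
	fmt.Printf("app B recovered %q (err=%v)\n", pt, err)
	km.Destroy(id)
	_, err = Decrypt(km, id, rec)
	fmt.Println("after Destroy, app B gets:", err)
}
```

The point of the design is the separation: the applications agree only on the algorithm (AES-GCM) and on a key identifier, which is exactly the interoperability the post describes, while revoking the key in one place ends its use everywhere, whichever vendor wrote the applications.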
Look for an announcement to be published next week, showing the date of a Prime Factors webinar expanding on the topic of KMIP. In the meantime, check out a replay of a recent webinar featuring Brian Huse, CIO of Arroweye Solutions, discussing his views on Best Practices for Data Protection & Automated Crypto Key Management.