At the Cutting Edge of Key Management
Brian Tokuyoshi - Senior Product Marketing Manager
I recently attended the 2010 IEEE Key Management Summit, an event that brought together the leading industry pundits talking about the topic of key management. I had a number of interesting discussions with vendors, researchers and customers throughout the conference. In this blog, I’ll summarize some of the things that I saw and offer up a couple of opinions of my own.
The IEEE Key Management Summit was held the first week of May at North Shore Lake Tahoe, Nevada. This event attracts a technical audience, with heavy participation from the leadership of standards groups such as OASIS KMIP, IEEE 1619.3, and IETF KeyProv.
This is the second such conference, the first of which was held back in 2008. That inaugural event had a number of healthy and loud discussions, where there were clearly differences in philosophies between the pragmatists (“This is a problem that exists now, we need to do something immediately”) and the academics (“We acknowledge there is a problem, but we can’t rush the solution and we need time to fully explore the ramifications of each approach”). The pragmatists tend to believe that a solution comes about by taking action first and making iterative improvements to fix any deficiencies. The academics believe that a good solution can withstand the crucible of public scrutiny through a review process, which leads to a better solution done right the first time. As such, the discussion was both insightful and sometimes inflammatory, but always interesting.
In the time that’s passed since the first event, the market has changed. Some vendors in the key management space changed ownership. The KMIP standard emerged and is on track towards a public review. And while there are still many key management issues that need to be solved, the event had more camaraderie and a sense of working towards common goals.
What’s unchanged is that the problem hasn’t gone away. Everyone in the room still agrees that there’s a pressing need to protect data and that many enterprises do not have proper tools to manage the keys in a large heterogeneous environment.
The question, though, lies in where to start and what needs to be done to solve the issue. Some believe that the most important issue is to address key management for storage, since it’s a mature market that requires solutions now. Some believe that applications that need keys are the highest priority, since this work is ongoing right now as many companies struggle to bolt encryption onto decades of existing data and code. And there are some who think that we might have made a big mistake going down the road of using public-key cryptography in the first place, and it might be better to start over again.
I believe, though, that no matter where the technology and market go, there are some basics that need to be addressed. First, any true key management platform needs to be able to address the problem that organizations have right now, which means that it must be able to handle asymmetric and symmetric keys. We should be open to new approaches, but being able to tackle the tough problems that organizations face today must be the foundation. That’s really what enterprise key management is all about – it’s being inclusive of the variants that may exist and bringing tools to help manage it all. Solutions in this space need to address existing keys for the foreseeable future.
Second, I think the various discussions going on now about how to link a key repository to an application are all equally valid, because that’s really an area that’s been ignored for too long. It’s similar to the broadband issues of the '90s – it doesn’t matter how good your infrastructure is if you can’t take care of that last mile.
The approach that PGP Corporation took was to first look at how to build the best key management environment, and then design different ways to handle the integration to account for emerging standards. We had a good head start, since we already managed a large number of keys for the PGP application stack, such as our PGP Whole Disk Encryption and PGP Desktop Email products. Using that base, we created general purpose key containers to help manage and tag the keys appropriately for different use cases.
Next, we created various ways to perform application integration through a general purpose agent, an API and an SDK. We thought that made sense, and we needed that in order to handle the different types of integration that our customers needed. In addition, we created an adaptable interface that allows us to add support for various standards as they solidify, allowing us to support different protocols in the future.
At the IEEE Key Management Summit, Landon Noll of Cisco Systems gave an excellent talk about the state of key management, and he has a lot of insightful thoughts about the different problems with application integration. He points out the issues far more eloquently than I can, and it’s definitely worth your time to listen to his talk about when to use a particular approach and its ramifications.
In general, I’m pleased to see the direction in which key management is going, and based on the feedback from our customer base, I think that we made the right decisions on the approaches we took to build PGP Key Management Server. We think that the work that is going on in the key management community will be important for broader adoption of these technologies. I think that we’ve made a lot of progress as an industry as well, because there are a number of issues that we need to work on together to ultimately make encryption products easier to manage.
With all of the progress that’s been made in the last two years, I simply can’t wait to see where the market will be when it’s time for the next IEEE Key Management Summit.
The full archive (with slides and video) for the 2010 IEEE Key Management Summit is available from this link.
To get more technical detail on the PGP Key Management Server, look for the June 15th webcast available on BrightTalk.