An industry standard for managing encryption keys, which commenced in fall 2010, is about to get a makeover and a big new supporter.
The specification is KMIP—Key Management Interoperability Protocol—which is designed as a uniform way for applications and storage devices to create, share, and destroy encryption keys with security management servers. It’s in version 1.2 and has commercial support from most major storage and security companies except EMC and its RSA arm, both now part of Dell Technologies.
But its situation should drastically improve next year.
Versions 1.3, 1.4, and 2.0 are all in progress, explained Tony Cox, chairman of the KMIP committee, which is governed by the Organization for the Advancement of Structured Information Standards, better known as OASIS in the standards world.
Version 1.3 is in final public review, which should be complete later this year or early in 2017, Cox said. It simplifies key registration to cloud services, and that will help with managing mobile devices, he explained. Next up is 1.4, due another 6-8 months later, with tweaks to several existing attributes. A larger change will arrive with 2.0 yet another 6-9 months after 1.4. The 2.0 version is still in development but will probably have precision access control and will see the removal of deprecated features, Cox added.
Precise access control is something that committee members requested on behalf of defense and intelligence industry clients, “three-letter agencies in interesting areas,” Cox explained.
OASIS routinely updates a list of KMIP-compliant products, and the Storage Networking Industry Association (SNIA) has its own list, although both lists have some gaps. “It’s taken a little while for the vendors to get the message. It’s a bit of chicken-and-egg,” Cox said about the standard’s relatively slow adoption and the dance between companies offering a technology and customers asking for it.
Dell’s EMC and RSA divisions both have representatives on the committee, most notably RSA Chief Security Architect Robert Griffin, but they do not yet have products with the standard baked inside. That’s going to change. “KMIP is a very useful standard to interface a product implementing data-at-rest encryption with an existing key management infrastructure already deployed in the customer environment. Dell EMC has implemented data-at-rest encryption across most of its products and based on customer demand, KMIP is on the roadmap for several of Dell EMC’s major products in 2017,” a company spokesperson said.
Meanwhile, Cox, whose Brisbane, Australia-based company Cryptsoft is a major key management provider, also said he envisions KMIP being used beyond its namesake purpose. It could be just as useful for Internet of Things products as for encrypted enterprise applications, he noted.
“That’s the funny thing. My marketing guys hate it when I say this. It’s actually a specification for the management of stuff,” Cox continued. “There is enough functionality and flexibility in the specification to allow it to cater to pretty much anything.”
Cox said he’d like to rebrand the specification to reflect that possibility, but OASIS doesn’t allow technical committees to change their charters without starting over. For now, he lamented, most companies, regardless of their field, use proprietary key management systems to connect with information silos.