nCipher Brings Key Management Software to i5/OS
March 6, 2007 Alex Woodie
nCipher, an English provider of encryption solutions, last week announced that its encryption key management software, called keyAuthority, now supports the i5/OS server. The new capability is the result of collaboration with i5/OS encryption expert Patrick Townsend & Associates, and the primary benefit is allowing System i shops to manage and maintain cryptography keys for local and remote i5/OS servers in the same place that keys for other platforms are managed.
In the olden days, electronic encryption was primarily the residence of banks and government organizations that required a high degree of data security, says Richard Mould, nCipher’s vice president of marketing. These organizations had large IT staffs, and they learned how to adapt their manual processes necessary to maintain a large number of encryption keys within a secure framework.
Today, that profile of the typical encryption user is changing, thanks to new legislation such as HIPAA and the Payment Card Industry (PCI) data security standard. According to Moulds, PCI is posing huge challenges to companies in the retail sector. “These organizations just don’t have the bench strength and experience dealing with the technology,” as banks and government institutions do, he says.
Also driving the need for tools that automate the handling of encryption keys is the changing nature of security, Moulds says. “What’s happening now, rather than making sure if any particular device is secure, it’s making sure the data is secure, because data moves around,” he says. “If data moves around, the key that encrypts it on an AS/400, may need to show up on a Windows box thousand of miles way. The key has to move with the data, so key management isn’t a function of a particular platform–it’s an uberapp, a mothership to look down across platforms. That’s the layer that we provide for Pat Townsend.”
Technically, the changes that bring together Pat Townsend’s i5/OS encryption products, called Alliance, with keyAuthority, were made by Pat Townsend. “We have a key management protocol,” Moulds says. “Pat has supported that with his product. So the keys used with his encryption software, we can mange remotely.”
The partners are targeting Pat Townsend customers and other companies facing PCI mandates in the retail sector, an iSeries industry stronghold. In some retail sectors, such as fast food, chains don’t deploy any IT professionals to individual stores, making remote key management from regional or corporate headquarters a high priority.
KeyAuthority is a relatively new product in nCipher’s arsenal. Most of the publicly traded company’s revenue stems from its cryptographic hardware, called Hardware Security Modules. These FIPS-certified devices offload processor-intensive encryption workloads from primary servers, and also provide another layer of security around encryption keys, which are useless if handled carelessly.
The problem with keys is they’re natural numbers, meaning they have a natural fingerprint, Moulds says. “These days you don’t try to break encryption by reverse engineering. You don’t try to crack the algorithm. With AES, technically it’s not feasible to crack the algorithm itself. You try to get to the key,” he says. “Finding keys in a software-based system is not difficult. We get around it by utilizing tamper-resistant HSMs.”
In addition to performing encryption workloads, these HSMs store the encryption keys. They’re essentially epoxy resin-coated “lockboxes that applications go to get the keys,” Moulds says. The HSMs feature PowerPC chips running a proprietary operating system with a “very tight API.” They’re available in two form factors: a smaller, single-server device that plugs into a PCI bus, and a larger network appliance that works with multiple servers.
In an iSeries environment, organizations would likely rely on Pat Townsend’s software to store and process keys on the iSeries. The HSMs don’t currently work with the iSeries, although that feature should be available soon, according to Moulds. The HSMs are important for employing encryption on other platforms, however.
An organization typically won’t manage all encryption keys with keyAuthority. Users may choose to store keys for less sensitive applications, such as encryption for e-mail, directly on the end-point that is doing the encryption, Moulds say. But for the most critical and sensitive applications, large organizations rely on keyAuthority for managing and maintaining them, such as monthly key replacement schedule.
Getting access to the goods within keyAuthority is no simple task. While the product runs on Windows 2000 Server and Windows Server 2003, which Moulds admits are not the most secure operating systems on the planet, nCipher has bolstered security through strong authentication utilizing smart cards and other security tools. The product can also be set up to require, say, three of five managers to log in before keys can be accessed or changed, “just like it takes two generals to fire a nuclear missile,” Moulds says. “In addition to being a security management product, the system itself has to be secure.”
Another benefit of implementing an encryption key management product like keyAuthority is that it’s easier to achieve separation of duty, an important element of the Sarbanes-Oxley Act. “If you’re going to encrypt a database, you don’t really want the DBA doing that. He’s the super user,” Moulds says. “One of the nice things about encryption from a security perspective is that encryption creates the capability to separate duty.”
The integration between Pat Townsend’s Alliance software and nCipher’s keyAuthority software is available now. Pricing for keyAuthority starts at about $30,000. The PCI-based HSM starts at about $4,000, while the network-based HSM starts at about $20,000. For more information, visit www.ncipher.com.