Thales Key Manager Lowers Barriers to Encryption
June 30, 2009 Alex Woodie
Thales next month will begin delivery of Thales Encryption Manager for Storage (TEMS), a new appliance-based key management offering designed to lower the barriers to encryption by making it easier for organizations to safeguard their encryption keys. By using key management standards, like the new Key Management Interoperability Protocol (KMIP) unveiled earlier this year, TEMS will eliminate the need for organizations to use multiple key management systems for different applications and platforms, the vendor says.
With the tide of data breaches and identity theft around the world continuing to rise, IT shops everywhere are looking to encryption as a way to safeguard their valuable data. Unfortunately, while industry mandates are pushing organizations to employ data encryption, the security practice is not as widespread as it could be, due to the real and perceived difficulties associated with managing the keys that encrypt and decrypt the data, experts say.
The problem is exacerbated by the variety of encryption applications currently in use. Many storage vendors offer encryption as an embedded component of their disk arrays, which makes it relatively easy to get started with encryption. When users want to encrypt or decrypt data, they go to the management interface, enter their specific key, and voila: the data is safe and accessible.
However, the lack of an externally defined key management interface introduces risk, especially when an organization has to juggle multiple and incompatible key management interfaces. If an organization loses the keys to just one of these encryption solutions, it has effectively lost the data it was trying to protect. That’s a scary proposition to any organization, and a real obstacle to the widespread use of encryption.
But it’s not an insurmountable problem. Today, several groups of security experts and IT vendors are addressing the dilemma by proposing and developing a series of standards for the handling and management of encryption keys. Instead of requiring each embedded or stand-alone encryption application to have its own key management interface, the thinking goes, the applications would just support a standard protocol or specification, and basically outsource the key management function to an application or device that’s dedicated to that task.
This is the thrust behind KMIP, a new encryption key management standard that was proposed by a group of vendors in February. KMIP is designed to provide a single, comprehensive protocol for communication between enterprise key management services and encryption systems. In addition to Thales, other backers of the KMIP effort include Hewlett-Packard, IBM, RSA Security, Brocade, LSI, and Seagate.
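To make the “one protocol for every encryption system” idea concrete, here is an added illustration (not code from the article, from Thales, or from the OASIS KMIP project) of what a KMIP request looks like on the wire. KMIP encodes every message as nested TTLV items (3-byte Tag, 1-byte Type, 4-byte Length, Value padded to 8 bytes); the tag, type and operation constants below are taken from the KMIP 1.0 specification as I recall it and should be checked against the published spec, and the key identifier `key-0001` is a constructed sample value. Any storage array, tape library or switch that can emit this Get request can fetch its key from a central key manager instead of carrying its own key-management interface.

```python
"""Minimal KMIP 1.0 TTLV encoder/decoder for a Get request.

Added illustration, not vendor or OASIS code. Tag, item-type and
Operation constants are as given in the KMIP 1.0 specification
(assumed accurate from memory; verify against the spec before use).
"""
import struct

# Item types (KMIP 1.0 TTLV encoding)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

# Tags used by a Get request (KMIP 1.0 tag table)
TAG = {
    "RequestMessage": 0x420078,
    "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069,
    "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B,
    "BatchCount": 0x42000D,
    "BatchItem": 0x42000F,
    "Operation": 0x42005C,
    "RequestPayload": 0x420079,
    "UniqueIdentifier": 0x420094,
}
OPERATION_GET = 0x0000000A  # Operation enumeration value for "Get"


def _pad(value: bytes) -> bytes:
    """Pad the value field to a multiple of 8 bytes, as TTLV requires."""
    return value + b"\x00" * (-len(value) % 8)


def ttlv(tag: int, item_type: int, value) -> bytes:
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, padded value.

    The length field counts the unpadded value; for a Structure the value
    is the concatenation of its (already padded) child items.
    """
    if item_type == STRUCTURE:
        raw = b"".join(value)
    elif item_type == INTEGER:
        raw = struct.pack(">i", value)   # signed 32-bit, padded to 8 bytes
    elif item_type == ENUMERATION:
        raw = struct.pack(">I", value)   # unsigned 32-bit, padded to 8 bytes
    elif item_type == TEXT_STRING:
        raw = value.encode("utf-8")
    else:
        raise ValueError("unsupported item type %#x" % item_type)
    return (tag.to_bytes(3, "big") + bytes([item_type])
            + struct.pack(">I", len(raw)) + _pad(raw))


def build_get_request(key_id: str) -> bytes:
    """Build a KMIP 1.0 Get request for the managed object named key_id."""
    header = ttlv(TAG["RequestHeader"], STRUCTURE, [
        ttlv(TAG["ProtocolVersion"], STRUCTURE, [
            ttlv(TAG["ProtocolVersionMajor"], INTEGER, 1),
            ttlv(TAG["ProtocolVersionMinor"], INTEGER, 0),
        ]),
        ttlv(TAG["BatchCount"], INTEGER, 1),
    ])
    item = ttlv(TAG["BatchItem"], STRUCTURE, [
        ttlv(TAG["Operation"], ENUMERATION, OPERATION_GET),
        ttlv(TAG["RequestPayload"], STRUCTURE, [
            ttlv(TAG["UniqueIdentifier"], TEXT_STRING, key_id),
        ]),
    ])
    return ttlv(TAG["RequestMessage"], STRUCTURE, [header, item])


def parse(buf: bytes, offset: int = 0, end: int = None) -> list:
    """Decode TTLV items into (tag, type, value) tuples; Structures nest as lists.

    Rejects truncated input rather than reading past the buffer, which is the
    check a key-manager front end needs before trusting any field.
    """
    end = len(buf) if end is None else end
    items = []
    while offset < end:
        if offset + 8 > end:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(buf[offset:offset + 3], "big")
        item_type = buf[offset + 3]
        length = struct.unpack(">I", buf[offset + 4:offset + 8])[0]
        start = offset + 8
        if start + length > end:
            raise ValueError("TTLV length exceeds message")
        raw = buf[start:start + length]
        if item_type == STRUCTURE:
            value = parse(buf, start, start + length)
        elif item_type == INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif item_type == ENUMERATION:
            value = struct.unpack(">I", raw)[0]
        elif item_type == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw
        items.append((tag, item_type, value))
        offset = start + length + (-length % 8)   # skip the padding
    return items


if __name__ == "__main__":
    msg = build_get_request("key-0001")          # constructed sample key id
    print(len(msg), "bytes:", msg.hex())
    print(parse(msg))
```

The decoder is deliberately strict about lengths: a key manager sits in the trust path of every encrypting device, so its parser must reject malformed TTLV rather than guess, and the same TTLV rules apply to the response carrying the key material back.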
KMIP is one of the protocols that Thales’ new TEMS offering will support. (It won’t, however, offer KMIP support with the first release of the appliance in July.) Another protocol that TEMS will support is IEEE P1619, a specification by the Institute of Electrical and Electronics Engineers for the encryption of stored data. When it ships next month, TEMS will become the first key management solution with IEEE P1619 support, and it will support the final IEEE P1619 specification when it is released, which is expected to occur early next year.
Because KMIP and IEEE P1619 are so new, they’re not in widespread use. Storage vendors haven’t had a chance to embed support for these protocols into their encryption applications yet. But this shouldn’t slow organizations’ march to standardize their key management tasks, Thales says. To that end, TEMS will also support certain proprietary key management interfaces from storage vendors, thereby allowing customers to get started on the consolidation of encryption key management tasks immediately.
TEMS is platform neutral, according to Thales’ director of product marketing, Kevin Bocek. “TEMS could be used with a storage encryption application that either runs on or handles data from an IBM System i or any other platform,” Bocek writes in an e-mail. “Storage encryption is increasingly being embedded in storage systems, so the host is not directly performing the encryption. For example, you might use a Fibre Channel switch to encrypt data from/to a System i server headed to/from a storage array or tape drive. TEMS would manage the encryption used with the Fibre Channel switch.”
Franck Greverie, Thales vice president and managing director for the firm’s information systems security activities, says TEMS should be considered by any organization that has adopted low-cost and easy-to-use encryption offerings. “The Encryption Manager for Storage [TEMS] is the perfect complement to these systems, providing a single key management infrastructure for the storage environment to ensure that encryption keys are always available, when and where they are needed.”
Thales Group is a €12.7 billion French conglomerate in the aerospace, space, defense, security, and transportation industries. The company acquired U.K.-based nCipher in July 2008 for about $100 million, primarily for its hardware-based encryption offerings, which it added to its information systems security division.
TEMS will be available next month with a starting price of $35,000. For more information, see Thales’ information systems security Web site at iss.thalesgroup.com.