Townsend Adopts KMIP for License Key Interoperability
March 5, 2013 Alex Woodie
Townsend Security is close to shipping a new version of Alliance Key Manager that includes support for Key Management Interoperability Protocol (KMIP), a new standard designed to provide a single method for accessing and managing encryption keys. KMIP support is important for building uniformity into encryption routines. But its usefulness in IBM i environments is limited at this point.
KMIP was first thought up several years ago by a group of security software vendors to provide a standard interface for connecting the encryption key management and generation programs with the encryption routines that consume encryption keys in critical business systems. The standard was deemed necessary due to the proprietary interfaces that various vendors had created to manage the keys. Organizations feared that their adoption of these proprietary interfaces would hinder their ability to switch key management vendors, thereby increasing vendor lock-in.
Townsend Security is one of the vendors utilizing proprietary communication protocols with Alliance Key Manager, its encryption key management system that was first unveiled in December 2008. Deployed as a hardened appliance, Alliance Key Manager provides a secure central repository for creating, managing, importing, exporting, and destroying symmetric encryption keys that organizations use in all major platforms, including IBM i.
Patrick Townsend, CEO of the Olympia, Washington, company, is all in favor of KMIP. “The industry as a whole needed standards around key retrieval. There’s just no question about that,” he tells IT Jungle. “You had a small number of vendors all with proprietary interfaces, and I think customers suffered a bit of pain around vendor lockin because there were no standards.”
While Townsend designed its software in a way that implements key management the proper way, not all vendors have done so, which helps make the case for KMIP, Townsend says. “It will help for a number of reasons,” he says. “It will simplify integration with key management systems. The obvious benefit is there will be more applications that do key management properly. That means that our applications will get more secure over time.”
However, don’t expect IBM i shops to benefit from KMIP any time soon. That’s because many of the places where IBM i shops want to utilize encryption–in the DB2 for i database and LTO tape drives–do not recognize KMIP at this time. A similar issue is faced when accessing keys in Microsoft SQL Server and other enterprise Windows applications.
Townsend explains: “If you look at field proc, which is new in IBM i 7.1, the folks up in Rochester started working on field proc before the KMIP committee was even formed. But that’s not a KMIP standard. There’s nothing within field proc that supports the KMIP standard for encryption key retrieval and encryption. There’s a published API by IBM for field proc. But it does not incorporate and does not use KMIP.”
Likewise, LTO drives also do not recognize KMIP, and use a separate mechanism for accessing encryption keys when a user encrypts his data using the encryption algorithms built into the LTO drives. Townsend points out that IBM was a founding member of both the LTO group and the KMIP committee at IT standards group OASIS; LTO co-founders Hewlett-Packard and the tape division of Seagate (spun out as Certance and now part of Quantum) also were founders of KMIP. And yet even LTO 6, the latest specification of the Linear Tape-Open standard, doesn’t support KMIP.
“So we’re still early phase in KMIP adoption,” Townsend continues. “In these cases, we’re creating key retrieval solutions based on a particular vendor’s interface, and in many cases, that’s not KMIP today. The standard is relatively new. Version 1.1 is adopted and that’s what we’ll support in our release. But still the community of our vendors who are working with the standard, are still developing it. In fact, there is already a draft update to the standard. So this is an ongoing process.”
Townsend Security today sits on the KMIP committee at OASIS, and will assist in helping to drive the standard forward to support additional functionality. Townsend identified several areas that the KMIP committee is looking at in the areas of onboard encryption and decryption, hashing, and digital signatures. “It will take some time–who knows how many years–before the industry as a whole adopts KMIP interfaces in their technology. That needs to happen before enterprise customers really benefit from it.”
KMIP support will be included in Alliance Key Manager version 3.0, which Townsend expects to ship in about 30 days. For more information, see www.townsendsecurity.com.