
IBM Centralizes Management of Encryption Keys Via KMIP

Encrypt extensively—but think through carefully how to do it

Tivoli Beat - A weekly IBM service management perspective.

As enterprise IT strives to improve security, one of the most important and versatile technologies available is strong encryption.

Through encryption, IT can ensure that data is protected from prying eyes wherever in the infrastructure it may exist—from backup tapes to disk arrays to end-user laptops. Even in the event an asset leaves the organization physically—a failing hard drive, for instance—the fact that data has been encrypted on that drive will certainly help protect the organization from any potential security breach.

Encryption, however, requires a certain amount of careful consideration if it's going to be implemented optimally. What if encryption keys are lost? In this unfortunate circumstance, the data they encrypt may be lost as well. Encryption is also a relatively computationally-intensive task; if responsibility for it is not offloaded from production servers, service levels could drop.

The question of whether encryption-driven security measures up to the stringent terms of government regulations must also be asked and answered. And while specific solutions may include their own proprietary forms of encryption key management, that approach implies more complexity as well.

Today, however, organizations are often reluctant to multiply management complexity any more than is necessary. They seek, instead, a more elegant, unified design.

IBM Tivoli Key Lifecycle Manager 2 supports both IBM and non-IBM solutions via KMIP

For these reasons, IBM has led the IT industry in developing and promoting an exciting new security standard: Key Management Interoperability Protocol (KMIP). KMIP represents a fundamentally new approach—an open standard designed to support the full lifecycle of key management tasks from key creation to key retirement.

Goodbye, proprietary complexity. Given KMIP-compatible tools, organizations will be able to manage their many encryption keys from a single point of control—improving security, simplifying complexity and achieving regulation compliance more quickly and easily. That's a huge improvement over the current approach of using many different encryption key management tools for many different business purposes and IT assets.

Of course, obtaining that central point of control will require more than just an open standard. It will also require a dedicated management solution designed to capitalize on it. In that area, IBM delivers as well via IBM Tivoli Key Lifecycle Manager (TKLM) version 2.

This simple, robust solution gives organizations the power to manage keys centrally, at every stage of those keys' lifecycles. In addition to key management, TKLM serves keys transparently to encrypting devices, which further adds to its simplicity. Furthermore, it's exceptionally easy to install and configure, requiring only an afternoon. And because it demands no changes to applications and servers, it's a seamless fit for virtually any IT infrastructure.

The industry support for KMIP is large—and growing fast

Thanks to its support for KMIP, TKLM 2 now delivers dramatically more business value than ever before.

While earlier versions supported key management functions for a variety of IBM tape drives and disk arrays, the new version supports them for a broad range of non-IBM solutions as well, as offered by IBM partners including Emulex, Brocade and Thales.

And that list of partners is only going to get bigger and bigger. There are in fact already nearly thirty companies participating in the OASIS KMIP technical committee, including Cisco, EMC, Hewlett-Packard, Oracle, Red Hat and many others. In the future, as KMIP is inevitably integrated into relevant solutions, TKLM 2 will support key management for them as well—actually increasing its value proposition over time. TKLM 2 should thus ultimately be able to support the complete range of encryption key management functions for all necessary IT assets and data repositories—enterprise-wide coverage, all via its intuitive interface and a lightweight architecture.

New role-based management means organizations can tailor TKLM for a perfect fit

And in TKLM 2, there are a number of other exciting features that complement its KMIP support. One of the most striking from an IT manager's standpoint, for instance, is role-based access control. This gives managers exceptional flexibility and power in using TKLM to accomplish necessary tasks, because multiple administrators can be defined, each with different permissions corresponding to job roles and responsibilities.

More specifically, fifteen different permission clusters can be grouped into different roles; for the customer's convenience, IBM is also including a set of default roles (these can be modified to suit local requirements). When assigned to these roles, IT team members are empowered to use TKLM in a secure and natural fashion that reflects the contexts of their jobs.

Similarly improved granularity is evident in the solution's newly improved device management features. Different devices can be grouped into logical categories; devices and groups of devices can also be assigned different administrators with different job roles. It is also possible to define permissions correlating devices and encryption keys (though by default, devices can only access their own keys or the keys associated with their own groups).
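As an added illustration (not IBM's code; the permission cluster names, group names and key ids are constructed), the following Python models the two access rules described in the last two paragraphs: administrator roles built from permission clusters and scoped to device groups, and the default-deny rule under which a device may use only its own keys or its group's keys unless a device-to-key permission is explicitly defined.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Key:
    key_id: str
    owner_device: Optional[str] = None  # key served to exactly one device
    owner_group: Optional[str] = None   # or shared by a whole device group

@dataclass
class KeyServer:
    # role name -> permission clusters (cluster names are constructed, not TKLM's own list)
    roles: Dict[str, Set[str]] = field(default_factory=dict)
    # admin -> (role, device groups that admin is allowed to manage)
    admins: Dict[str, Tuple[str, Set[str]]] = field(default_factory=dict)
    device_group: Dict[str, str] = field(default_factory=dict)  # device -> group
    keys: Dict[str, Key] = field(default_factory=dict)
    grants: Set[Tuple[str, str]] = field(default_factory=set)   # explicit (device, key_id)

    def can_device_use_key(self, device: str, key_id: str) -> bool:
        """Default-deny check run on every key request from an encrypting device."""
        key = self.keys.get(key_id)
        if key is None or device not in self.device_group:
            return False                       # unknown key or unregistered device
        if (device, key_id) in self.grants:
            return True                        # explicitly defined device/key permission
        if key.owner_device == device:
            return True                        # the device's own key
        return key.owner_group is not None and key.owner_group == self.device_group[device]

    def admin_may(self, admin: str, cluster: str, group: str) -> bool:
        """An administrator acts only with a cluster in their role AND on a group they manage."""
        role, groups = self.admins.get(admin, ("", set()))
        return cluster in self.roles.get(role, set()) and group in groups

def build_demo() -> KeyServer:
    """Constructed sample: a production tape group, a test disk group, one cross-group grant."""
    s = KeyServer()
    s.roles["key_operator"] = {"create_key", "serve_key"}   # a default role
    s.roles["auditor"] = {"view_key", "view_device"}
    s.roles["auditor"].add("view_audit_log")                 # default roles can be modified locally
    s.admins["alice"] = ("key_operator", {"prod-tape"})
    s.admins["bob"] = ("auditor", {"prod-tape", "test-disk"})
    s.device_group.update({"tape01": "prod-tape", "tape02": "prod-tape", "disk01": "test-disk"})
    s.keys["k-prod"] = Key("k-prod", owner_group="prod-tape")
    s.keys["k-tape01"] = Key("k-tape01", owner_device="tape01")
    s.keys["k-test"] = Key("k-test", owner_group="test-disk")
    s.grants.add(("disk01", "k-tape01"))   # explicit permission crossing a group boundary
    return s
```

Every path that is not an explicit grant, the device's own key or its group's key returns False, which is the default-deny behaviour the text describes.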

Business benefits as diverse as the technical strengths

Together, these new features translate directly into a number of impressive new business benefits for organizations using TKLM 2.

Consider, for instance, how naturally duties can be separated among IT staff. Through tailored role-based management, each team member can take full advantage of the power and security of TKLM to lock down appropriate data or assets, yet in a manner that introduces few or no new security or management complexities.

Agility in fulfilling new business strategies or deploying new services is also improved. TKLM 2 makes it easy to separate non-production environments from production environments by creating different administration and device groups for each. And once the service is up and running, key management is addressed in a far more streamlined, accelerated fashion than before. Instead of the IT team having to lock down all the relevant assets for a new service on a case-by-case basis, via the proprietary tools that came with those assets, a single centralized solution is used for a faster and more complete response. This helps the organization bring the service to customers more rapidly, for a more competitive business posture.

For advanced architectures in which a shared IT infrastructure is used by multiple tenants—such as a public cloud—essentially the same arguments apply. TKLM 2, in this scenario, is helping to lock the cloud's resources down in such a way that each tenant can only access the resources determined by its logical privileges.

For clients, that means they're getting the robust security they need to leverage the cloud for essential business functions. And for the host organization that owns the cloud, it means not just simpler management and superior security for every service in the cloud, but improved customer satisfaction as well—and the improved business bottom line that will likely follow as a result.
