Encryption for Data-at-Rest Leveraging OASIS KMIP
As a universally accepted best practice, there is no substitute for encryption of data-at-rest as the last line of defense. For many companies, it’s like having an “easy” button: all data sitting at rest, known or unknown, is encrypted, protected and secure.
Encryption’s value is no longer in question in large enterprises. Rather, the broader challenge they face as they look to manage petabytes of data in complex backup environments is, “How do I overcome the substantial costs and time required to manage my encryption keys?” Other concerns include key storage, key rollover, on-demand key generation, the key database, data access policies, key replication and symmetric-key management.
Enterprises that are serious about protecting the integrity of their data and their clients’ data, and about complying with government regulations, no longer seriously dispute the value of encryption. Rather, they recognize that data encryption is crucial to preserving their company’s value, its reputation, and even its long-term viability.
The Key Management Interoperability Protocol (KMIP) represents a breakthrough from an encryption deployment standpoint. Enterprises can deploy an open source encryption solution that has no dependencies upon existing proprietary key management approaches. Using KMIP, any provider’s encryption methodology that supports KMIP may communicate with a KMIP server to obtain the keys it needs to encrypt data.
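As an added example (not HPE’s or OASIS’s code), here is the wire-level shape of the request just described: a KMIP client asks the key manager for a key by its Unique Identifier, using the spec’s TTLV (Tag, Type, Length, Value) encoding. The key identifier is a constructed value, and the TLS transport and client authentication a real deployment runs this over are left out for brevity.

```python
import struct

# KMIP TTLV item types and the tags a Get request needs (values from the KMIP 1.x spec)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
}
OPERATION_GET = 0x0A  # KMIP Operation enumeration value for Get

def ttlv(tag, itype, value):
    """Encode one TTLV item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if itype == STRUCTURE:
        payload = b"".join(value)            # value is a list of already-encoded child items
    elif itype in (INTEGER, ENUMERATION):
        payload = struct.pack(">I", value)   # 4 bytes on the wire, padded to 8 below
    else:
        payload = value.encode("utf-8")      # TextString
    padding = b"\x00" * (-len(payload) % 8)
    return TAG[tag].to_bytes(3, "big") + bytes([itype]) + struct.pack(">I", len(payload)) + payload + padding

def get_request(key_id):
    """Build a KMIP 1.1 Get request for the key with this Unique Identifier."""
    header = ttlv("RequestHeader", STRUCTURE, [
        ttlv("ProtocolVersion", STRUCTURE, [
            ttlv("ProtocolVersionMajor", INTEGER, 1),
            ttlv("ProtocolVersionMinor", INTEGER, 1)]),
        ttlv("BatchCount", INTEGER, 1)])
    item = ttlv("BatchItem", STRUCTURE, [
        ttlv("Operation", ENUMERATION, OPERATION_GET),
        ttlv("RequestPayload", STRUCTURE, [
            ttlv("UniqueIdentifier", TEXT_STRING, key_id)])])
    return ttlv("RequestMessage", STRUCTURE, [header, item])

def parse(data):
    """Decode TTLV bytes into (tag, type, value) tuples; structures are decoded recursively."""
    items, pos = [], 0
    while pos < len(data):
        tag = int.from_bytes(data[pos:pos + 3], "big")
        itype, length = data[pos + 3], struct.unpack(">I", data[pos + 4:pos + 8])[0]
        raw = data[pos + 8:pos + 8 + length]
        if itype == STRUCTURE: value = parse(raw)
        elif itype in (INTEGER, ENUMERATION): value = struct.unpack(">I", raw)[0]
        else: value = raw.decode("utf-8")
        items.append((tag, itype, value))
        pos += 8 + length + (-length % 8)   # skip the item and its padding
    return items
```

Running `parse(get_request("key-1"))` shows the nested structure a KMIP server walks to find the Operation and the requested identifier; the same encoder covers Create, Locate or ReKey requests by changing the Operation value and payload.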
The KMIP standard effort is governed by the OASIS standards body. OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence, and adoption of open standards for the global information society. The OASIS KMIP Technical Committee works to define a single, comprehensive protocol for communication between encryption systems and a broad range of new and legacy enterprise applications, including email, databases, and storage devices. By removing redundant, incompatible key management processes, KMIP will provide better data security while at the same time reducing expenditures on multiple products.
The big advantage over other encryption key management techniques is that, rather than each encryption vendor needing to provide and manage a proprietary key management solution, KMIP provides the keys that each encryption methodology needs. In this way, enterprises have the flexibility to deploy encryption at whatever layer they need without seeing their costs or complexity rise significantly. HPE Security recommends customers leverage our HPE Enterprise Secure Key Manager (ESKM) with KMIP standardized interoperability for data-at-rest, and our data-centric security solution – HPE SecureData (stateless key management) – for data-in-motion and data-in-use.
Advantages to using KMIP
Here are three important advantages of using KMIP-based encryption.
#1 – An enterprise only needs one key manager. The key manager works across all encryption offerings, which by itself reduces complexity and cost. Users only have to learn one graphical user interface (GUI).
- Our HPE ESKM key management solution addresses exactly this need for a single user GUI.
#2 – Enterprises can deploy encryption at whatever layer they need. By decoupling and centralizing key management, the cost and complexity are far lower than if each layer or application had its own encryption key management.
- Unlike stateless key management, the HPE ESKM appliance vaults keys, which can offer a different set of advantages and provides the last line of defense – encryption for data-at-rest.
#3 – Business processes are unaffected. Because the encryption key is obtained from the same source, processes like backup and replication that leverage deduplication can proceed uninterrupted. Data optimization and movement processes can request the keys they need to safely and securely decrypt and then re-encrypt data.
- Our HPE ESKM solution for symmetric key management automates key replication during key generation, and can accelerate enterprise key management time to value.
Leveraging KMIP interoperability between multi-vendor products reinforces the reality of choice of vendor solutions for CIOs, CSOs and CTOs, enabling products from multiple companies to be deployed as a single enterprise security solution that addresses both their current and future requirements.
Industry standards are important to HPE
For HPE, customer adoption of key management integration using OASIS KMIP further enables encryption to be embedded into more mainstream applications and systems and simplifies interoperability. Industry standards are of the utmost importance to HPE, and today we have one of the most robust partner integration portfolios available in the market. Our HPE Enterprise Secure Key Manager (ESKM) solution supports the FIPS 140-2 and Common Criteria Evaluation Assurance Level (EAL2+) standards. HPE ESKM offers KMIP standardized interoperability and HPE Secure Encryption to enable you to protect, and ensure continuous access to, business-critical, sensitive data-at-rest encryption keys, both locally and remotely.