Risk
6/25/2008
07:30 PM
50%
50%

Tech Road Map: EKMI

Oasis' open Enterprise Key Management Infrastructure initiative promises less-complex encryption. But will vendors get on board?

STRENGTH IN COMPLEXITY
There are, of course, obstacles that must still be overcome by EKMI proponents. For example, the proposed components are somewhat simple by design, which concerns some encryption purists who prefer more complex protocols, on the logic that they're more difficult to break into.

In addition, enterprises deploying an extremely sensitive system of this type that houses the keys to the kingdom will need to pay great attention to detail when hardening platforms and operating systems, a step strongly recommended by the Oasis technical committee. Failover and redundancy must also be considered during deployment to ensure availability.

Assigning these functions to an open set of protocols is asking for quite a big change in both technology and mind-set.

Then there are the problems associated with any open standard. Although published and commented on, some of the technological specifications that have been in use since the inception of the Internet aren't always implemented in, shall we say, strict adherence to their original guidelines. Integrating EKMI into the required clients for encryption of applications, endpoints, backup systems, and so on will require the cooperation of major application vendors. These entities--some of them fierce competitors--historically haven't been the most collaborative of groups. Not surprisingly, as of press time, there have been no large-scale public endorsements of EKMI, though Oracle is a member of Oasis.

THE LOWDOWN
THE PROMISE
The Enterprise Key Management Infrastructure initiative is intended to improve information security through more effective deployment and management of enterprise encryption. Automating the interaction between encryption clients and a key management system may lead to reduced administrative overhead, a more attractive total cost of ownership for encryption, and softening of some of the concerns around encryption technologies.

THE PLAYERS
EKMI is being driven by Oasis, and a diverse group of well-respected names in security and top-tier organizations is represented on the technical committee--for example, Red Hat, Wells Fargo, and the U.S. Department of Defense. The project would likely benefit from a more public endorsement from major encryption vendors, including Entrust and VeriSign.

THE PROSPECTS
The overall objective is consolidation of key management functions through open standards, combined with the use of APIs and a standard markup language. The drafts should be fully reviewed and published in final form within the next year. Implementation will not be a short-term project, and EKMI is not suited to every environment. Larger encryption infrastructure deployments will benefit the most.
This reticence could create a delay in full implementation of EKMI, but we don't see it bringing the entire effort to a halt. The overall concept and design of EKMI are sound, and the open nature of the protocols is very appealing to those who manage the behind-the-scenes aspects of security countermeasures. As a standard, it could be of significant value when combined with the appropriate systems. The Oasis technical committee consists of a variety of individuals and organizations with impressive backgrounds in encryption and information protection, including the committee chair, Arshad Noor of StrongAuth. The diversity of the membership, ranging from software development companies to financial institutions and large government agencies, reflects the current push to adopt encryption for protecting valuable information.

Also working in EKMI's favor are recently publicized breaches and the trend for more statutory controls on the privacy of personal information, both of which are driving organizations to apply stronger data protection. We must now assume that all perimeter defenses are vulnerable, if not because of flawed technologies, then by way of the redefinition of the perimeter: The simple model of "inside, outside, and DMZ" is no longer viable as partner connectivity grows and customer-level access is increased.

Encryption represents a final level of protection. Even if data is lost or stolen, it's of no value to the holder without the decryption key. EKMI is a valuable component in the operational and management aspects of encryption, and organizations with complex encryption requirements ought to start putting pressure on their application and security vendors to support the initiative.

For now, we recommend following updates on the Oasis Web site or, if possible, joining the organization to provide input. As you purchase new security systems, those with less-proprietary interfaces will best lay the groundwork for EKMI.

David Brown is a managing consultant, security solutions, at Forsythe and has more than 20 years of experience in information security and related IT fields. Write to him at dbrown@forsythe.com.

Photo by Jupiterimages

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7437
Published: 2015-03-29
Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.

CVE-2013-7438
Published: 2015-03-29
Multiple buffer overflows in pbm212030 allow remote attackers to cause a denial of service (crash) or possible execute arbitrary code via a crafted PBM image, related to (1) stream line data, which triggers a heap-based buffer overflow, or (2) vectors related to an "internal intermediate heap-based ...

CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.