
RSA's Master Key Plans

Lack of simple, centralized management for issuing and revoking keys has been a key obstacle to wider use of encryption

RSA Security is sending its centralized key management software to places it hasn't gone before, such as databases and file systems and, eventually, mobile devices.

Under RSA's new enterprise-wide data protection initiative, the company is signing up partners to integrate its RSA Key Manager software with their encryption products. The first such partner under the new RSA Key Manager Partner Program is Protegrity, which sells database and file-system encryption software.

"Our strategy is for helping companies protect data across the enterprise from its birth to death, or when it's first acquired to its final deletion," says Chris Parkerson, senior product marketing manager for RSA. "And we're partnering with companies who are [strong] in areas where we don't have the expertise."

The lack of simple, centralized key management solutions for issuing, revoking, and managing keys has been a key obstacle to the widespread adoption of encryption in the enterprise. RSA and other encryption software companies have traditionally been part of the problem, offering encryption solutions specific to particular applications or platforms, for instance.

"We've taken a piecemeal attitude about encryption: data on that storage device there, this database here. When you start to share that data, it becomes extremely complex and difficult to make sure the data is encrypted at all stages," says Paul Stamp, senior analyst for Forrester Research. "The risk is not being able to recover data in the event a key is lost. If you don't know what's encrypted and where, it will be hard to get hold of the key" for legal discovery or regulatory audits.

And regulatory pressures, of course, are driving many encryption initiatives these days. RSA says its initial targets for its enterprise data protection initiative are the retail and hospitality industries, which are under pressure to comply with Payment Card Industry (PCI) standards. Aside from providing centralized key management for encrypted data at rest, RSA is also looking to sign partners in the mobility space, namely laptop and mobile-device encryption, as well as point-of-sale, Parkerson says. Nothing's official there yet, but RSA hopes to name partners by year-end.

"To make an enterprise data protection solution work, you need to centrally manage all keys, identities, associated credentials, and access policies," RSA's Parkerson says. "We're making that easier." RSA and Protegrity are building APIs to integrate their products so organizations that run Protegrity's Defiance DPS database encryption product and VPDisk, its file system encryption package, will be able to manage encryption keys with RSA Key Manager. The integrated versions of Defiance DPS and VPDisk will be available later this year.

"One of the obstacles to organizations adopting a culture of security is not having a common way to manage keys," across the enterprise, says Paul Giardina, senior vice president of marketing for Protegrity.

Joseph Foran at FSW can relate to that. "Not having a centralized key management system has been a huge problem for us," says Foran, director of information technology for FSW, a Bridgeport, Conn.-based healthcare and social services nonprofit, which uses RSA SecurID systems for communicating with state agencies.

FSW, which operates under HIPAA regulations, is currently considering adopting key management for its deaf services program, where interpreters would need to be authenticated and authorized to access personal information on nonprofit clients. "We don't have a real central management option for the keys themselves... we can manage the token cards, but not the keys. That's been a gray area," Foran says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
