After decades of operating in the shadows, encryption is now becoming cool for mainstream organizations. And it may soon become easier to manage, too: OASIS, the Organization for the Advancement of Structured Information Standards, is developing a standard for managing symmetric encryption keys.
Over the years, encryption has been notoriously complex and expensive to deploy, making it seem like overkill for everyday business. But regulatory pressures such as the Payment Card Industry (PCI) standard in retail and HIPAA in healthcare -- as well as high-profile data breaches and laptop thefts -- have driven enterprises to give encryption a second look. (See DR Q&A: nCipher's Alex van Someren.)
Symmetric keys are almost everywhere -- in laptops, applications, PDAs, databases, and many other systems. But each vendor has its own proprietary solution for managing the exchange of these keys, which allow you to share sensitive data among these resources.
"There are a number of software products that can do disk encryption and file encryption on laptops. But key management for symmetric keys is buried in their solutions -- if you buy an Oracle database from Oracle and want to transfer data back and forth with a laptop, you have two different encryption and key management schemes: the laptop vendor's and database vendor's solutions," says Arshad Noor, founder and CEO of StrongAuth, and technical committee convener for the newly formed OASIS Enterprise Key Management Infrastructure (EKMI) Technical Committee, which meets for the first time on January 16.
The OASIS key management standard, basically an API, would let you use a single key management solution on both platforms rather than try to manage separate key systems for each product that have different procedures and processes for the keys. This will make it easier to roll out encryption, he says.
"This simple protocol works across OSes, databases, and applications. And now with Intel and AMD coming out with multicore CPUs, compute power will no longer be a drag on encryption."
Noor uses this analogy to explain the OASIS key management standard: "If you had 100 offices around the world and you had some paper data you had to secure, you'd be looking at buying 100 safes for each office," he says. "Imagine how you'd manage the keys you would need to open all of those boxes, and how you would share that information between offices if you couldn't copy the data."
"That's the problem we're trying to solve -- virtualized keys that grant access with the appropriate authentication and protection but without the transport of data between the offices," he says. It basically encrypts the payload and requires a public key infrastructure (PKI) to protect the messages on the network.
The OASIS initiative originated from open-source code Noor wrote and released publicly several months ago. The specification is tentatively called Symmetric Key Services Markup Language (SKSML).
Ken Adler, founder of PCIfile.org and a member of the OASIS committee, says those enterprises already encrypting their data with symmetric key technology are often not rotating or changing their keys regularly (akin to not changing passwords regularly) because it's just too much overhead and labor. "Because of the lack of a symmetric key management system, they use that one key because it's the only way they can deploy [encryption] themselves," says Adler, who is an auditor. But if that key is stolen or compromised, so is all of the data on those systems, he says.
But the PCI standard requires retailers to rotate their keys at least once a year, so this standard would help those businesses, he adds.
Interestingly, crypto pioneers CIA, Defense Department, and the National Security Agency all have expressed an interest in the SKSML working implementation Noor posted on sourceforge.net a few months ago. So far, the effort has received comments from IBM and VeriSign, and Noor has also confirmed that the OASIS standard doesn't conflict with the IETF's work on key provisioning for authentication credentials. ANSI also has a similar standard, but it's just for the banking industry, he says.
Noor says the goal is to get the standard completed by summer of 2007. Then it's up to the application vendors who use symmetric key management to adopt it.
Kelly Jackson Higgins, Senior Editor, Dark Reading