Tech Road Map: EKMI
Oasis' open Enterprise Key Management Infrastructure initiative promises less-complex encryption. But will vendors get on board?
June 25, 2008
Information security pros do put stock in encryption--it was named the third-most-effective security practice in our most recent Strategic Security Survey, behind only firewalls and antivirus products. However, there have been obstacles along the path to ubiquitous encryption of data, including weak ciphers, deployment and integration issues, and, perhaps most notably, key management.
Public key infrastructure, or PKI, systems alone have simply failed to address the challenge of keeping encryption keys in order. Enter the Enterprise Key Management Infrastructure initiative, a promising program spearheaded by the Oasis consortium, with organizations including CA, Red Hat, the U.S. Department of Defense, and Wells Fargo represented on the technical committee.
The objective with EKMI is to create open standards for the interaction of various platforms, applications, and technologies that would benefit from the security of symmetric encryption with a central key management system, referred to as the Symmetric Key Management System, or SKMS. Combine SKMS with PKI--for strong authentication, message integrity, and key encryption; client software that includes an API designed to interact with Java-based applications, such as Web apps or middleware systems; and an XML-based protocol for communication between client and server--and EKMI becomes a single platform for managing what has, to this point, been a morass of cryptographic key management functions.
The EKMI design has been compared with that of a DNS or DHCP system, with a few similarities to LDAP--essentially, a client requests information from a central server that communicates with multiple back-end systems where keys are created or stored. In the EKMI model, the client application asks for a symmetric key through a digitally signed request; the key server verifies the client request, then encrypts, digitally signs, and escrows the key in a database. The back-end PKI system steps in to provide security for RSA signing and encryption keys. The EKMI server then responds to the client with a signed and encrypted symmetric key. The client interface verifies the response, decrypts the key, and hands it to the client application.
Clearly, EKMI is not a replacement for PKI but an enhancement to the interface between the key-generation process and those systems and applications that require access to keys.
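The request/response flow described above, written out as an added example. This is not code from the article, from Oasis, or from any EKMI implementation, and it is in Go rather than the Java client API the article mentions. It assumes RSA-PSS for the digital signatures and RSA-OAEP for encrypting the symmetric key (the article names RSA but not the padding modes), JSON in place of the EKMI XML protocol, a map of registered client public keys standing in for PKI certificate validation, an in-memory map standing in for the escrow database, and the constructed names `payroll-app` and `db-column` for the client and key class. The server signs and escrows before it answers, the client checks the server signature and its own nonce before it trusts the key, and a request with one flipped byte is refused.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Msg is both bodies: a request sets ClientID, KeyClass, Nonce; the reply echoes Nonce and adds KeyID, WrappedKey.
type Msg struct {
	ClientID, KeyClass, KeyID string
	Nonce, WrappedKey         []byte
}

// Signed is the JSON encoding of a Msg plus an RSA-PSS signature over it.
type Signed struct{ Payload, Sig []byte }

func sign(priv *rsa.PrivateKey, m Msg) (Signed, error) {
	payload, _ := json.Marshal(m)
	h := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	return Signed{payload, sig}, err
}
func verify(pub *rsa.PublicKey, s Signed) error {
	h := sha256.Sum256(s.Payload)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], s.Sig, nil)
}

// KeyServer: its RSA key signs replies and wraps escrow copies; the client registry stands in for PKI validation.
type KeyServer struct {
	key     *rsa.PrivateKey
	clients map[string]*rsa.PublicKey
	escrow  map[string][]byte // in-memory stand-in for the escrow database
}

// Handle verifies the signed request, mints an AES-256 key, escrows a copy wrapped under the server
// key, and returns the key wrapped for the client in a signed reply. Each OAEP wrap uses the key ID as its label.
func (s *KeyServer) Handle(req Signed) (Signed, error) {
	var m Msg
	json.Unmarshal(req.Payload, &m) // decoded only to find the claimed client; nothing is trusted yet
	pub, ok := s.clients[m.ClientID]
	if !ok || verify(pub, req) != nil { // unknown client or bad signature: fail closed
		return Signed{}, errors.New("request rejected")
	}
	key := make([]byte, 32)
	rand.Read(key)
	id := fmt.Sprintf("%s/%s/%d", m.ClientID, m.KeyClass, len(s.escrow)+1) // sequential ID for this sketch
	esc, e1 := rsa.EncryptOAEP(sha256.New(), rand.Reader, &s.key.PublicKey, key, []byte(id))
	enc, e2 := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(id))
	if e1 != nil || e2 != nil {
		return Signed{}, errors.New("key wrap failed")
	}
	s.escrow[id] = esc
	return sign(s.key, Msg{KeyID: id, Nonce: m.Nonce, WrappedKey: enc})
}

// Fetch is the client library: sign a request, check the reply's signature and nonce, unwrap the key (XML over the network in a deployment).
func Fetch(s *KeyServer, clientID, keyClass string, priv *rsa.PrivateKey) (string, []byte, error) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	req, serr := sign(priv, Msg{ClientID: clientID, KeyClass: keyClass, Nonce: nonce})
	resp, herr := s.Handle(req)
	var m Msg
	if serr != nil || herr != nil || verify(&s.key.PublicKey, resp) != nil ||
		json.Unmarshal(resp.Payload, &m) != nil || string(m.Nonce) != string(nonce) {
		return "", nil, errors.New("exchange failed: signing, server, reply signature or nonce check")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.WrappedKey, []byte(m.KeyID))
	return m.KeyID, key, err
}

// RunExchange: one provisioning round trip, a recovery from escrow, and a tampered request.
func RunExchange() (clientKey, escrowKey []byte, tamperRejected bool, err error) {
	sk, e1 := rsa.GenerateKey(rand.Reader, 2048) // SKMS server key pair
	ck, e2 := rsa.GenerateKey(rand.Reader, 2048) // client key pair, as a PKI would issue
	if e1 != nil || e2 != nil {
		return nil, nil, false, errors.New("key generation failed")
	}
	srv := &KeyServer{key: sk, clients: map[string]*rsa.PublicKey{"payroll-app": &ck.PublicKey}, escrow: map[string][]byte{}}
	id, clientKey, err := Fetch(srv, "payroll-app", "db-column", ck)
	if err == nil { // recovery path: unwrap the escrowed copy with the server key
		escrowKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, sk, srv.escrow[id], []byte(id))
	}
	// Flip one byte of a properly signed request: the server must refuse to issue a key.
	bad, _ := sign(ck, Msg{ClientID: "payroll-app", KeyClass: "db-column", Nonce: []byte("n")})
	bad.Payload[len(bad.Payload)/2] ^= 1
	_, terr := srv.Handle(bad)
	return clientKey, escrowKey, terr != nil, err
}

func main() {
	ck, ek, rejected, err := RunExchange()
	fmt.Printf("escrow copy matches: %v, tampered request rejected: %v, err: %v\n", string(ck) == string(ek), rejected, err)
}
```

Two design points carry over to a real deployment: the key ID is bound into the OAEP label so an escrowed blob cannot be presented under a different ID, and the client ties the reply to its own nonce so a replayed response for some other request is rejected even though its server signature is valid.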
If you don't manage encryption well, data will be compromised. To find out how to corral keys while we wait on EKMI,
Ensuring the confidentiality, integrity, and availability of keys is a primary concern for any encryption technology, and complexity is a long-standing problem that has put a drag on comprehensive data encryption. Ask people with experience managing encryption systems about deterrents to large-scale deployments, or use across various systems, and they'll often point to the proprietary nature of these applications and the diverse methods they use to address management functions.
EKMI holds a great deal of promise to solve these problems by combining essential elements into a holistic key management system. Creating a single interaction point for provisioning, escrow, recovery, caching, and destruction of symmetric keys will provide greater scalability to encryption deployments. If accepted and adopted, the standards would create a management platform that is independent of the technology applying the encryption, yet centralized in nature. Use of existing PKI systems for more extensive protection and establishing a single audit point for key management transactions are very attractive benefits of EKMI.
STRENGTH IN COMPLEXITY
There are, of course, obstacles that must still be overcome by EKMI proponents. For example, the proposed components are somewhat simple by design, which concerns some encryption purists who prefer more complex protocols, on the logic that they're more difficult to break into.
In addition, enterprises deploying an extremely sensitive system of this type that houses the keys to the kingdom will need to pay great attention to detail when hardening platforms and operating systems, a step strongly recommended by the Oasis technical committee. Failover and redundancy must also be considered during deployment to ensure availability.
Assigning these functions to an open set of protocols is asking for quite a big change in both technology and mind-set.
Then there are the problems associated with any open standard. Although they are published and commented on, some of the specifications that have been in use since the inception of the Internet aren't always implemented in, shall we say, strict adherence to their original guidelines. Integrating EKMI into the required clients for encryption of applications, endpoints, backup systems, and so on will require the cooperation of major application vendors. These entities--some of them fierce competitors--historically haven't been the most collaborative of groups. Not surprisingly, as of press time, there have been no large-scale public endorsements of EKMI, though Oracle is a member of Oasis.
This reticence could create a delay in full implementation of EKMI, but we don't see it bringing the entire effort to a halt. The overall concept and design of EKMI are sound, and the open nature of the protocols is very appealing to those who manage the behind-the-scenes aspects of security countermeasures. As a standard, it could be of significant value when combined with the appropriate systems. The Oasis technical committee consists of a variety of individuals and organizations with impressive backgrounds in encryption and information protection, including the committee chair, Arshad Noor of StrongAuth. The diversity of the membership, ranging from software development companies to financial institutions and large government agencies, reflects the current push to adopt encryption for protecting valuable information.
Also working in EKMI's favor are recently publicized breaches and the trend for more statutory controls on the privacy of personal information, both of which are driving organizations to apply stronger data protection. We must now assume that all perimeter defenses are vulnerable, if not because of flawed technologies, then by way of the redefinition of the perimeter: The simple model of "inside, outside, and DMZ" is no longer viable as partner connectivity grows and customer-level access is increased.
Encryption represents a final level of protection. Even if data is lost or stolen, it's of no value to the holder without the decryption key. EKMI is a valuable component in the operational and management aspects of encryption, and organizations with complex encryption requirements ought to start putting pressure on their application and security vendors to support the initiative.
For now, we recommend following updates on the Oasis Web site or, if possible, joining the organization to provide input. As you purchase new security systems, those with less-proprietary interfaces will best lay the groundwork for EKMI.
David Brown is a managing consultant, security solutions, at Forsythe and has more than 20 years of experience in information security and related IT fields. Write to him at [email protected].
Photo by Jupiterimages