There are, of course, obstacles that must still be overcome by EKMI proponents. For example, the proposed components are somewhat simple by design, which concerns some encryption purists who prefer more complex protocols, on the logic that they're more difficult to break into.
In addition, enterprises deploying an extremely sensitive system of this type that houses the keys to the kingdom will need to pay great attention to detail when hardening platforms and operating systems, a step strongly recommended by the Oasis technical committee. Failover and redundancy must also be considered during deployment to ensure availability.
Assigning these functions to an open set of protocols is asking for quite a big change in both technology and mind-set.
Then there are the problems associated with any open standard. Although published and commented on, some of the technological specifications that have been in use since the inception of the Internet aren't always implemented in, shall we say, strict adherence to their original guidelines. Integrating EKMI into the required clients for encryption of applications, endpoints, backup systems, and so on will require the cooperation of major application vendors. These entities--some of them fierce competitors--historically haven't been the most collaborative of groups. Not surprisingly, as of press time, there have been no large-scale public endorsements of EKMI, though Oracle is a member of Oasis.
Also working in EKMI's favor are recently publicized breaches and the trend for more statutory controls on the privacy of personal information, both of which are driving organizations to apply stronger data protection. We must now assume that all perimeter defenses are vulnerable, if not because of flawed technologies, then by way of the redefinition of the perimeter: The simple model of "inside, outside, and DMZ" is no longer viable as partner connectivity grows and customer-level access is increased.
Encryption represents a final level of protection. Even if data is lost or stolen, it's of no value to the holder without the decryption key. EKMI is a valuable component in the operational and management aspects of encryption, and organizations with complex encryption requirements ought to start putting pressure on their application and security vendors to support the initiative.
For now, we recommend following updates on the Oasis Web site or, if possible, joining the organization to provide input. As you purchase new security systems, those with less-proprietary interfaces will best lay the groundwork for EKMI.
David Brown is a managing consultant, security solutions, at Forsythe and has more than 20 years of experience in information security and related IT fields. Write to him at [email protected].
Photo by Jupiterimages