For typical IT managers, one important aspect of system security involves encrypting resource and transaction data. A critical component of encryption is the encryption key, the piece of information or parameter that determines the functional output of a cryptographic algorithm or cipher; the key specifies a particular transformation of plaintext into ciphertext and vice-versa.
The modern, complex IT system contains many bits of data that might need to be encrypted. More and more transaction data (data in motion) is being encrypted; the same can be said of data resources in storage or in use within the IT system (data at rest). Figure 1 demonstrates some of the many points in an IT system at which data can be encrypted:
Figure 1. Data at rest (or in motion) can be encrypted anywhere within the IT ecosystem
This means an IT security manager needs to generate many encryption keys, but the story doesn't end there. The security professional also needs to be able to track, investigate, verify and validate, retire, and recreate this growing number of keys — in other words, manage the entire lifecycle of a large number of encryption keys.
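The lifecycle stages just listed (generate, track, verify and validate, retire, recreate) and the key rollover mentioned later in the product section, as an added Python example; this is not IBM's code or the product's API, and the state names, the transition table and the SHA-256 keystream used in place of a real cipher are assumptions made so that it runs on the standard library alone:

```python
import hashlib
import secrets

# Allowed lifecycle transitions: pre-active until activated; retired keys may still unprotect old data; destroyed keys keep no material.
TRANSITIONS = {"pre-active": {"active"}, "active": {"retired"}, "retired": {"destroyed"}}

def keystream(material, nonce, length):  # toy SHA-256 counter keystream so this runs on the stdlib alone
    blocks = [hashlib.sha256(material + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

class KeyLifecycleManager:
    def __init__(self):
        self.keys = {}  # key_id -> {"material", "state", "fingerprint"}: the tracking record

    def generate(self, key_id):
        m = secrets.token_bytes(32)
        self.keys[key_id] = {"material": m, "state": "pre-active", "fingerprint": hashlib.sha256(m).hexdigest()}

    def transition(self, key_id, new_state):
        k = self.keys[key_id]
        if new_state not in TRANSITIONS[k["state"]]:
            raise ValueError(f"{key_id}: {k['state']} -> {new_state} is not allowed")
        k["state"] = new_state
        if new_state == "destroyed":
            k["material"] = None  # material gone: data protected only by this key is lost

    def verify(self, key_id):  # validate that tracked material still matches its fingerprint
        k = self.keys[key_id]
        return k["material"] is not None and hashlib.sha256(k["material"]).hexdigest() == k["fingerprint"]

    def protect(self, key_id, plaintext):  # only an active key may protect new data
        k = self.keys[key_id]
        if k["state"] != "active":
            raise PermissionError(f"{key_id} is {k['state']}, not active")
        nonce = secrets.token_bytes(16)
        return key_id, nonce, bytes(a ^ b for a, b in zip(plaintext, keystream(k["material"], nonce, len(plaintext))))

    def unprotect(self, record):  # active or retired keys may still unprotect existing data
        key_id, nonce, ct = record
        k = self.keys[key_id]
        if k["state"] not in ("active", "retired") or not self.verify(key_id):
            raise PermissionError(f"{key_id} cannot unprotect data (state {k['state']})")
        return bytes(a ^ b for a, b in zip(ct, keystream(k["material"], nonce, len(ct))))

    def rollover(self, old_id, new_id, records):  # recreate: re-key under a fresh key, then retire the old one
        self.generate(new_id)
        self.transition(new_id, "active")
        rekeyed = [self.protect(new_id, self.unprotect(r)) for r in records]
        self.transition(old_id, "retired")
        return rekeyed
```

Destroying a key makes every record that was never re-keyed unreadable, which is the "lost keys mean lost data" point in concrete form.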
How complex and critical is managing encryption keys throughout their lifecycles?
- Lost keys mean lost data.
- Theoretically, every component in your IT system could harbor data that might need to be encrypted, including storage devices, disk drives, networking switches and equipment, smart meters, and even applications.
To effectively manage such a large number of keys and their metadata, each with its own lifespan, the security manager should turn to tools that automate much of the process.
One such tool is IBM® Security Key Lifecycle Manager, optimized to manage keys for data at rest through the various key lifecycles. But before we talk about that, let's see if we can explain why data at rest should be encrypted.
Protecting data at rest
Traditionally, IT security has been more highly focused on protecting data in motion: the data that flows in the form of transactions between two customers, a customer and a business, and two businesses. The original thinking was that at this point, data was out of the control of the originator and was therefore more vulnerable to hijacking by a malicious third party.
Changes in how data at rest is used have made it more important to re-emphasize its security. Those changes include:
- Compliance requirements and standards that more agencies and governments are demanding.
- New and expanded disclosure laws concerning privacy breaches.
- A larger percentage of employees having access to sensitive data within an organization's IT infrastructure, which exposes a company to insider threats.
- More of an organization's data at rest residing outside of an easily protected central repository so that it is more useful in decision-making.
Let's examine how IBM Security Key Lifecycle Manager helps automate the massive job of encryption key management.
IBM Security Key Lifecycle Manager 2.5
IBM Security Key Lifecycle Manager (formerly Tivoli Key Lifecycle Manager) is a simple and robust solution for key storage, key serving, and key lifecycle management, designed for both IBM self-encrypting storage devices and non-IBM devices. The product enables encryption of sensitive data and offers automated replication that clones a master manager to up to five servers. Not only keys are replicated but also other configuration information, such as when new keys are rolled over.
The product meets regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, and the Health Insurance Portability and Accountability Act (HIPAA). It supports the OASIS Key Management Interoperability Protocol (KMIP) standard and Federal Information Processing Standard (FIPS) 140-2 Level 1. It also offers users the option to use FIPS 140-2 Level 3 validated hardware to enhance key security.
Other features of Security Key Lifecycle Manager include:
- Automated creation, import, distribution, and backup of keys.
- Key generation and servicing from a central location.
- Device grouping into separate domains.
- Multivariable administrator definitions.
- Integrated, centralized directory servers for role-based access control.
- Key readability can be tied to specific encryption hardware.
- Key delivery can be tied to specific known devices.
- Automated replication for high-availability deployments.
- Automated clone replication that can create up to five clones and can be configured to perform automated backups of the master.
- Support for disaster recovery by working with a wide variety of clustering, replication, and failover implementations.
The latest version of Security Key Lifecycle Manager, Version 2.5, includes:
- An improved and simplified user interface.
- Easier installation by using the IBM Installation Manager.
- Quicker, more silent installation: approximately 15 minutes.
- Seamless integration of all installation components: IBM WebSphere® Application Server, IBM DB2®, and the Security Key Lifecycle Manager application installations.
Version 2.5 also gathers all required installation information for you before the installation starts. The logs are now centralized in a single location, and the system now scales to support even larger numbers of keys.