Thales Blog

Key Management - Everybody's Problem

February 26, 2014

As we are seeing here at RSA, more than ever, organizations are under enormous pressure to protect information and support regulatory mandates in an effort to reduce risks to sensitive data. Failing to properly secure data can lead to costly penalties, remediation expenses and damaged business reputations.

Given this, the best option for businesses is to use encryption to insulate against the impact of a data breach and avoid the repercussions. Although encryption has become a necessity and encryption functionality has been added to a wide array of devices and applications, the essential job of managing the keys that encrypt and decrypt data across an enterprise still remains the primary challenge.

The Arrival of KMIP

To help tackle this, the Key Management Interoperability Protocol (KMIP) has become the first widely accepted industry standard that enables encryption devices from multiple vendors to be managed by a common key management system – which is actually a bigger deal than it sounds. The arrival of KMIP has served as a trigger for centralized key management to emerge as a standalone capability and a distinct corporate responsibility. It has enabled key management to evolve from being merely a product feature to being a product market in its own right. What’s more, KMIP also provides the mechanism for keys to be used by a different entity than the one that manages them – exactly the situation that exists when encryption is performed inside a cloud but the keys are owned and managed by the enterprise.

The Increasing Adoption of KMIP

Since KMIP was first introduced 4 years ago, we’ve seen significant adoption – and not just among security product vendors, who one would expect to be the logical early adopters. As non-security vendors such as storage players begin to add encryption (and not key management) capabilities to their products, they demonstrate confidence that key management is a viable market and that they can assume 3rd-party products will exist to manage the keys their products require. This abstraction is important, as it allows vendors to focus on the things they each do well and provides enterprises with the flexibility they are looking for as they expand their key management beyond the typical encryption use cases and traditional data centers. Over the next year, we expect that there will be increasing adoption as organizations start to understand the importance of interoperability for powering and securing the Internet of Things.