Far from being less complicated, the data encryption key management picture got a little cloudier today when Sun Microsystems (NASDAQ: JAVA) released its own key management protocol.
Sun announced that it is open sourcing its encryption key management technology. The “generic communication protocol between a key manager and an encrypting device” is the latest effort in Sun’s Open Storage initiative that has been one of the company’s most promising growth areas. The company said the announcement “sets Sun apart and enables partners to adopt this protocol to securely handle encryption keys without additional licensing.”
But the timing of the announcement is a little curious, coming just days after EMC (NYSE: EMC), HP (NYSE: HPQ), IBM (NYSE: IBM) and four other companies announced that they had proposed a standard for encryption key management. Interoperability between key management systems has been one of the biggest obstacles to widespread enterprise adoption of data encryption.
Sun spokesperson Alex Plant said the announcement “coincides with the one year anniversary” of Sun’s key management technology. “We need a year under the belt before feeling good about releasing it into the open source space.”
“The other announcement is just being released for the first time,” Plant added. “We don’t know that much about it. … We just found out about the KMIP standard this week, so we’re trying to understand it.”
Plant said Sun’s technology “has been in the market for over a year and covers lots of products,” among them EMC, HP and RSA. “The news is that we’re extending its ecosystem by open sourcing the UI. The good thing for customers is that they can now more easily and affordably manage the keys that encrypt their data.”
Enterprise Strategy Group security analyst Jon Oltsik said that “It appears to me that Sun is looking for partners in the short term using standard JAVA interfaces. This does not impact the KMIP work, which is based upon Web services interfaces. It probably plays well with this effort.”
Plant said that Sun has “had this standard in place for a year and EMC, HP, RSA, IBM and others are on board.” The Sun protocol is already available as open source, he said, while KMIP “will be available when the work of the OASIS committee is complete and under the terms governing OASIS standards.”
The Sun protocol has been submitted to the IEEE 1619 Security in Storage Working Group as a contribution to development of the P1619.3 Standard, Plant said.
The KMIP proposal, Plant said, “uses low-level binary protocol for communication rather than more advanced XML solution used in the latest OASIS and current IEEE 1619.3 discussions. XML has become the standard in Web applications due to its versatility and ease of use. Introducing a non-standard binary proposal is a step backwards.”
“There are opposing views on how best to deliver an interoperability standard,” said Plant. “One is to make it very general to cover all types of encrypting devices. The other is to extend a proven and accepted protocol such as provided by Sun. The risk in the former is that it may drift into ‘boiling the ocean.’ The imperative for both approaches is to keep the urgent needs of customers in mind.”
Robert Griffin, director of solution design for EMC’s RSA Security unit, said that “defining KMIP at the low level that we have, using tag/length/value, does not preclude a higher-level expression using XML. We believe that it is necessary to
express the normative protocol at this fundamental level to achieve interoperability across all environments that require security objects. But we look forward to working with Sun and others to establish higher-level expressions of the protocol as well.”
Sun said the protocol is available to customers using the Sun StorageTek KMS 2.0 Key Manager, the T9840D, T10000A and T10000B Enterprise Drives, and Sun StorageTek HP LTO-4 drives shipped in Sun libraries. “A number of additional partners are developing products based on this protocol, including EMC, whose RSA security division has talked about releasing it as an option on their RKM Key Manager,” said Sun’s press release. Sun said that releasing the protocol as open source is “a major step towards unifying the technology.”
Sun said it is working with industry partners and standards bodies such as IEEE 1619.3 and OASIS “to further develop and formalize the interface as an industry standard.” IBM’s drive division is working on supporting the protocol for their LTO-4 drive shipped in Sun Libraries, and Sun said it has shared the protocol with other partners such as computer OEMs, backup application providers and disk array and switch manufacturers.
The protocol is implemented as a complete toolkit and is available at the OpenSolaris Web site: http://opensolaris.org/os/project/kmsagenttoolkit/.