Optimized key management translates into superior security
Few would argue that comprehensively protecting core business data is mission-critical for today’s organizations. Failure to do so—which can occur in many ways, via many possible security breaches—will often translate into catastrophic consequences.
One recent study by the Ponemon Institute suggests that for every database record exposed via unauthorized access, organizations will pay, on average, $202. Multiply that figure by the number of records in the enormous databases commonly in use by private enterprise and government organizations, and the fiscal and operational consequences become staggering.
In response, encryption solutions are commonly deployed to secure data center assets ranging from tape drives to database and data backup applications. These solutions, which require the exchange and management of keys across the infrastructure, help to lock down data from prying eyes—diminishing the odds of a breach, empowering internal security protocols and also driving compliance initiatives in the case of regulations such as HIPAA, which specify how sensitive customer information should be managed and monitored.
For many organizations, however, the overall management of encryption keys is still suboptimal from both business and technological perspectives. Commonly, organizations will have deployed encryption solutions from different vendors, each of which approaches key management in a different way; this means the management tools involved will vary in interface and features. As more management tools are added to the mix, overall management costs and complexity will rise, and overall IT responsiveness and security will fall.
Superior results would come from an integrated approach, to manage encryption keys as a centralized resource using a single tool at every stage in key lifecycles. And if this tool could integrate not just with tape drives, but production-use server disk drives, an even better outcome might be achieved.
IBM simplifies and centralizes encryption key management across solutions
Just such a tool is IBM Tivoli Key Lifecycle Manager (TKLM), a powerful new solution designed to give administrators an elegant, centralized way to manage encryption keys through seamless integration with storage assets. Furthermore, thanks to the fact that it now integrates with the IBM System Storage DS8000 to facilitate self-encrypted server drives, TKLM helps secure data in ongoing operational use as well as data at rest. The business benefits of TKLM, then, align very closely with widespread organizational needs: superior overall security, decreased management costs and complexity and improved regulatory compliance, all delivered by a single tool used to manage encryption keys at every stage in their lifecycles via a unified point of control.
IT administrators should be pleased to find that TKLM is exceptionally easy to deploy and work with; TKLM can be installed on a host running any of several different operating systems—IBM z/OS, Linux, AIX, Sun Solaris or Microsoft Windows. Via its built-in installation and configuration wizards and easy-to-use graphic interface, setup is rendered a straightforward proposition.
Subsequently, TKLM automatically integrates with storage assets in place throughout the infrastructure—first autodiscovering these assets by polling the network, then establishing secure communication with them so that their encryption keys can be managed. To accomplish this second step, the storage asset generates a pair of RSA keys. These are sent to TKLM and validated using a certificate authority; TKLM then generates a third key based on them. All transactions between the asset and TKLM are thus secured, at every stage of the communication process. Also notable is the fact that the process is fully automatic, requiring no time or energy on the part of administrators.
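The exchange just described, as an added example that is not IBM's code and not TKLM's actual wire protocol: a storage asset generates an RSA pair and keeps the private half; the key manager accepts the asset only after its certificate validates against a trusted certificate authority, then generates a fresh data key and hands it over wrapped under the asset's public key. The CA, the drive name "drive-0001", the OAEP label and the interpretation of the "third key" as a wrapped data key are all assumptions made for this illustration; it uses only the Go standard library so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert generates an RSA pair and a certificate for its public half. With isCA the
// certificate is self-signed (a throwaway root constructed for this demo); otherwise
// issuer/issuerKey sign it. The private key is returned to the caller and never sent.
func keyAndCert(name string, isCA bool, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		issuer, issuerKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// ServeDataKey is the key manager's side: it releases a fresh AES-256 data key only to a
// device whose certificate chains to a trusted CA, and releases it wrapped under that
// device's public key (RSA-OAEP) so the key never crosses the wire in the clear.
func ServeDataKey(deviceCert *x509.Certificate, trusted *x509.CertPool) (wrapped, issued []byte, err error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err = deviceCert.Verify(opts); err != nil {
		return nil, nil, fmt.Errorf("device rejected: %w", err)
	}
	pub, ok := deviceCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, fmt.Errorf("device certificate does not carry an RSA key")
	}
	issued = make([]byte, 32)
	if _, err = rand.Read(issued); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, issued, []byte("data-key"))
	return wrapped, issued, err
}

// UnwrapDataKey is the device's side: recover the data key with its own private key.
func UnwrapDataKey(devKey *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, devKey, wrapped, []byte("data-key"))
}

// Exchange runs the enrollment for one device. With trustedIssuer the device's certificate
// is signed by the CA the manager trusts; otherwise by an unknown CA, and the manager
// refuses. It reports whether a key was delivered and recovered intact by the device.
func Exchange(trustedIssuer bool) (delivered bool, err error) {
	caKey, ca, err := keyAndCert("Example Storage CA", true, nil, nil)
	if err != nil {
		return false, err
	}
	issuerKey, issuer := caKey, ca
	if !trustedIssuer {
		if issuerKey, issuer, err = keyAndCert("Unknown CA", true, nil, nil); err != nil {
			return false, err
		}
	}
	devKey, devCert, err := keyAndCert("drive-0001", false, issuer, issuerKey)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	wrapped, issued, err := ServeDataKey(devCert, roots)
	if err != nil {
		return false, nil // manager refused the device: nothing was delivered
	}
	recovered, err := UnwrapDataKey(devKey, wrapped)
	if err != nil {
		return false, err
	}
	return bytes.Equal(issued, recovered), nil
}

func main() {
	fmt.Println(Exchange(true))  // true <nil>: trusted device received and recovered the key
	fmt.Println(Exchange(false)) // false <nil>: device from an unknown CA received no key
}
```

The property worth checking operationally is the refusal path: a device presenting a certificate that does not chain to a CA the key manager trusts must receive nothing, which is what the second call demonstrates.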
At this point, TKLM can be used to address all management functions involving encryption keys, at every stage in their lifecycles—and many of those functions are now automated or optimized in time-saving ways. For instance, certificate expiration automatically results in notification to the designated administrator, and certificates and key groups can also automatically be rotated. When TKLM files need to be backed up or restored, that task requires only a mouse click, helping organizations meet disaster recovery time objectives with an extraordinarily fast response.
Audit logs, too, are automatically created, to demonstrate compliance with both internal security policies and external government regulations. This feature translates into lower costs in yet another way. Because lost or stolen data can easily be shown to have been encrypted, organizations may save millions of dollars that might otherwise have been spent in privacy remediation (such as credit monitoring or credit counseling).
Disk drives are now supported as well
The value proposition of TKLM has recently been extended even further. At Pulse 2009, the premier service management event of the year, IBM announced that TKLM will now integrate with the high-end DS8000 enterprise disk platform—meaning that it will manage encryption keys not just for tape drives, but disk drives as well.
This new feature implies a considerable improvement in data security for today’s organizations. Unlike tape drives, server drives in data centers are in continual use; the data they store is thus continually leveraged by IT services for myriad purposes. Every disk drive in a data center will eventually, however, leave that data center—perhaps because a system is being relocated to a different data center, perhaps because the system or drive is at the end of its lifecycle and is being retired, or for some other reason. At that point, if it contains core organizational data, that data could conceivably be exposed, stolen or lost, leaving the organization vulnerable to many negative consequences.
Self-encrypting drives represent a logical solution to this problem. By continually encrypting the data they store, and decrypting it only when it is actually required, they dramatically improve overall data security; even if the drive should fall into unauthorized hands, the data on it would be secure because decrypting it would require the key, and the key is not on the drive. They are also much faster than traditional encryption solutions based on external processing, because each drive has its own engine that encrypts data on the fly.
IBM’s flagship disk storage system, the DS8000 platform, incorporates just such self-encryption. The DS8000 also provides exceptional performance and responsiveness within a wide variety of business contexts; thanks to its optimized design, the DS8000 supports even the most demanding workloads with exceptional availability—an estimated 99.999 percent uptime—to drive up service levels for the most critical business applications. And thanks to its new integration with TKLM, the DS8000 now also receives all the benefits of centralized key management.
IBM’s future roadmap for TKLM is even more ambitious; more and more IBM storage assets will integrate with it.
In this light, TKLM can be seen as an example of IBM’s general strategy of holistic, proactive security throughout the infrastructure. Rather than apply a key function such as encryption key management as a superficial layer, IBM is embedding it at a deep level, as a scalable resource designed to grow with the demand—helping to lower costs, raise service levels and enhance security.