Centralize and simplify encryption key management

Locking down data through key-based encryption with IBM Tivoli Key Lifecycle Manager

Tivoli Beat. A weekly IBM service management perspective

As security threats become more sophisticated and data becomes ever more critical to the enterprise, customers must stay one step ahead of new and existing security threats to secure that data to the fullest possible extent.

One technology commonly leveraged to address this problem is encryption, which secures data from unauthorized access using complex keys. Storage devices such as tape drives, enterprise-class applications, network solutions and disk subsystems (such as those in virtual tape libraries) all utilize key-based encryption schemes in various forms. Unfortunately, however, the total business value generated by disparate implementations of encryption technology is limited due to the inherent fragmentation into different IT domains, management systems and organizational silos.

Furthermore, data is not always shielded via encryption at every operational stage—at rest (when it is relatively static, such as on a tape drive), in motion (over the network) and in ongoing everyday use (in commonly-accessed documents or databases). The result is that even in organizations that have widely deployed key-based encryption, core business data is often not as well protected as it should be.

A superior tool would resolve these problems by federating encryption key management across IT solutions, operational silos and conceivably even across the enterprise, thus simplifying management complexities, reducing management costs and increasing overall data security. And by giving administrators command over keys at every stage in their lifecycles, such a design would extend these many benefits across time as well—covering key initialization, activation, management, expiration and destruction.

TKLM helps manage cross-device encryption keys quickly, securely and easily

Where can organizations turn for such a tool? The answer is IBM Tivoli Key Lifecycle Manager (TKLM). This new solution, which works with both IBM and non-IBM storage devices, delivers advanced, federated, cross-domain key management designed to help lock down organizational data more comprehensively and easily than ever.

Through TKLM’s elegant user interface and built-in wizards, fewer encryption keys are required; keys are more easily, more consistently and more centrally managed; and overall data security is enhanced because storage devices are more securely administered. What’s more, by simplifying key management through the lifecycle, TKLM also helps to drive compliance initiatives aimed at adhering to the terms of regulatory standards, such as the Sarbanes-Oxley Act, that specify how organizations are to manage and monitor sensitive data.

Fundamentally, TKLM works by allowing administrators to connect with storage devices then create and manage keystores—secure repositories of keys and certificate information used to encrypt and decrypt data—or leverage existing keystores already in place. Over the course of key lifecycles, all management functions, including creation, importation, distribution, backup and archiving are easily accomplished using TKLM’s graphic interface, which can be accessed using any standard browser on the network. TKLM thus serves as a central point of control, unifying key management even when different classes of storage devices are involved.

How is the transaction of information between storage devices and TKLM secured? This happens in essentially two stages. First, encryption-capable storage devices are automatically discovered by TKLM and authenticated when initially mounted to ensure that the storage device is actually authorized for that environment. Each storage device generates a pair of RSA keys; TKLM receives and validates these using a certificate authority and also confirms via the drive table that the device itself is valid.

Once the device is authenticated, transactions between it and TKLM are secured using a new session key that TKLM generates using the RSA keys. Given this secured communication, an encryption key can then be created for individual cartridges (or virtual cartridges, in the case of a virtual tape library) and sent over the network to the storage device. This sophisticated approach defeats potential security threats, such as rogue device deployment or data interception on the network, by ensuring that every stage in the authentication and encryption process is secure. Yet, the entire process is transparent to the administrator, requiring no oversight and thus reducing operational expenses.
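A toy model of the two stages just described, added here as an illustration and not code from TKLM or IBM. It assumes a local CA that the key server trusts, a drive table keyed by serial number (carried in the certificate's CN), and RSA-OAEP as the session-key wrap; the article does not specify any of these details.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

var driveTable = map[string]bool{"DRV-0001": true} // constructed: serials of drives authorised in this environment

func genKey() *rsa.PrivateKey { // 2048-bit RSA pair: each drive generates its own, and the toy CA has one too
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// issue builds and signs a certificate for pub; with isCA set it is self-signed (toy PKI, not TKLM's own).
func issue(cn string, isCA bool, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageKeyEncipherment}
	t.Subject.CommonName = cn // the drive's serial number, looked up in the drive table later
	if isCA { t.KeyUsage, parent = x509.KeyUsageCertSign, t }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// authenticateDrive is stage one: the certificate must chain to the CA and the serial (CN) must be in the drive table.
func authenticateDrive(roots *x509.CertPool, drive *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := drive.Verify(opts); err != nil { return err }
	if !driveTable[drive.Subject.CommonName] { return errors.New("drive not in drive table: " + drive.Subject.CommonName) }
	return nil
}

// newSession is stage two, server side: a fresh 256-bit session key wrapped to the drive's RSA key (OAEP); cartridge keys then travel under it.
func newSession(drive *x509.Certificate) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil { return }
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, drive.PublicKey.(*rsa.PublicKey), key, nil)
	return
}

func unwrapSession(drive *rsa.PrivateKey, wrapped []byte) ([]byte, error) { // drive side: only the drive's private key recovers the session key
	return rsa.DecryptOAEP(sha256.New(), nil, drive, wrapped, nil)
}
```

A drive with a self-signed certificate, or one whose serial is absent from the drive table, is rejected before any session key is issued, and a wrapped session key is useless without the drive's private key.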

Subsequent key configuration and management is similarly simplified and enhanced. Creating keystores, assigning keys and certificates and managing their total lifecycles is easily achieved within the solution’s browser-based GUI. Once TKLM is deployed on a suitable workstation or server, administrators can carry out tasks such as configuration, setup, auditing and compliance support. Key retention policies intended to facilitate compliance initiatives, such as legal discovery, for instance, can be created; keys can thus be recreated on demand. This feature might also prove useful in cases of disaster recovery by unlocking encrypted backups and thus restoring essential data.

Ease of use, flexible configuration and support for open standards

TKLM includes wizard-based assistance, sure to be helpful in accelerating many different key management tasks and decreasing TKLM’s time-to-value. Keystore creation, for instance, is driven through such a wizard, which prompts the administrator for information such as keystore name, type, network path to storage and access password. Furthermore, following keystore creation, it’s easy to configure different devices in different ways, whichever is best suited to the business need.

SSL (Secure Sockets Layer) certificates, for instance, can be created on the fly, requested from a third party or reused if already in place in order to lock down information exchanges between TKLM and tape devices; once SSL configuration is finished, the storage device will be ready for use and will appear in TKLM’s administration sidebar. Other parameters, too, can be adjusted as required, such as the audit level, TCP port, SSL port and timeout limit. Such configuration flexibility helps administrators to adapt TKLM more quickly and easily to their environments and business requirements, achieving a tailored fit with minimal effort.

The business wins for TKLM as a result of its unique design and many powerful features are numerous. Consider, for instance, that because the solution was built to support open standards, its cross-vendor compatibility is exceptionally high; it can be deployed in a remarkably wide variety of IT infrastructures and will interoperate with an extraordinary number of storage devices.

Due to its ease of use, TKLM can rapidly improve security, spanning many different business and technological contexts, in very little time. And when unusual events such as a government audit require a quick response, TKLM can deliver one, thanks to its straightforward design. Overall management and operational costs will fall because fewer keys need to be created, less time is spent managing keys, and IT staff can instead attend to more pressing tasks better paired with emerging business requirements.

Finally, the risk of unauthorized data access or modification will also fall through the comprehensive management of encryption keys and digital certificates at every stage in their lifecycles—across multiple IT domains and IT assets—to achieve a centralized yet comprehensive key management solution.
