HP has announced a hardened and clustered Secure Key Manager (SKM) appliance, but this is no Decru DataFort. Interestingly it has a distant key management API relationship with the DataFort but represents a different class of device.
The DataFort is an in-band appliance that sits in a data network and encrypts/decrypts data passing between hosts and storage devices. HP's SKM is an out-of-band key management system that serves up keys to requesting storage devices that do their own encryption.
According to Bob Wilson, HP's VP for nearline storage, which includes tape products, SKM is a totally-dedicated appliance running on a tight Unix kernel with two mirrored serial-attached SCSI (SAS) disks). These are quite small but fast disks. Encryption keys don't take up much space and hat's all that's stored on the disks, apart from the system software. The cabinet is locked and has a tamper-visible coating that shows if someone has been manhandling it. It comes clusterable so that one machine in an SKM pair can automatically take over if the heartbeat from the other fails to beat.
There can be a remote third machine in the cluster as well to provide aDR capability and the disk contents of an SKM appliance can be backed up to provide security layer number three. Remember, stored encryption keys represent data that you never, ever - ever - want to lose.
How it works is like this: an encrypting LTO4 tape drive gets a piece of media inserted in it. The drive sends the media marker ID string to the SKM. It does a look up and returns a key which is then used for encryption or decryption. There is a protocol used for this transaction and this protocol must become standardised for enterprise-wide security management to be possible.
The idea is that virtually every storage device will have its own encrypting capability. These devices will apply to a key management system for keys to be issued to them. For there to be a market in heterogeneous key management systems, any key management system must be able to talk via a standard protocol to any encrypting device.
I triple E
Blair Semple, a security evangelist at NetApp, ays that IEEE has initiatives, meaning working groups, relating to storage security. These are:-
- IEEE 1619.0 relates to disk security,
- IEEE 1619.1 relates to tape security,
- IEEE 1619.2 relates to securing big blocks on disk,
- IEEE 1619.3 relates to key management.
Sempl says that 1619.3 is much earlier along in the standards process than the disk and tape device focussed standards. NetApp sits on all these committees and submitted the API, jointly with HP, from the Decru DataFort's Lifetime Key Management product, the Open Key API, as technology to be used for the 1619.3 protocol. He said the: "spec is approved and is the foundation for 1619.3."
"We have a number of vendors building Open Key APIs into their product: Symantec; Quantum; and others. Quantum knows it can't generate , store and manage keys (with its own self-built technology)." He intimated that, as HP jointly submitted the Open Key API with NetApp then it wouldn't be too surprising if HP built the Open Key API into its key management product.
HP's Wilson recalls things a little differently: " NetApp submitted Open Key proposals to HP. We gave specific and detailed feedback about what we thought needed to be in the protocol. They (NetApp) submitted it. It's in discussion mode and hasn't been voted on."
"NetApp's protocol was one of many and the one that was furthest along. Our concern is that the protocol should be complete and robust." HP did not want to own the protocol in any way.
Wilson also said hat HP wasn't convinced IEEE was necessarily the right standards body to create an enterprise-wide storage security standard and was evaluating other possible approaches,