Professional Documents
Culture Documents
Saikat Saha
Encryption without key Sr. Principal Product Manager
Database Security
management Its like Icing Oracle Corporation
#RSAC
#RSAC
Key Management
Absolutely critical, but boring.
2
#RSAC
Agenda
3
#RSAC
Encryption is Everywhere
Data-at-rest Encryption
- Application encryption
- Database encryption
- File encryption
- Disk/Storage encryption
6
#RSAC
7
#RSAC
Management Regulations
Proliferation of encryption wallets and keys Physical separation of keys from encrypted data
Authorized sharing of keys Periodic key rotations
Key availability, retention, and recovery Monitoring and auditing of keys
Custody of keys and key storage files Long-term retention of keys and encrypted data
9
#RSAC
Regulatory Drivers
And more!
10 10
#RSAC
11 11
#RSAC
12 12
#RSAC
Encryption is in hardware
13
#RSAC
14
#RSAC
- Leave it to specialist security vendors Designed by the industrys most experienced vendors
- Use independent conformance testing programs
Active on-going standards development / evolution
- Avoid platform and technology lock-in
- Externalise the problem from your domain Deployed in wide range of products from multiple vendors
- Use open vendor neutral standards Successful transition from standard into products
- Avoids vendor lock-in Open standard under open management (OASIS)
Multiple independent interoperable implementations
15
#RSAC
Cryptographic services
Standards compliance
Attributes / Metadata
Authentication
Policy
Audit & reporting
17
#RSAC
Lifecycle management
Minimum operation set Create,
Register, Destroy, Rekey
KMIP has a very rich set of
operations (40+ operations)
KMIP Specifies NIST 800-57 states
and transitions
18
#RSAC
Key storage
Simple flat file
Detailed register
Secured (kek or keystore encryption)
Offload (HSM/EKM)
19
#RSAC
Attributes / Metadata
KMIP allows for an almost unlimited
number of attributes per key
(object)
Multiple attribute types
Custom attribute types (usually best avoided)
20
#RSAC
Authentication
User access
Device access KMIP Clients
Admin access
21
#RSAC
Cryptographic Services
Provide a richer set of functionality
KMIP operations include:
Encrypt & Decrypt
Sign & Verify
Hash, MAC & MAC verify
Supplement or replace HSMs
22
#RSAC
23
#RSAC
Policy
Authorisation
Scheduling
Compliance enforcement
24
#RSAC
Standards compliance
Minimum standards (NIST etc)
Ideal = KMIP
Open standard under open management (OASIS)
Active standards development / evolution
Designed by the industrys most experienced vendors
Deployed in wide range of products from multiple
vendors
25
#RSAC
Host
27
#RSAC
Authentication
Authentication is external to the protocol
All servers should support at least
TLS V1.0
Authentication message field contains the Credential Base
Object
Client or server certificate in the case of TLS
Host
Enterprise Key Manager
SSL/TLS
@!$%!%!%!%%^& @!$%!%!%!%%^&
*&^%$#&%$#$%*!^ *&^%$#&%$#$%*!^
@*%$*^^^^%$@*) @*%$*^^^^%$@*)
%#*@(*$%%%%#@ %#*@(*$%%%%#@
Identity Identity
certificate certificate
28
#RSAC
KMIP Fundamentals
29
#RSAC
KMIP Fundamentals
Message Encoding
Binary Tag-Type-Length-Value format
Optional JSON and XML encoding in
KMIP1.2
30
#RSAC
31
#RSAC
KMIP Progression
Key Points
Mature open standard
KMIP Interoperability Demonstration RSA 2015 Continuous development
Specifications and Interoperability Cryptsoft, Dell, HP, IBM, P6R, Fornetix, Thales, Vormetric
2015
KMIP Interoperability Demonstration RSA 2014
KMIP Technical Committee Face-to-Face
Cryptsoft, Dell, HP, IBM, P6R, Safenet, Thales, Vormetric
KMIP v1.2 OASIS Specification
2014
KMIP Interoperability Demonstration RSA 2013
Cryptsoft, HP, IBM, Quintessence Labs, Townsend Security, KMIP Technical Committee Face-to-Face
Thales, Vormetric 2013 KMIP v1.3 Committee Draft
Time
32
#RSAC
30
Discreet KMIP Implementations
25
20 Storage
Security & Infrastructure
15
Cloud
10
0
2H-10 1H-11 2H-11 1H-12 2H-12 1H-13 2H-13 1H-14 2H-14 1H-15 2H-15 1H-16
34
#RSAC
KMIP Deployments
Infrastructure and
Storage Cloud
Security
Disk Arrays, Flash Storage Key Managers Key Managers
Arrays, NAS Appliances
Hardware security Compliance Platforms
Tape Libraries, Virtual Tape modules
Libraries Information Managers
Encryption Gateways
Encrypting Switches Enterprise Gateways and
Virtualization Managers Security
Storage Key Managers
Virtual Storage Controllers Enterprise Authentication
Storage Controllers
Network Computing Endpoint Security
Storage Operating Systems Appliances
35
#RSAC
36
#RSAC
800
700
500
400
300
200
100
37
#RSAC
20000
15000
Completed Test Runs
Test Runs
10000
5000
0
RSA 2012 Tests RSA 2013 Tests RSA 2014 Tests RSA2015 Tests RSA2016 Tests
38
#RSAC
KMIP Conformance
39
#RSAC
KMIP Future
#RSAC
KMIP 1.3
41
#RSAC
KMIP 1.4
How to Apply?
#RSAC
44