Clear Choice Test

Encryption key management

Encryption made easier with new key management tools

New tools solve problem of how to manage encryption keys

By Logan G. Harbaugh, Network World
September 07, 2009 12:07 AM ET

Network World - In response to dramatic and widely publicized losses of data over the last few years, IT execs are moving to deploy encryption in every corner of the enterprise. While encryption does reduce the chances of data loss, it can also create a management nightmare, with dozens of different encryption applications using hundreds or thousands of keys.

To address that problem, vendors have developed enterprise encryption key management tools. Of the dozen vendors that we identified, three accepted our invitation -- Thales, Venafi and Vormetric. Vendors who declined were Entrust, NetApp (Decru), PGP, Protegrity, RSA (EMC), SafeNet (Ingrian) and WinMagic.

The still-developing state of the market is reflected in the different types of products we received – an appliance from Thales that supports a variety of key exchange standards, software from Venafi that supports a broad range of applications, and an appliance from Vormetric that replaces existing encryption on a variety of platforms, enabling one appliance to manage encryption across a broad range of applications.

These are not simple drop-in applications – even the appliances will require a substantial amount of planning, installation and tuning. There is a wide range of tasks associated with key management: issuing, renewing and revoking keys; monitoring applications; reporting and logging; setting and auditing policies; management; and in some cases, discovery of applications using keys that can be managed through the system.
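The key-lifecycle tasks listed above (issuing, renewing, revoking, a rotation policy and an audit log) as a constructed Python illustration that is not from the article or from any of the vendors' products; the class, method and application names are assumptions:

```python
import secrets
from datetime import datetime, timedelta, timezone

class KeyManager:
    def __init__(self, max_age: timedelta):
        self.max_age = max_age  # policy: active keys older than this get renewed
        self.keys = {}          # key_id -> {"app", "material", "created", "state"}
        self.audit = []         # append-only log of (time, action, key_id)

    def issue(self, app, now):
        """Issue a fresh 256-bit key; any active key of the same app is retired."""
        for kid, rec in self.keys.items():
            if rec["app"] == app and rec["state"] == "active":
                rec["state"] = "retired"  # may still decrypt, never encrypt
                self.audit.append((now, "retire", kid))
        kid = f"{app}-{secrets.token_hex(4)}"
        self.keys[kid] = {"app": app, "material": secrets.token_bytes(32),
                          "created": now, "state": "active"}
        self.audit.append((now, "issue", kid))
        return kid

    def renew_expired(self, now):
        """Apply the rotation policy: replace active keys older than max_age."""
        stale = [r["app"] for r in self.keys.values()
                 if r["state"] == "active" and now - r["created"] > self.max_age]
        return [self.issue(app, now) for app in stale]

    def revoke(self, kid, now):
        self.keys[kid]["state"] = "revoked"  # e.g. on compromise: unusable for anything
        self.audit.append((now, "revoke", kid))

    def key_for_encrypt(self, app):
        for kid, rec in self.keys.items():
            if rec["app"] == app and rec["state"] == "active":
                return kid, rec["material"]  # only the active key protects new data
        raise KeyError(f"no active key for {app}")

    def key_for_decrypt(self, kid):
        """Active or retired keys may still decrypt old data; revoked keys may not."""
        if self.keys[kid]["state"] == "revoked":
            raise PermissionError(f"{kid} is revoked")
        return self.keys[kid]["material"]

def demo():
    """Walk one application's key through the lifecycle; returns the audit actions."""
    km = KeyManager(max_age=timedelta(days=90))
    t0 = datetime(2009, 9, 7, tzinfo=timezone.utc)  # constructed sample clock
    k1 = km.issue("db", t0)
    k2 = km.renew_expired(t0 + timedelta(days=91))[0]  # rotation policy fires
    assert km.key_for_encrypt("db")[0] == k2 and km.key_for_decrypt(k1)
    km.revoke(k1, t0 + timedelta(days=92))
    return [action for _, action, _ in km.audit]
```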

No single management tool will be able to perform all these tasks with every possible application using keys or certificates, or at least not without considerable custom programming. Part of the reason is that standards for key exchange (providing keys to one application by another) are still under development, and even when standards are ratified, it may take years before all enterprise applications and management solutions support them.

That's why each vendor we looked at has taken a different approach to the process:
-- Thales uses existing certificate and key exchange protocols such as PKCS#11, Java JCE, OpenSSL and Microsoft's CryptoAPI/CNG.
-- Venafi supports specific platforms, including servers such as Microsoft 2003, certificate authorities on many different platforms, plus other platforms such as F5 BIG-IP SSL offload processors and firewalls.
-- Vormetric attempts to bypass the issue entirely by implementing both key management and the underlying encryption, access control and logging on a variety of platforms. Rather than relying on the built-in capabilities inherent in some applications, it deploys an agent on each server or workstation to be protected; the agent controls access to the data and is managed through the Vormetric appliance.

To get one of the products to work with a server application requires an understanding of that application as well as the encryption standard or certificate authority model it uses.