Are You the Keymaster? Yes, Actually, I Am
Have you ever lost or misplaced a set of keys? Be honest! Well if you’re like me the answer is “yes,” and in addition to being annoyed over the loss you probably experienced some level of anxiety over having strangers potentially accessing your stuff. Most of us routinely use and go to great lengths to safeguard keys that provide access to our property (house keys), wealth (safe keys) and secrets (diary keys).
Here’s a view of the keys that I carry around with me every day (yes, this is REALLY my own, personal key ring):
If someone were to get hold of this key ring they would have access to my car, my home and my mail. But I also carry devices and “certificates” that establish my identity with several businesses. So the holder of this ring would be able to tap into my resources (gas, with my Mobil SpeedPass RFID tag), and impersonate me using the barcodes on my loyalty cards. They probably wouldn’t be able to access my yoga classes, though, due to secondary security measures in force (that is, all the instructors know who I am!).
Fortunately this is a reasonable set of keys and certificates to protect, and my carabiner clip helps ensure their relative safety by locking them onto my person. If I had to worry about more than my personal assets – let’s say I was in charge of security for IBM’s Poughkeepsie site – then this localized solution would be inadequate. I’d probably want a centralized, secure room guarded by people I trust to follow procedures designed to ensure that the company’s physical security assets were properly used by all those who needed them.
This analogy extends perfectly to the digital world, where we also use – and need to protect – keys and certificates that grant access to our digital property, wealth and secrets. I can do a reasonable job protecting my own personal passwords, just as long as I don’t write them down and tape them to my computer; but if I had to scale this protection scope to the enterprise level I would need the digital equivalent of a secure room and trusted guards. As this video points out, any breach of enterprise-wide security measures can be costly; only enterprise-class solutions can deliver the appropriate level of protection.
If your enterprise relies on mainframe computers for day-to-day operations, you already have the “secure room” (IBM System z) and “trusted guards” (your mainframe IT professionals and processes). This is a major, major first step! So how can you leverage this mainframe environment to help you address your enterprise key management needs?
I’d like to introduce you to IBM’s Enterprise Key Management Foundation (EKMF), an offering from IBM’s Crypto Competency Center in Copenhagen, Denmark that centralizes the management of crypto devices that are, themselves, distributed and now available across the globe. This offering was initially developed for financial institutions but it is rapidly finding its way into other industries; for example, EKMF was recently adapted to the needs of a large auto manufacturer.
EKMF takes advantage of many of the strengths of the IBM mainframe to deliver a flexible and highly secure, centralized key management system for the enterprise.
What are some of those strengths?
The Locked Room
There is a reason why much of the world’s sensitive data resides on, and is processed by, the mainframe: it is about as safe a platform as exists, anywhere. System z has been certified to Common Criteria Evaluation Assurance Level 5 (EAL5), the highest security rating or classification in effect for any commercially available server. If you want a safe place for those keys and certificates, you can’t do any better than this!
IBM has delivered integrated cryptographic co-processor hardware on its mainframe systems going back several generations. Crypto Express and the CP Assist for Cryptographic Function (CPACF) are but two examples; here is a good resource to understand some of the integrated cryptographic features of the mainframe. These capabilities enable large volumes of certificates and encryption keys to be managed centrally and uniformly with EKMF.
No Single Point of Failure
There are a number of key management appliances on the market today, but appliances can create single points of failure – and make it difficult to achieve highly available configurations. By keeping keys, certificates and metadata on the mainframe, EKMF leverages the business continuity and disaster recovery plans already in effect at the enterprise.
Standards, Standards and More Standards
A centralized management solution is only useful if it can supply the key and certificate formats required by the vast array of systems that serve the enterprise, and adhere to the policies required by regulatory agencies. EKMF supports, for example, a wide variety of Data Encryption Standard (DES), Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) keys for a number of platforms and crypto cards. It ensures adherence to an array of specialized industry regulations, such as Europay, MasterCard and Visa (EMV) for payment card solutions. In short, EKMF can manage pretty much anything you can throw at it.
If you need to be The Keymaster for your enterprise, who you gonna call? IBM Lab Services to begin a discussion on how EKMF can benefit your business! They’ll hook you up with more information on EKMF and get you started on the road to safe, secure enterprise key management.
Paul DiMarzio has over 25 years of experience with IBM focused on bringing new and emerging technologies to the mainframe. He is currently part of the System z Growth business line, with specific focus on cross-industry business analytics offerings and the mainframe strategy for the insurance industry. You can reach Paul on Twitter: @PaulD360
Editor’s Note: This blog by Paul DiMarzio is part of a series on IT security we are running in December 2012 to help readers understand key aspects of security, including reputational risk, cloud security, and the role of hardware, software and services in security solutions.
We encourage you to read the other posts in our series, listed below:
- Reputational Risk and IT: They’re Closer Than You Think by Yesica Schaaf
- Security-Ready IT: A Fundamental Imperative for Smarter Computing by Shelley Westman
- How IBM Saves Money by Eating Our Own Dinner by Jonathan Barney
- Enterprise Systems and Security by Amy Bennett