Are You the Keymaster? Yes, Actually, I Am


Have you ever lost or misplaced a set of keys?  Be honest!  Well, if you’re like me the answer is “yes,” and in addition to being annoyed over the loss you probably experienced some level of anxiety over strangers potentially accessing your stuff.  Most of us routinely use, and go to great lengths to safeguard, keys that provide access to our property (house keys), wealth (safe keys) and secrets (diary keys).

Here’s a view of the keys that I carry around with me every day (yes, this is REALLY my own, personal key ring):


If someone were to get hold of this key ring they would have access to my car, my home and my mail.  But I also carry devices and “certificates” that establish my identity with several businesses.  So the holder of this ring would be able to tap into my resources (gas, with my Mobil SpeedPass RFID tag), and impersonate me using the barcodes on my loyalty cards.  They probably wouldn’t be able to access my yoga classes, though, due to secondary security measures in force (that is, all the instructors know who I am!).

Fortunately this is a reasonable set of keys and certificates to protect, and my carabiner clip helps ensure their relative safety by locking them onto my person.  If I had to worry about more than my personal assets – let’s say I was in charge of security for IBM’s Poughkeepsie site – then this localized solution would be inadequate.  I’d probably want a centralized, secure room guarded by people I trust to follow procedures designed to ensure that the company’s physical security assets were properly used by all those who needed them.

This analogy extends perfectly to the digital world, where we also use – and need to protect – keys and certificates that grant access to our digital property, wealth and secrets.  I can do a reasonable job protecting my own personal passwords, just as long as I don’t write them down and tape them to my computer; but if I had to scale this protection scope to the enterprise level I would need the digital equivalent of a secure room and trusted guards.  As this video points out, any breach of enterprise-wide security measures can be costly; only enterprise-class solutions can deliver the appropriate level of protection.

If your enterprise relies on mainframe computers for day-to-day operations, you already have the “secure room” (IBM System z) and “trusted guards” (your mainframe IT professionals and processes).  This is a major, major first step! So how can you leverage this mainframe environment to help you address your enterprise key management needs?

I’d like to introduce you to IBM’s Enterprise Key Management Foundation (EKMF), an offering from IBM’s Crypto Competency Center in Copenhagen, Denmark that centralizes the management of crypto devices which are themselves distributed, and which is now available across the globe.  This offering was initially developed for financial institutions, but it is rapidly finding its way into other industries; for example, EKMF was recently adapted to the needs of a large auto manufacturer.

EKMF takes advantage of many of the strengths of the IBM mainframe to deliver a flexible and highly secure, centralized key management system for the enterprise.

What are some of those strengths?

The Locked Room

There is a reason why much of the world’s sensitive data resides on, and is processed by, the mainframe: it is about as safe a platform as exists anywhere. System z has been certified to Common Criteria Evaluation Assurance Level 5 (EAL5), the highest security rating or classification in effect for any commercially available server.  If you want a safe place for those keys and certificates, you can’t do any better than this!

Baked-in Cryptography

IBM has delivered integrated cryptographic co-processor hardware on its mainframe systems going back several generations.  Crypto Express and the CP Assist for Cryptographic Function (CPACF) are but two examples; here is a good resource for understanding some of the integrated cryptographic features of the mainframe.  These capabilities enable large volumes of certificates and encryption keys to be managed centrally and uniformly with EKMF.

No Single Point of Failure

There are a number of key management appliances on the market today, but appliances can create single points of failure – and make it difficult to achieve highly available configurations.  By keeping keys, certificates and metadata on the mainframe, EKMF leverages the business continuity and disaster recovery plans already in effect at the enterprise.

Standards, Standards and More Standards

A centralized management solution is only useful if it can supply the key and certificate formats required by the vast array of systems that service the enterprise, and adhere to the policies required by regulatory agencies.  EKMF supports, for example, a wide variety of Data Encryption Standard (DES), Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) keys for a number of platforms and crypto cards.  It ensures adherence with an array of specialized industry regulations, such as Europay, MasterCard and Visa (EMV) for payment card solutions.  In short, EKMF can manage pretty much anything you can throw at it.

If you need to be The Keymaster for your enterprise, who you gonna call? IBM Lab Services to begin a discussion on how EKMF can benefit your business! They’ll hook you up with more information on EKMF and get you started on the road to safe, secure enterprise key management.

Paul DiMarzio has 30+ years experience with IBM focused on bringing new and emerging technologies to the mainframe. He is currently responsible for developing and executing IBM’s worldwide z Systems big data and analytics portfolio marketing strategy. You can reach Paul on Twitter: @PaulD360.


Editor’s Note: This blog by Paul DiMarzio is part of a series on IT security we are running in December 2012 to help readers understand key aspects of security, including reputational risk, cloud security, and the role of hardware, software and services in security solutions.

We encourage you to read the other posts in our series, listed below:


2 Responses to Are You the Keymaster? Yes, Actually, I Am

  1. Kelly Ryan says:

    Paul, thank you for making the DKMS solution so easy to understand. This is a great post to help people understand how the mainframe they have can be further extended to manage modern day problems. We know we are continuing to invest more in security on System z and I really appreciate your post that makes it easy to understand. It really is safer than the carabiner…except when rock climbing. Further proving, everything and every platform has its purpose :)

    • Paul DiMarzio says:

      Thanks for the encouragement, Kelly. If you already have access to Fort Knox, why would you try and recreate the environment?
