For the past year or so, a group of vendors including EMC, IBM, Hewlett-Packard, and Thales (who acquired nCipher) have been working on a new encryption key management standard – the Key Management Interoperability Protocol (KMIP). This work has now been moved into OASIS (the Organization for the Advancement of Structured Information Standards) for completion as an open standard. Other companies (including NetApp) were given the opportunity to provide feedback and join the new OASIS workgroup. You may have seen the announcement this week on news.com and TheRegister.
Details on the announcement can be found in the FAQ about the new initiative.
Although NetApp wasn’t in the press release that hit the news wire, we fully support this new standards effort, and we are a contributing member of the OASIS KMIP Technical Committee – to quote from the first paragraph of the FAQ: “(The) Organization for the Advancement of Structured Information Standards (OASIS) along with Brocade, EMC, HP, IBM, LSI, NetApp, Seagate and Thales are announcing the creation of a Key Management Interoperability Protocol (KMIP) Technical Committee to complete the group’s work on an open standards track.”
This isn’t the only key management standard in process right now – you may have seen my blog of 27 June 2008, “New IEEE Security Standards – Enabling Ubiquitous Storage Security”, which focused on the IEEE P1619.3 activity. The two major differences between the efforts are that KMIP is broader in scope (addressing many device types, whereas the P1619 effort is focused specifically on a storage infrastructure), and that the KMIP protocol uses a low-level binary interface to ensure that a broad range of device types can use it. Another difference is that the P1619 effort did not get the support of some major players, whereas the KMIP effort seems on track to get all the key players’ support.
My take on all of this is that having two standards initiatives going after an encryption key management standard is not a bad thing. In fact, it may increase the chances that the industry can come up with a broadly supported standard that will enable ubiquitous data security.
More on this later in the year as these efforts approach completion…