• Review: Enterprise Key Management Software
Encryption is hot, and its buzzword status only grows with each revelation of sensitive corporate information gone missing. Are vendors' products keeping pace with their products? We analyze key management offerings from NeoScale, Decru, nCipher, RSA and Sun Microsystems.
Don't hold your breath. Even though large enterprises have been fighting this problem for years, the hard truth is, there are no standards to enable unified management of keys from disparate systems.
RSA's Public-Key Cryptography Standard 11 and Microsoft's CryptoAPI are helpful, but they're not standards. The OpenSSL project is a standards-based toolkit for crypto implementation, but it doesn't address key management. Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions) is akin to Microsoft's CryptoAPI: If you're using Java and JCE, it might meet EKM (enterprise key management) requirements for those apps only. Sun's SKIP (Simple Key Management for Internet Protocols) provides key sharing only, no management.
Our analysis of available key-management offerings, at nwc.com/go/0430review, revealed that even without settled standards, a few vendors are taking baby steps in the right direction. For the most part, though, vendors using encryption are keeping the R&D close to home, focused on improving key management for their own offerings.
And, of course, we should be careful what we wish for. Convenience rarely comes without risk, and putting all your eggs in one basket demands hardware redundancy, secure backup and recovery capabilities, and strong authentication policies for system access.