PGP Offers Enterprise Key Management To Consolidate Encryption Control

PGP Key Management Server, announced today, aims to consolidate key management across third-party applications and devices, including custom applications, which typically lack built-in capabilities. PGP says enterprises are struggling with managing disparate certificate authorities for e-commerce, payment systems, file transfers and other processes. Wireless access points are another problem area, as large enterprises often use WLAN gear from multiple vendors, requiring separate key management for each. PGP Key Management Server allows enterprises to manage third-party application and device keys, consolidate controls and reduce the risk of data loss because of a corrupted or lost encryption key.

PGP's entry into the enterprise key management arena comes at a time when encryption is becoming pervasive. In the past, enterprises shied away from encryption projects, in part because of key management burdens. Today, they often don't have a choice as data security programs and compliance mandates, such as PCI DSS, HIPAA/HITECH, and a smorgasbord of state data protection laws, have pushed encryption into the enterprise. Meanwhile, web applications, storage systems, mobile devices, corporate databases, e-mail and other technologies increasingly rely on encryption to secure information in transit, authenticate transactions and protect data at rest. As more applications use encryption, key management becomes more difficult. "Key management is one of those 'gotcha' categories," says Jon Oltsik, analyst at Enterprise Strategy Group (ESG). "Encryption gets cheaper, you encrypt more stuff and key management becomes more important." At issue are labor-intensive and error-prone manual key management practices. Enterprises are most concerned about not being able to recover data if keys are lost or corrupted, says Oltsik. "They come to the realization that if it's so hard to recover a file, what happens if there is a real disaster?" He says consolidating into a central management system is a high priority.

Key Management Server features include support for asymmetric, symmetric and proprietary keys. It supports a variety of protocols, including KMIP, OPAL, IEEE 1619.3 and PKCS #11. It also automates certificate management and deployment. PGP also announced several enhancements to PGP Universal Server, its centralized management system for other PGP products, including full disk encryption for Linux and Mac OS X, enhanced performance for AES 128/256-bit cryptography and local self-recovery, allowing users to generate new pre-boot passphrases without calling the help desk.

PGP's main competitors in the nascent enterprise key management market include HP, IBM, Thales, EMC/RSA and NetApp, says Oltsik. Enterprises shopping for key management should consider tamper-resistant design, easy integration into other encryption devices or key management systems, secure authentication, quorum controls and adherence to open standards, especially FIPS 140-2 and, increasingly, the storage-oriented IEEE 1619.3 and OASIS Key Management Interoperability Protocol (KMIP).

Above all, however, Oltsik says products won't solve key management problems unless they rest on a foundation of sound enterprise-wide policies and processes. This is uncharted territory, he cautioned: there are no generally accepted best practices. "People are sort of learning on the fly," he says. "Developing processes and policies and getting the right people to manage them is the real difficult task."