Storage Soup

A SearchStorage.com blog.

Nov 12 2009 7:08PM GMT

CA launches mainframe-based encryption key management software



Posted by: Beth Pariseau
Tags:
data security

Claiming its approach to enterprise data security key management will assure users of reliability, CA this week launched a new Encryption Key Manager (EKM) software offering that runs on z/OS mainframes and can manage keys for CA Tape Encryption as well as IBM tape formats.

Stefan Kochishan, director of storage product marketing for CA, said a lack of key management standards for encryption at the various points it’s deployed in the enterprise has hindered encryption adoption. But, he argued, many customers are also concerned with the reliability of open-systems based encryption key managers, since without keys to access it, encrypted data can be lost.

The new z/OS-based product will manage IBM and CA tape encryption instances and automatically mirror keys among mainframes at up to three sites, including replication over SSL and digital certification for data integrity. This method allows keys to be re-created from an alternate location if the primary key manager fails, a key is accidentally deleted, or the primary site is lost in a disaster. Users can also back up the key store to mitigate the threat of rolling corruption in the replication system.

“This is the first step in a strategy where we want to be the key manager for other encryption solutions,” Kochishan said. CA is considering managing Sun/StorageTek tape encryption next, though it doesn’t have plans for LTO.

But isn’t the mainframe and IBM focus making another silo for enterprise key management? What about non-mainframe shops? Stefan argues the enterprises most likely to be concerned with advanced key management are financial services companies and banks, which tend to still be running mainframes. Mainframe is also in CA’s DNA.

“It has to be mainframe based,” Kochishan said. “Some companies take distributed systems data and upload it to the mainframe, and have it backed up and tracked through mainframe applications…the mainframe has great reliability and availability which will address customer concerns for high availability and eliminating a single point of failure.”

What about business partners of mainframe-having customers who want to receive encrypted data? Kochishan said customers have a choice of methods to send public keys to business partners. They can send keys on a tape encrypted by CA Tape Encryption, on a natively-encrypted IBM TS1130 tape, or over SSL via replication from the mainframe.

Why not use IBM’s Enterprise Key Manager if you’re already running a z/OS mainframe and an IBM tape library? “IBM EKM has key management in the name but it’s not truly that,” Kochishan said. He says IBM “doesn’t perform auditing, tracking, backup, recovery and expiration” of keys. IBM also has Tivoli Lifecycle Key Manager, but it’s “an extra cost item.” Speaking of cost items, CA’s starting price is $16,377 and an unlimited usage license starts at $54,590.

Kochishan acknowledged key management standards will still be, er, key to encryption adoption, even if CA’s approach has succeeded in allaying users’ reliability concerns. One of CA’s technical architects is on the board of the OASIS standards body working on a standard as we speak. “That is a complaint among customers,” Kochishan said.
