CA this week launched Encryption Key Manager (EKM), a software offering that runs on z/OS mainframes and manages keys for CA Tape Encryption as well as IBM tape formats, claiming that its approach to enterprise key management will assure users of reliability.
Stefan Kochishan, director of storage product marketing for CA, said the lack of a key management standard spanning the various points at which encryption is deployed in the enterprise has hindered encryption adoption. But, he argued, many customers are also concerned about the reliability of open-systems-based encryption key managers, since encrypted data is lost if the keys needed to access it are lost.
The new z/OS-based product manages IBM and CA tape encryption instances and automatically mirrors keys among mainframes at up to three sites, replicating over SSL with digital certificates for data integrity. This lets keys be recovered from an alternate location if the primary key manager fails, a key is accidentally deleted, or the primary site is lost in a disaster. Users can also back up the key store to mitigate the threat of rolling corruption in the replication system, where a bad change at one site is faithfully propagated to every mirror.
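The replication and backup design described above, as an added illustration that is not CA's code: a toy three-site key store mirror. Each change record is authenticated with an HMAC under a shared replication secret (an assumed stand-in for the product's signed replication over SSL; the record format, key store layout, key IDs and site count are constructed for this example). Integrity checks on the wire reject a record corrupted in transit, but an accidental delete is a correctly authenticated change and replicates to every mirror, which is exactly the case a point-in-time backup of the key store exists for.

```python
"""Replicated key store: integrity-checked mirroring plus point-in-time backup.

Added example (not CA's code). Shows why a key manager needs both an
integrity check on replicated changes and an independent backup: the check
stops corruption in transit, the backup is the only way back from a valid
change that was a mistake (a deleted key propagated to all mirrors).
"""
import copy
import hashlib
import hmac
import json
import secrets

# Assumed shared secret for authenticating replication records.
# A real deployment would use per-site certificates, not one static value.
REPLICATION_SECRET = b"assumed-shared-replication-secret"

KEY_ID = "tape-key-0001"  # constructed key identifier


def make_record(op, key_id, material, secret=REPLICATION_SECRET):
    """Build a change record ('put' or 'delete') and tag it with HMAC-SHA256."""
    body = {"op": op, "key_id": key_id, "material": material}
    body_bytes = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(secret, body_bytes, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_record(record, secret=REPLICATION_SECRET):
    """Recompute the tag over the received body; constant-time compare."""
    body_bytes = json.dumps(record["body"], sort_keys=True).encode()
    expected = hmac.new(secret, body_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def apply_record(store, record):
    """Apply a change to one site's key store (a plain dict here)."""
    body = record["body"]
    if body["op"] == "put":
        store[body["key_id"]] = body["material"]
    elif body["op"] == "delete":
        store.pop(body["key_id"], None)
    else:
        raise ValueError("unknown op %r" % body["op"])


def replicate(record, mirrors, secret=REPLICATION_SECRET):
    """Send one change to every mirror; each mirror verifies before applying.

    Returns a list of booleans, one per mirror: True if it accepted the change.
    """
    accepted = []
    for mirror in mirrors:
        ok = verify_record(record, secret)
        if ok:
            apply_record(mirror, record)
        accepted.append(ok)
    return accepted


def corrupt_in_transit(record):
    """Simulate a bit flip on the wire by altering one hex digit of the key."""
    bad = copy.deepcopy(record)
    m = bad["body"]["material"]
    bad["body"]["material"] = ("0" if m[0] != "0" else "1") + m[1:]
    return bad


def snapshot(store):
    """Point-in-time backup of a key store, independent of the mirrors."""
    return copy.deepcopy(store)


def scenario():
    """Run the three cases and report what each site ended up with."""
    primary = {}
    mirrors = [{}, {}]            # sites B and C; three sites in total
    sites = [primary] + mirrors

    # 1. Normal path: a new tape key is created at the primary and mirrored.
    rec = make_record("put", KEY_ID, secrets.token_hex(32))
    apply_record(primary, rec)
    accepted_good = replicate(rec, mirrors)

    # 2. Corruption in transit: the tag no longer matches, mirrors reject it
    #    and stay consistent with the primary.
    accepted_corrupt = replicate(corrupt_in_transit(rec), mirrors)
    consistent_after_corrupt = all(m == primary for m in mirrors)

    # 3. Backup taken before the operator error.
    backup = snapshot(primary)

    # 4. Accidental delete at the primary: correctly authenticated, so every
    #    mirror applies it and the key is gone at all three sites.
    del_rec = make_record("delete", KEY_ID, None)
    apply_record(primary, del_rec)
    accepted_delete = replicate(del_rec, mirrors)
    present_after_delete = [KEY_ID in s for s in sites]

    # 5. Recovery has to come from the backup; no mirror still has the key.
    primary.clear()
    primary.update(backup)

    return {
        "mirrors_accepted_good": accepted_good,
        "mirrors_accepted_corrupt": accepted_corrupt,
        "consistent_after_corrupt": consistent_after_corrupt,
        "mirrors_accepted_delete": accepted_delete,
        "key_present_after_delete": present_after_delete,
        "key_restored_from_backup": KEY_ID in primary,
    }


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

The distinction the run makes visible is the one that matters when evaluating any key manager's "mirroring" claim: a signature or MAC on the replication stream protects against corruption and tampering in transit, but it does nothing against a well-formed change that should never have been made, so the backup of the key store has to be kept outside the replication loop.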
“This is the first step in a strategy where we want to be the key manager for other encryption solutions,” Kochishan said. CA is considering managing Sun/StorageTek tape encryption next, though it has no plans for LTO.
But doesn’t the mainframe and IBM focus create yet another silo for enterprise key management? What about non-mainframe shops? Kochishan argues that the enterprises most likely to care about advanced key management are financial services companies and banks, which tend to still run mainframes. Mainframe is also in CA’s DNA.
“It has to be mainframe based,” Kochishan said. “Some companies take distributed systems data and upload it to the mainframe, and have it backed up and tracked through mainframe applications…the mainframe has great reliability and availability which will address customer concerns for high availability and eliminating a single point of failure.”
What about business partners of mainframe customers who need to receive encrypted data? Kochishan said customers can choose how to send public keys to business partners: on a tape encrypted by CA Tape Encryption, on a natively encrypted IBM TS1130 tape, or over SSL via replication from the mainframe.
Why not use IBM’s Encryption Key Manager if you’re already running a z/OS mainframe and an IBM tape library? “IBM EKM has key management in the name but it’s not truly that,” Kochishan said. He says IBM “doesn’t perform auditing, tracking, backup, recovery and expiration” of keys. IBM also has Tivoli Key Lifecycle Manager, but it’s “an extra cost item.” Speaking of cost items, CA’s starting price is $16,377 and an unlimited-usage license starts at $54,590.
Kochishan acknowledged that key management standards will still be, er, key to encryption adoption, even if CA’s approach succeeds in allaying users’ reliability concerns. One of CA’s technical architects is on the board of the OASIS standards body that is working on such a standard as we speak. “That is a complaint among customers,” Kochishan said.