Data Security archives - Storage Soup


Nov 12 2009   7:08PM GMT

CA launches mainframe-based encryption key management software



Posted by: Beth Pariseau
data security

Claiming its approach to enterprise data security key management will assure users of reliability, CA this week launched Encryption Key Manager (EKM), a software offering that runs on the z/OS mainframe and can manage keys for CA Tape Encryption as well as for IBM tape encryption.

Stefan Kochishan, director of storage product marketing for CA, said a lack of key management standards for encryption at the various points where it is deployed in the enterprise has hindered encryption adoption. But, he argued, many customers are also concerned about the reliability of open-systems-based encryption key managers, since encrypted data is effectively lost if the keys needed to read it are lost.

The new z/OS-based product manages IBM and CA tape encryption instances and automatically mirrors keys among mainframes at up to three sites, replicating over SSL and using digital certificates to protect the integrity of the key data. Keys can then be recovered from an alternate site should the primary key manager fail, a key be accidentally deleted, or the primary site be lost in a disaster. Because replication faithfully propagates a deleted or corrupted key to every mirror, users can also back up the key store as a separate point-in-time copy to mitigate the threat of rolling corruption in the replication system.
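The distinction between the mirrored key stores and the separate backup is the part of this design worth seeing in code. The following is an added illustration written for this page, not CA's code: three in-memory key stores stand in for the mainframes at three sites, an HMAC-SHA256 tag over each key record stands in for the certificate-based integrity protection the article mentions, and the SSL transport is omitted. It shows that replication carries an accidental deletion to every mirror, that recovery of that key has to come from the point-in-time snapshot, and that a mirror refuses a record whose integrity tag does not verify. All names, key ids and the shared integrity key are constructed for the example.

```python
import copy
import hashlib
import hmac
import json
import secrets


class KeyStore:
    """One site's key store: key_id -> {"material": hex, "tag": hex}.
    The tag is an HMAC over the record (assumption standing in for the
    article's certificate-based integrity protection)."""

    def __init__(self, integrity_key: bytes):
        self._ikey = integrity_key
        self.records: dict[str, dict] = {}

    def _tag(self, key_id: str, material: str) -> str:
        msg = json.dumps({"id": key_id, "material": material}, sort_keys=True).encode()
        return hmac.new(self._ikey, msg, hashlib.sha256).hexdigest()

    def create(self, key_id: str) -> dict:
        material = secrets.token_hex(32)          # 256-bit tape key (toy)
        self.records[key_id] = {"material": material, "tag": self._tag(key_id, material)}
        return self.records[key_id]

    def delete(self, key_id: str) -> None:
        self.records.pop(key_id, None)

    def verify(self, key_id: str, record: dict) -> bool:
        return hmac.compare_digest(record["tag"], self._tag(key_id, record["material"]))

    def accept_replica(self, key_id: str, record: dict) -> bool:
        """A mirror stores a replicated record only if its tag checks out."""
        if not self.verify(key_id, record):
            return False
        self.records[key_id] = dict(record)
        return True


def replicate(primary: KeyStore, mirrors: list[KeyStore]) -> list[str]:
    """Push the primary's full state to every mirror. Deletions propagate too.
    Returns ids of records a mirror refused because the tag did not verify."""
    rejected = []
    for m in mirrors:
        for kid in [k for k in m.records if k not in primary.records]:
            m.delete(kid)
        for kid, rec in primary.records.items():
            if not m.accept_replica(kid, rec):
                rejected.append(kid)
    return rejected


def snapshot(store: KeyStore) -> dict:
    """Point-in-time backup, kept outside the replication loop."""
    return copy.deepcopy(store.records)


def restore(store: KeyStore, snap: dict) -> None:
    store.records = copy.deepcopy(snap)


def demo() -> dict:
    ikey = secrets.token_bytes(32)                # shared integrity key (assumption)
    primary, site2, site3 = (KeyStore(ikey) for _ in range(3))
    mirrors = [site2, site3]
    primary.create("tape-2009-11-A")
    primary.create("tape-2009-11-B")
    replicate(primary, mirrors)
    out = {"mirrored": primary.records == site2.records == site3.records}

    backup = snapshot(primary)                    # taken before anything goes wrong

    # Operator error: a key is deleted on the primary and the deletion replicates.
    primary.delete("tape-2009-11-A")
    replicate(primary, mirrors)
    out["deletion_replicated"] = all("tape-2009-11-A" not in m.records for m in mirrors)

    # Recovery comes from the snapshot, not from the (now equally wrong) mirrors.
    restore(primary, backup)
    replicate(primary, mirrors)
    out["recovered_from_backup"] = all("tape-2009-11-A" in m.records for m in mirrors)

    # A record corrupted on the wire is rejected rather than overwriting a good key.
    bad = dict(primary.records["tape-2009-11-B"])
    bad["material"] = "00" * 32
    out["corrupt_rejected"] = not site2.accept_replica("tape-2009-11-B", bad)
    out["good_key_kept"] = site2.verify("tape-2009-11-B", site2.records["tape-2009-11-B"])
    return out


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is that mirroring across three sites protects against a site or a key manager being lost, but not against a deletion or corruption that the primary itself commits and then replicates; only the snapshot taken outside the replication loop covers that case, which is why the article lists the key-store backup as a separate control.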

“This is the first step in a strategy where we want to be the key manager for other encryption solutions,” Kochishan said. CA is considering managing Sun/StorageTek tape encryption next, though it doesn’t have plans for LTO.

But aren’t the mainframe and IBM focus creating another silo for enterprise key management? What about non-mainframe shops? Kochishan argues that the enterprises most likely to be concerned with advanced key management are financial services companies and banks, which tend to still be running mainframes. Mainframe is also in CA’s DNA.

“It has to be mainframe based,” Kochishan said. “Some companies take distributed systems data and upload it to the mainframe, and have it backed up and tracked through mainframe applications…the mainframe has great reliability and availability which will address customer concerns for high availability and eliminating a single point of failure.”

What about business partners of mainframe customers who want to receive encrypted data? Kochishan said customers have a choice of methods for sending public keys to business partners: on a tape encrypted by CA Tape Encryption, on a natively encrypted IBM TS1130 tape, or over SSL via replication from the mainframe.

Why not use IBM’s own Encryption Key Manager if you’re already running a z/OS mainframe and an IBM tape library? “IBM EKM has key management in the name but it’s not truly that,” Kochishan said. He says IBM’s product “doesn’t perform auditing, tracking, backup, recovery and expiration” of keys. IBM also sells Tivoli Key Lifecycle Manager, but it’s “an extra cost item.” Speaking of cost items, CA’s starting price is $16,377 and an unlimited-usage license starts at $54,590.

Kochishan acknowledged key management standards will still be, er, key to encryption adoption, even if CA’s approach has succeeded in allaying users’ reliability concerns. One of CA’s technical architects is on the board of the OASIS standards body working on a standard as we speak. “That is a complaint among customers,” Kochishan said.

Nov 6 2008   2:26PM GMT

Harvard Law School offers clarifications on lost backup tape



Posted by: Beth Pariseau
data backup, data security

The Boston Globe reported this morning that an unencrypted backup tape containing personal information on some 21,000 clients of the school’s legal clinic has been lost. According to the newspaper, the tape was lost by a technician who was transporting it on the subway.

The Globe story also reports:

To prevent a similar occurrence in the future, the law school is encrypting the center’s computer servers and backup tapes for a higher level of protection beyond the password. It has bought a new tape library with a bar-code reader for better inventory control and hired a professional courier service to transport the backup tapes.

School spokesperson Robert London told me this afternoon that the Globe story “gives the impression” that the law school has determined where and how the tape was lost, but that’s not the case. “It’s possible it was lost in transit on the MBTA, but it could have been lost after it reached our campus,” he said. The Globe story does not cite a specific source for that information.

London added that the tape was coming from a remote office that was about to become the last branch of the law school to deploy tape encryption, and said the rest of the school’s facilities already have encryption in place. To lose a backup tape from that particular system was “just bad timing and bad luck,” he said.


Sep 24 2008   9:22AM GMT

Last stand for NetApp’s DataFort?



Posted by: Dave Raffo
Strategic storage vendors, data security

In his latest blog, NetApp chief marketing officer Jay Kidd waxes enthusiastic about Brocade’s new encryption devices:

Brocade has new blindingly fast Fibre Channel switches and director blades that integrate almost 100 GB/s [actually 96 GB/s] of encrypting bandwidth.

Kidd is a former Brocade guy, and maybe he’s happy for his old colleagues. But it’s more likely that he sees the encryption switch and blade as a boon for his current company. He goes on to say: “NetApp will resell the Brocade products as our next generation FC DataFort.”

DataFort is the encryption device platform that NetApp acquired when it bought Decru for $272 million in 2005. Brocade’s devices support NetApp key management, and Brocade licensed its encryption technology to NetApp to ensure compatibility between its devices and the DataFort platform. That’s why the headline on Kidd’s blog reads: “NetApp and Brocade’s Encryption Partnership.”

Kidd’s post doesn’t discuss NetApp’s plans for the rest of the DataFort line. Besides the FC version, DataFort supports iSCSI, NAS and legacy SCSI systems. After getting briefed by Brocade last week, I asked NetApp specifically about the future of DataFort. NetApp’s senior director of data protection solutions Chris Cummings sent an email positioning the Brocade news as an expansion of the platform. “… over the past year, NetApp has also added the ability to deliver key management services combined with encryption delivered by existing components of the data center fabric, including application and tape providers, and now switch providers,” he wrote.

Brocade reps and others in the industry expect NetApp to keep DataFort as a lower-end encryption device while selling Brocade’s products for data center encryption. But it also sounds like NetApp sees Brocade rather than DataFort as its encryption platform for the future.