IT Sense: Lost in Translation

With most of my six kids back in school, my role as homework consultant is again in full swing. The grade schoolers come to me with lists of vocabulary words to define, memorize, practice spelling, and use correctly in sentences. Meanwhile, my college-age kids call to discuss the finer points of abstract concepts.

This work is important, both in education and in IT. Words and concepts are the only tools we have to define IT strategies, to describe desired outcomes and objectives, to analyze alternative products and platforms, to organize implementation projects, and to assess results.

Unfortunately, these efforts are challenged by imprecision (and sometimes obfuscation) in both requirements definition and in industry literature covering solutions.

It isn’t enough that regulations and laws pertaining to information governance and privacy, for example, lack clarity and specificity. We’re simply told to protect data from accidental disclosure, but we aren’t really given any direction for securing data in a way that will pass muster in an audit or legal action.

Add to this the sometimes misleading verbiage in vendor marketing brochures regarding product capabilities and limitations, and you can readily see that IT planners confront a huge challenge. Most tell me they spend an inordinate amount of time sifting through vendor marketing materials, trying to separate the proverbial wheat from the chaff. Security, and perhaps storage, are the two industry segments with the biggest dictionary of marketecture terminology.

A while back, IBM released a Java language utility, the IBM Encryption Key Manager, to assist “IBM encryption-enabled tape drives in generating, protecting, storing, and maintaining encryption keys used to encrypt information being written to, and decrypt information being read from, tape media (tape and cartridge formats).” This EKM has been ported to several operating system environments and is “designed to run in the background as a shared resource deployed in several locations within an enterprise.”

On the surface, this sounds like a pretty useful tool. In fact, the name—IBM Encryption Key Manager—would suggest IBM is providing a comprehensive enterprise key management solution. But the truth is quite different.

EKM is a facilitator of key encryption, not a key-based encryption management system. It acts as a “background process,” awaiting key generation or key retrieval requests. These requests are sent to it via a TCP/IP communication path between itself and the tape library, tape controller, tape subsystem, device driver, or tape drive.

When a tape drive writes encrypted data, it first requests an encryption key from the Encryption Key Manager. Upon receipt, the Encryption Key Manager (with TS1120 tape drives) generates an Advanced Encryption Standard (AES) key and serves it to the tape drives in two protected forms: encrypted or wrapped, using Rivest-Shamir-Adleman (RSA) key pairs. TS1120 tape drives write this copy of the key to the cartridge memory and three additional places on the tape media in the cartridge for redundancy. Key wrapping is used for secure transfer of the key to the tape drive where it’s unwrapped and the key is used to encrypt the data being written to tape.

Conversely, when an encrypted tape cartridge is read by a TS1120 tape drive, the protected AES key on the tape is sent to the Encryption Key Manager where the wrapped AES key is unwrapped. The AES key is then wrapped with a different key for secure transfer back to the tape drive, where it’s unwrapped and used to decrypt the data stored on the tape.

EKM also allows protected AES keys to be rewrapped, or rekeyed, using different RSA keys from the originals used when the tape was written. Rekeying is useful when an unexpected need arises to export volumes to business partners whose public keys weren’t included. In short, it eliminates the need to rewrite the entire tape and enables a tape cartridge’s data key to be re-encrypted with a business partner’s public key.
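The wrap, unwrap, and rekey flow described above, reduced to working code as an added example. This is not IBM's code or on-tape format: the Cartridge record, RSA-OAEP for wrapping, and AES-GCM for the payload are assumptions chosen for illustration, and the point to watch is that Rekey adds a wrapped copy of the data key for a new public key while the payload ciphertext stays exactly as written.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Cartridge is a constructed stand-in for the on-tape record: payload ciphertext plus the data key wrapped per recipient.
type Cartridge struct {
	Nonce, Ciphertext []byte
	WrappedKeys       [][]byte // the same AES data key, one RSA-OAEP wrapped copy per recipient
}
// must keeps the example short: a failure here is a setup bug, not bad input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Wrap protects the AES data key for one RSA recipient; Unwrap reverses it.
func Wrap(pub *rsa.PublicKey, dataKey []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil))
}
func Unwrap(priv *rsa.PrivateKey, wrapped []byte) []byte {
	return must(rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil))
}
func gcm(dataKey []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(dataKey)))) }
// WriteCartridge: fresh AES-256 data key, encrypt the payload once, wrap the key for every recipient.
func WriteCartridge(payload []byte, pubs ...*rsa.PublicKey) *Cartridge {
	dataKey, nonce := make([]byte, 32), make([]byte, 12)
	must(rand.Read(dataKey))
	must(rand.Read(nonce))
	c := &Cartridge{Nonce: nonce, Ciphertext: gcm(dataKey).Seal(nil, nonce, payload, nil)}
	for _, p := range pubs {
		c.WrappedKeys = append(c.WrappedKeys, Wrap(p, dataKey))
	}
	return c
}
// Rekey admits a business partner: unwrap copy idx with an existing private key and
// rewrap under newPub. The payload ciphertext is never rewritten.
func Rekey(c *Cartridge, priv *rsa.PrivateKey, idx int, newPub *rsa.PublicKey) {
	c.WrappedKeys = append(c.WrappedKeys, Wrap(newPub, Unwrap(priv, c.WrappedKeys[idx])))
}
// ReadCartridge unwraps copy idx and decrypts; a tampered ciphertext fails GCM authentication.
func ReadCartridge(c *Cartridge, priv *rsa.PrivateKey, idx int) ([]byte, error) {
	return gcm(Unwrap(priv, c.WrappedKeys[idx])).Open(nil, c.Nonce, c.Ciphertext, nil)
}
```

In the real product the unwrap and rewrap happen inside EKM, which holds the RSA private keys; the drive only ever sees the data key wrapped for itself.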

Key generation, delivery, and decryption are all useful functions to facilitate. But they aren’t the full story of a comprehensive encryption system. For all the gory details of what’s involved in key encryption, consult the National Institute of Standards and Technology (NIST) Special Publication SP800-57, “Recommendation for Key Management—Part 2: Best Practices for Key Management Organization.” This 80-page document details the lifecycle of a key used to encrypt and/or decrypt electronic data.

The key management lifecycle involves much more than generating keys and using them to encrypt and decrypt data. The NIST publication describes six task sets that matter to anyone looking at data privacy: key generation, distribution, entry and output, storage, archiving, and ultimately, key destruction.

IBM’s EKM provides a piece of the key security puzzle, but not the complete solution—at least, not from the standpoint of Federal Information Processing Standards (FIPS) on security, which are increasingly referenced by planners in their efforts to devise a legally compliant data security strategy. For a more comprehensive lifecycle solution, you need to look beyond EKM to other security software suites that will leverage EKM functionality and augment it with NIST/FIPS lifecycle functions.

Just thought I would try to help clear up that little bit of vocabulary imprecision. Your comments are always welcome at jtoigo@toigopartners.com.