

Storage systems

Key lifecycle management for secure storage

Many of today’s IT systems suffer from an alarming proliferation of cryptographic keys and certificates used in software applications, storage, servers, and communications, all of which are managed in a silo-based fashion. At the same time, an increasing number of complex operations are required to regularly create, deploy, refresh/roll over, back up, archive, restore, and delete each of these keys and certificates according to a set of business policies, in a secure and centrally auditable manner.

Failures to perform such operations can lead to downtime, disclosure of confidential content, and compromise or even loss of data, with all the associated costs and penalties. This drives the requirement to consolidate and automate these operations and to rely on a unified, centrally managed system to control them.
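To make the lifecycle operations and the policy/audit requirement concrete, here is an added toy example (not IBM's or TKLM's code): a key manager in which every operation listed above is checked against a business policy (legal state transitions, no archive without a backup, delete only from the archived state) and every attempt, allowed or denied, is written to one central audit trail. Actor names and key identifiers are constructed for the example.

```python
# Added example (not IBM's TKLM code): a toy policy-driven key lifecycle manager for
# the operations listed above; every operation, allowed or denied, goes to one audit trail.
import os
from dataclasses import dataclass, field

# Business policy: the only legal state transitions; anything else is denied.
POLICY = {"created": {"deployed"}, "deployed": {"archived"},
          "archived": {"restored", "deleted"}, "restored": {"deployed"}}
@dataclass
class KeyRecord:
    key_id: str
    version: int
    material: bytes
    state: str = "created"
    backed_up: bool = False
@dataclass
class KeyManager:
    keys: dict = field(default_factory=dict)     # key_id -> current version
    retired: list = field(default_factory=list)  # old versions, decrypt-only
    audit: list = field(default_factory=list)    # (actor, key_id, op, result)
    def _log(self, actor, key_id, op, result):
        self.audit.append((actor, key_id, op, result))
    def _transition(self, actor, key_id, new_state):
        rec = self.keys[key_id]
        if new_state not in POLICY.get(rec.state, set()):
            self._log(actor, key_id, new_state, "DENIED")
            raise PermissionError(f"{rec.state} -> {new_state} violates policy")
        rec.state = new_state
        self._log(actor, key_id, new_state, "OK")
    def create(self, actor, key_id):
        self.keys[key_id] = KeyRecord(key_id, 1, os.urandom(32))
        self._log(actor, key_id, "create", "OK")
    def deploy(self, actor, key_id):  self._transition(actor, key_id, "deployed")
    def restore(self, actor, key_id): self._transition(actor, key_id, "restored")
    def delete(self, actor, key_id):  self._transition(actor, key_id, "deleted")
    def backup(self, actor, key_id):  # stand-in for writing an escrowed copy
        self.keys[key_id].backed_up = True; self._log(actor, key_id, "backup", "OK")
    def roll_over(self, actor, key_id):  # old material is kept for decryption only
        old = self.keys[key_id]
        if old.state != "deployed":
            self._log(actor, key_id, "roll_over", "DENIED")
            raise PermissionError("only a deployed key can be rolled over")
        self.retired.append(old)
        self.keys[key_id] = KeyRecord(key_id, old.version + 1, os.urandom(32), "deployed")
        self._log(actor, key_id, f"roll_over:v{old.version + 1}", "OK")
    def archive(self, actor, key_id):  # policy: never archive a key without a backup
        if not self.keys[key_id].backed_up:
            self._log(actor, key_id, "archive", "DENIED")
            raise PermissionError("archive requires a prior backup")
        self._transition(actor, key_id, "archived")
```

The audit list is what a central system would persist: a denied archive of an un-backed-up key, or a delete attempted on a deployed key, shows up there as a policy violation rather than silently succeeding.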

Surveys have revealed that complications with key distribution are the top operational problem faced by customers. Our research activities focus on these very issues: We are defining a common interface with a comprehensive protocol to perform management operations on all types of cryptographic objects. In addition, we are simplifying the deployment of the cryptographic objects with a novel automated mechanism based on common patterns.

This work is done in close collaboration with IBM Storage Development and Tivoli Security Management, which is responsible for the TKLM product (Tivoli Key Lifecycle Manager) announced in April 2008.

Images

Storage devices

Figure 1. Examples of storage devices and systems using encryption today.



Key management

Figure 2. Key management includes storage of cryptographic objects, serving/distribution of such objects to endpoints that perform cryptographic operations (storage systems, servers, switches, applications, etc.), and policy-based management of the lifecycle of such objects.