Rick Robinson and Walid Rjaibi, both from IBM, co-presented. As the storage of data across seamless on-premise, mobile, and cloud systems platforms becomes ubiquitous, the need for protecting the data, regardless of its location, also needs to be maintained through the use of encryption—and that means centralized key management.
How has industry adopted encryption, especially in the cloud? What applications have adopted centralized key management in the cloud? What are the standards?
There are two types of encryption: Symmetric and Asymmetric. Symmetric like AES or 3DES use the same key for both encryption and decryption. It is faster and designed for large amounts of data. The Symmetric key must be kept private and secure.
Asymmetric like RSA, ECC and Diffie-Hellman use two keys, a public key for encryption, and a private key for decryption. This is slower and intended for smaller amounts of data. However, you can freely share the public key with anyone, publish on your website or print it on your business cards. That is because it cannot be used to decrypt any data!
Don't let the size of the key fool you. AES 256-bit has more security strength than RSA-2048 or ECC-384.
Initial implementations used Electronic Code Block (ECB), which uses just the information in the block of data. Two identical plain-text blocks would be encrypted to identical encrypted blocks. Good for deduplication, but bad for security as hackers love to find patterns.
To solve this, Cyber Block Chain (CBC) uses a bit of the previous block to randomize the data so that even identical plain-text blocks would be encrypted to different results. This is like making sourdough bread, a piece of yesterday's dough is saved and used to rise the yeast for today. To get the sequence started, you need an "Initialization Vector" which is either randomly generated, or a "nonce" (which is short for a number-only-used-once).
For handshake sessions, the TLS protocol generates a Symmetric key that both the sender and recipient will use for bulk data transfer. Then, the sender uses the receiver's public key to send the Symmetric key to the receiver. The receiver uses the sender's public key to acknowledge. Once the handshake is complete, both sender and receiver use the shared Symmetric key to transfer the rest of the data.
This notion of wrapping the Symmetric key with an Asymmetric key is also used on tape and disk. The Symmetric key is often randomly assigned per disk drive or tape cartridge, and the Asymmetric key is referred to as the Key-Encrypting-Key (KEK) or "Master Key".
(The best way to explain this is a Real Estate agent that shows different houses to prospective buyers. Rather than having the agent carry 50 different house keys, she carries a single "master key". At each house, there is a locked box hanging on the door knob that can be opened with the master key, and inside this box is the key that opens that particular house.)
The other challenge to encryption is managing the keys. If you lose the key, you lose access to the data. If the keys are divulged to the wrong parties, you may need to re-encrypt your data to avoid inadvertent exposure. Master keys can be rotated every 90 days, just like passwords.
Where do you store your keys. There are several options:
- Public Key Cryptography Standard (PKCS) #12 -- defines a method to store keys in a password-protect file, such as a USB thumb drive. IBM GSKit is available to assist with this.
- Enterprise Key Manager (EKM) refers to a set of software packages that manage and distribute encryption keys. IBM Security Key Lifecycle Manager (SKLM), Safenet KeySecure, and Thales EKM are three popular examples.
- Hardware Security Module (HSM) is hardware designed to securely store keys. IBM z13 Crypto and Safenet Luna are two examples.
- Cloud-KMS are key management systems for Cloud providers. IBM Key Protect, Amazon Web Services KMS, and Microsoft Azure Key Vault are three examples.
In a survey done by Thales, the statistics are scary: Only 36 percent of companies have consistent encryption policy. Nearly half (49 percent) of companies use encryption, but inconsistently across their organization. The remaining 15 percent have no encryption strategy whatsoever.
Here is what IBM offers for zSystems, as well as Linux, UNIX and Windows (collectively referred to as LUW):
For zSystems
data-at-rest | For z and LUW
data-at-rest | LUW
data-in-use | Cloud
data-in-Cloud |
|---|
| Enterprise Key Management Foundation (EKMF) |
IBM Security Key Lifecycle Manager (SKLM) |
Guardium Data Encryption (GDE) |
IBM Key Protect (backed by a Safenet Luna HSM) |
Thomas Kelley and Mahendra Velchuru, both from Boeing, co-presented. The Boeing Company celebrates its 100th year in business in 2016. During this time we have traced the history of computing systems within the industry and have utilized IBM as a strategic partner for many decades.
Boeing found themselves with a large inventory of computing systems and technologies that are required to support their business and drive innovation. As they begin their second century, they are launching several critical systems modernizations and technology initiatives in order to maintain our role as the world's leading aerospace provider.
(While other rooms at this conference packed 80 people in a room with only 50 chairs, this session was scheduled in a room that could hold two Boeing 747 airplanes and hundreds of chairs.)
Over the years, Boeing transition from Remote Procedure Call (RPC), to Common Object Request Broker Architecture (CORBA), to Integration Brokers, to Enterprise Service Bus (ESB) Service Oriented Architecture (SOA).
(At this point, I could have gotten up and left the room, as obviously the "Systems" referred to in the title were not referring to IBM Systems, like server, network or storage systems, as I had anticipated. However, I decided to stay and learn more.)
Boeing explained their "Six Pillars" of SOA transformation, starting with a Maturity Assessment of where they were, then a four-year roadmap of transformation, and adopting a Bi-Modal SOA method, and adopting the right level of SOA Governance to keep it running correctly.