In response to dramatic and widely publicized losses of data over the last few years, IT execs are moving to deploy encryption in every corner of the enterprise. While encryption does reduce the chances of data loss, it can also create a management nightmare, with dozens of different encryption applications using hundreds or thousands of keys.
To address that problem, vendors have developed enterprise encryption key management tools. Of the dozen vendors that we identified, three accepted our invitation — Thales, Venafi and Vormetric. Vendors who declined were Entrust, NetApp (Decru), PGP, Protegrity, RSA (EMC), SafeNet (Ingrian) and WinMagic.
The still-developing state of the market is reflected in the different types of products we received – an appliance from Thales that supports a variety of key exchange standards, software from Venafi that supports a broad range of applications, and an appliance from Vormetric that replaces existing encryption on a variety of platforms, enabling one appliance to manage encryption across a broad range of applications.
These are not simple drop-in applications – even the appliances will require a substantial amount of planning, installation and tuning. There is a wide range of tasks associated with key management: issuing, renewing and revoking keys; monitoring applications; reporting and logging; setting and auditing policies; management; and in some cases, discovery of applications using keys that can be managed through the system.
No single management tool will be able to perform all these tasks with every possible application using keys or certificates, or at least not without considerable custom programming. Part of the reason is that standards for key exchange (providing keys to one application by another) are still under development, and even when standards are ratified, it may take years before all enterprise applications and management solutions support them.
That's why each vendor we looked at has taken a different approach to the process:
— Thales uses existing certificate and key exchange protocols such as PKCS#11, Java JCE, OpenSSL and Microsoft's CryptoAPI/CNG.
— Venafi supports specific platforms, including servers such as Microsoft 2003, certificate authorities on many different platforms, plus other platforms such as F5 BIG-IP SSL offload processors and firewalls.
— Vormetric attempts to bypass the issue entirely by implementing both key management and the underlying encryption, access control and logging on a variety of platforms. Rather than relying on the built-in capabilities of some applications, Vormetric deploys an agent on each server or workstation to be protected; the agent controls access to the data and is managed through the Vormetric appliance.
To get one of the products to work with a server application requires an understanding of that application as well as the encryption standard or certificate authority model it uses.
Thales sends a systems engineer along with the appliance for new installations, providing installation support for the appliance itself, along with integration support for getting the device working with your applications.
Venafi and Vormetric also maintain large groups of pre- and post-sales support engineers for the same purposes, although on-site support is not included in the price of the product, and may not be necessary if you're using server applications that are already supported.
No pain, no gain
The complex process of integrating any of these products into your organization illustrates both the pain of the problem and the usefulness of the solution – the savings from being able to manage and monitor keys from one console can be dramatic, and will take a fair amount of work to implement, regardless of whose solution you use.
Each of these products may be a good fit for some organizations. The best way to start is checking compatibility with the applications that you'll need to manage. All three companies offer good pre-sales support that can help you figure out whether all the applications you need covered are supported or not. If not, they may be able to help you get their solution working with non-supported applications, though what this will cost is difficult to estimate.
These three products don't directly compete with each other. In fact, one organization might well have all three installed – Thales and Venafi have worked together to satisfy some customer requirements. Thales has FIPS-level security that some organizations that deal with the government will require, Venafi has an easy-to-use and straightforward discovery, management and deployment system, and Vormetric can handle encryption for applications that don't offer native encryption, including versions of Windows before 2008 and backups of IBM's DB2 and IDS databases.