The system will initially manage the creation, distribution and protection of keys generated by LTO-4 tape drives in HP tape libraries, and HP said it will update the system to cover other data center encryption gear in future.
Key management systems are already shipping from suppliers such as IBM, Sun, EMC and Network Appliance – the latter two by virtue of their ownership of RSA Security and Decru respectively.
HP says that its system – called Secure Key Manager – qualifies as the first enterprise-class key manager on the market because of virtues such as coming support for non-tape encryption, better clustering, and certification for the US government’s FIPS 140-2 security standard – which has not yet actually been granted, but is in progress.
Key management system take on the overhead of managing large numbers of encryption keys, and ensuring that they are never lost, and are always instantly available at multiple disaster recovery locations, whenever data is to be recovered from encrypted backups.
ESG analyst Jon Oltsik said that it is too early to determine whether HP’s claim is valid. It’s tough to make a call like that when there is so little product out there in such a young market, he said.
HP said that it plans to support whatever key management standards emerge in future. But as yet there are no practical standards that allow one vendor’s key management system to talk to another vendor’s tape libraries or other encrypting gear. Vendors have said that they expect the IEEE’s P1619.3 security group to produce a standard, probably next year.
Oltsik said that customers’ decisions about which key management system to buy will very likely come from the security department. Storage and security will have to be integrated, and it will be the security guys that will have the final say. In that sense, the bigger enterprise suppliers – HP, IBM and EMC – will have an advantage.
HP’s Secure Key Manager will run across remote clusters of up to eight nodes. For redundancy with remote clustering, three or four nodes will do the trick. But once this system manages keys across the enterprise, it may be necessary to add additional nodes for performance reasons, said HP marketing director Patrick Eitenbichler.
Now it supports tape libraries. Support for switches comes next year, and if disk encryption is taken up, then this is where the keys for that will be managed, he said. Brocade and Cisco have already promised to ship optional blades for their SAN switches that can encrypt data in flight, and which are slated to ship this from Cisco, and next year from Brocade.
