What is KMIP and Why Should Anyone Care?

Written by

Encryption continues to be a hot topic, with many diverse industries realizing its importance. Although proper encryption key management is still a struggle to overcome for many.

Considering that any one company may have several vendors’ solutions in-house addressing their needs, it can be difficult to implement an encryption and key management solution that works across the whole organization.

One way to help with this task is by implementing products that comply with the OASIS Key Management Interoperability Protocol (KMIP), which allows the interoperable exchange of data between different key management servers and clients. 

The Nuts and Bolts
OASIS is the Organization for the Advancement of Structured Information Standards, a “nonprofit consortium that drives the development, convergence and adoption of open standards for the global information society.” The group started discussions about a key management protocol in 2009, with KMIP making its first appearance in 2010, and with major companies including IBM and HP as early adopters.

The initial goal of KMIP was “to define an interoperable protocol for standard communication between key management servers, and clients and other actors which can utilize these keys.”

It was first established in the storage sector as a protocol for exchanging key management messages between archival storage (disk and tape) and key management servers. However, as security challenges grew, more organizations saw the need for encryption and a centralized key management system to unify all the moving parts.

KMIP helps facilitate data encryption by simplifying key management. Since any one organization may have several different keys from disparate vendors, KMIP solves the issue by managing it all on one platform. By establishing how to store and control managed objects – such as keys and certificates – KMIP defines how key management operations and data should be exchanged between client and servers. 

Those keys and certificates are then assigned values, and clients can use the KMIP protocol to conduct key management operation commands. As a starting point, here’s a sample of the three foundational key management operations:

  • Create – Tells the encryption platform to create a unique key
  • Get – Retrieves the key to use for a cryptographic function
  • Destroy – Destroys the key so it can’t be used for anything else

The road of possibilities ahead – and why this all matters
Adoption of KMIP has been strong and improving every year, with a diversifying base including storage devices, file and database servers, and communications products, plus more recent technologies like Internet of Things devices, cloud-based infrastructure and identity management. 

Aside from the typical technology companies one might expect to see implement KMIP, we’ve also seen universities, telecom companies and even libraries adopt it. Given the need for strong cybersecurity in everyday life, the list of KMIP vendors will continue to grow as the pace of encryption needs shows no signs of slowing. 

Enterprises operate with solutions and products of multiple vendors that perform a myriad of tasks every day. KMIP delivers a single comprehensive protocol for communication between encryption systems, from email, through databases and storage devices for a more complete cyber strategy.

By implementing KMIP conformant solutions, enterprises no longer have to struggle with multiple key management services, but can rely on a single, trusted source for creating, using and then destroying the keys.

Implementing an interoperable key management strategy can enable the strongest, centralized data protection approach that can both result in cost savings that can be put back toward the company, and in parallel can build the trust of consumers.

A recent CapGemini study on the retail sector found that “customer satisfaction and spending can drastically be improved by cybersecurity and data privacy assurance.” So, while investing in an effective cybersecurity strategy will require an investment in time and money, doing so is also “a business driver and can be a source of competitive advantage in the retail sector.”

Ultimately, adopting KMIP has clear benefits: it provides better data security and reduces costs by removing redundant, incompatible key management processes, enabling more pervasive encryption. Because KMIP can help companies do all that, it frees them up to focus on what they do best.

What’s hot on Infosecurity Magazine?