EKMI is dead, long live EKMI. It was more than two years ago that I reached a proud milestone as a member of the open-source key management group for OASIS EKMI (Enterprise Key Management Infrastructure) — we released the SKSML (Symmetric Key Services Markup Language) in January 2009.
It was the culmination of projects I had been working on for years with StrongAuth to provide an easy and inexpensive encryption solution for the Payment Card Industry (PCI). SKSML did not get a warm welcome from some big-name vendors, but it did generate some industry attention.
Encryption represents a final level of protection. Even if data is lost or stolen, it’s of no value to the holder without the decryption key. EKMI is a valuable component in the operational and management aspects of encryption, and organizations with complex encryption requirements ought to start putting pressure on their application and security vendors to support the initiative.
The SKSML protocol had been available since 2006. Yet just a couple of months after the OASIS specification was final and public, we watched vendors step forward to form a separate and competing committee at OASIS: KMIP (Key Management Interoperability Protocol).
It was weird to see a competitive standard formed from within OASIS instead of from a competing organization (e.g. the IEEE P1619.3 or DSKPP from KEYPROV/IETF) as illustrated by ISACA in 2009.
On the other hand, we were pushing an open standard that emphasized ease of deployment and configuration. These concepts may have challenged the philosophy of some vendors to the point where they felt compelled to try and reboot the OASIS committee. The chair of EKMI stepped down rather than fight on all fronts.
Our goal was to push forward an enterprise key management protocol into the industry. To that end it was a success, even if our open and easy philosophy to key management was not adopted.
Today I was asked if I have heard of KMIP and asked whether it is a good idea. Not only do I think it is a great idea to have key management, I think we’re long overdue for a practical implementation in a multi-tenant environment (whitepaper forthcoming).
Cloud providers I’m working with need a solution that allows them to provide self-managed encryption to their customers. EKMI was definitely up to the job. In 2009 single-tenant storage encryption was said by some to be the real game in town, which EKMI saw as a subset of enterprise encryption (end-to-end and file-level encryption were also offered) rather than the entire focus. KMIP is an option and it now seems to be getting some attention, but its more closed approach, as well as its limitations with multi-tenancy, may resurrect interest in the original aims of EKMI.