As security threats become more sophisticated and data becomes more critical to corporate data centers, companies must stay one step ahead of new and existing security threats to ensure their data is secured to the fullest possible extent.
The term “Data at rest” refers to all data in computer storage while excluding data that is traversing a network or temporarily residing in computer memory to be read or updated. Data at rest can be archival or reference files that are changed rarely or never; data at rest can also be data that is subject to regular but not constant change. Examples include vital corporate files stored on the hard drive of an employee's notebook computer, files on an external backup medium, files on the servers of a storage area network (SAN), or files on the servers of an offsite backup service provider.
One technology commonly used to address security threats to data at rest is encryption, which secures data from unauthorized access using cryptographic keys. Storage devices such as tape drives, enterprise-class applications, network solutions and disk subsystems (such as those in virtual tape libraries) all utilize key-based encryption schemes in various forms.
A key management system maintains cryptographic keys used in data at rest encryption. Multiple key management systems are presently available, including IBM's TKLM (Tivoli Key Lifecycle Manager), Netapp's LKM (Lifetime Key Management), RSA's RKM (RSA Key Manager), and Hewlet Packard's SKM (Secure Key Manager). Each key management system has its own set of interfaces for communicating with the particular key management system. Because each key management system has its own set of interfaces, an enterprise desiring to use multiple key management systems must modify its own system to accommodate each set of interfaces. And even after such modifications have been made to accommodate an additional key management system, the enterprise system must be configured to recognize the presence of the additional key management system on the network.
Additionally, some key management systems provide varying degrees of redundancy and high availability (HA) so that operations on keys such as archival and retrieval are not affected by the loss of a key management system, for example due to a system crash. Some key management systems provide no redundancy, some fail to guarantee a time window for key replication, and some fail to provide feedback as to when a key has been replicated to multiple systems.
Accordingly, a need exists in the art for an improved solution for data encryption key archival.