Information technology deployment may be characterized as systems built using various tiers or components from an enterprise technology stack. An enterprise technology stack includes tiers or components such as applications, middle-ware, databases, virtual machines, operating systems, servers, networks, and storage.
At present, the process of securing confidential data via data encryption is handled in an ad-hoc manner at the component level. In one example, upon capturing data, applications may encrypt sensitive data, and later decrypt that data before it is transmitted to middle-ware over a secure channel. Middle-ware may also encrypt sensitive data and decrypt it before the data is stored in a database. A database itself may also encrypt sensitive data by encrypting the table space or column space. Thereafter, the data may be decrypted for reporting purpose or when needed by an application. Later, a backup application may perform a database backup and store an encrypted backup on a disk or tape. The storage appliance may also apply encryption via a file system (e.g., data sets or virtual pools) when storing data on disk. Similarly, a tape drive may also encrypt data before writing it on a tape cartridge.
Thus, confidential data is secured by applying encryption within a tier. When moving from one tier to another, encrypted data is first decrypted within the same tier and then passed on to the next tier over a secured channel where that data may be encrypted all over again. Consequently, the same data may be encrypted and decrypted multiple times as it moves from applications to storage, or otherwise between components, thereby introducing performance bottlenecks and increasing enterprise management complexity.
Indeed, in this current approach, an enterprise administrator deals with increased management complexity in terms of planning, configuring, and monitoring encryption end-points within each tier or component. Creating, securely storing, and managing encryption keys for these disparate encryption end-points is also a challenge.
Thus, there exists a need for an improved system and method for managing keys for use in encrypting and decrypting data in a technology stack to address these challenges. Such a system and method would implement a grouping mechanism within a centralized key management system (KMS). Such a KMS would not only securely create and store encryption keys, but also manage key life-cycles for the encryption end-points enrolled within a KMS groups.