Key Management Interoperability Protocol (KMIP) is quickly becoming the industry standard for ensuring your product or software can communicate seamlessly with cryptographic key managers. In fact, a study by the Ponemon Institute in 2013 reported on the state of encryption trends and found that “more than half of those surveyed said that the KMIP standard was important in cloud encryption compared with 42% last year.” This is surprising since KMIP v1.0 was first ratified three short years earlier on October 1st, 2010!
How Did it All Start?
The first meeting held to start discussing the new set of standards was on April, 24th 2009 in San Francisco in conjunction with the RSA convention that year. In attendance were representatives from RSA, HP, IBM, Thales, Brocade, and NetApp. Their initial scope was to “develop specifications for the interoperability of key management services with key management clients. The specifications will address anticipated customer requirements for key lifecycle management”
But why was KMIP necessary to begin with? The short answer: more and more organizations were deploying encryption in multiple environments. But with encryption comes the need to properly manage the encryption keys. With encryption increasing across multiple enterprise applications it became harder to easily manage the keys from the different enterprise cryptographic applications. Better standards were needed to create uniform interfaces for the centralized encryption key manager.
Companies soon saw the benefits of adopting KMIP. Both large and small organizations need their key management to work every time and need it to scale as their organization grows. And while other work was done to address this issue, like OASIS EKMI, IEEE P1619.3, and IETF Keyprov KMIP was designed to have a broader scope than it’s predecessors and give more comprehensive standards for the industry.
How Was KMIP Initially Received?
In 2010, KMIP debuted at RSA. HP, IBM, and others demonstrated that their client programs using the KMIP version 1.0 protocol could “communicate securely with key management servers. The clients and servers [demonstrated] essential use cases such as generating cryptographic keys, locating existing keys, and retrieving, registering, and deleting keys.”
In 2011 at the RSA Conference major players like IBM, RSA, and HP demonstrated KMIP 1.0 compatibility with their client programs. And again in 2012 and in 2013 even more companies like Thales, NetApp, and Townsend Security demonstrated KMIP compliance. With all these prominent players becoming KMIP compatible, it was a major signal to the industry that KMIP was rapidly becoming the industry standard for interoperable communications for key managers.
How is KMIP Thought of Now?
Fast forward to 2014. The The Storage Networking Industry Association (SNIA) announced a testing program for KMIP conformance for its members. In their words, “By introducing the KMIP Test Program for the industry, we’re helping to encourage not only the adoption of enterprise–class key management, but a means for vendors to test for conformance and provide an assurance of interoperability and a layer of trust to their customers.”
At OASIS’ Interoperability Showcase at RSA 2016 16 companies, including Townsend Security, demonstrated KMIP compatibility. And with the likes of VMware, Oracle, Quantum, and many others demonstrating KMIP compatibility, KMIP has become a dominant standard in key management interoperability.
Encryption is your last, best defense for data at rest. But encryption is only as good as your key management. If the key is exposed to hackers, the data is lost as well. This is why key management standards like KMIP have already attracted considerable interest, and will continue to do so. The ability to have a variety of vendor applications, platforms, and databases all able to communicate with a centralized key manager enhances the data security posture of the enterprise. And this is what organizations should strive to achieve.
OASIS built the standard to address a broader scope of issues than what older industry standards addressed. But KMIP still is actively being matured by OASIS (we are on version 1.3) and we should expect to see further enhancements and revisions to the standard as well as broader industry adoption. This should give us confidence that KMIP as a well-accepted, road-tested standard will continue to grow in industry popularity in years to come.