But why was KMIP necessary to begin with? The short answer: more and more organizations were deploying encryption in multiple environments. But with encryption comes the need to properly manage the encryption keys. As encryption spread across multiple enterprise applications, it became harder to manage the keys from the different enterprise cryptographic applications. Better standards were needed to create uniform interfaces for the centralized encryption key manager.
Companies soon saw the benefits of adopting KMIP. Both large and small organizations need their key management to work every time and need it to scale as their organization grows. And while other work was done to address this issue, like OASIS EKMI, IEEE P1619.3, and IETF Keyprov, KMIP was designed to have a broader scope than its predecessors and give more comprehensive standards for the industry.
In 2010, KMIP debuted at RSA. HP, IBM, and others demonstrated that their client programs using the KMIP version 1.0 protocol could “communicate securely with key management servers. The clients and servers [demonstrated] essential use cases such as generating cryptographic keys, locating existing keys, and retrieving, registering, and deleting keys.”
In 2011 at the RSA Conference, major players like IBM, RSA, and HP demonstrated KMIP 1.0 compatibility with their client programs. And again in 2012 and in 2013, even more companies like Thales, NetApp, and Townsend Security demonstrated KMIP compliance. With all these prominent players becoming KMIP compatible, it was a major signal to the industry that KMIP was rapidly becoming the industry standard for interoperable communications for key managers.
Fast forward to 2014. The Storage Networking Industry Association (SNIA) announced a testing program for KMIP conformance for its members. In their words, “By introducing the KMIP Test Program for the industry, we’re helping to encourage not only the adoption of enterprise-class key management, but a means for vendors to test for conformance and provide an assurance of interoperability and a layer of trust to their customers.”
At OASIS’ Interoperability Showcase at RSA 2016, 16 companies, including Townsend Security, demonstrated KMIP compatibility. And with the likes of VMware, Oracle, Quantum, and many others demonstrating KMIP compatibility, KMIP has become a dominant standard in key management interoperability.
Encryption is your last, best defense for data at rest. But encryption is only as good as your key management. If the key is exposed to hackers, the data is lost as well. This is why key management standards like KMIP have already attracted considerable interest, and will continue to do so. The ability to have a variety of vendor applications, platforms, and databases all able to communicate with a centralized key manager enhances the data security posture of the enterprise. And this is what organizations should strive to achieve.
OASIS built the standard to address a broader scope of issues than older industry standards addressed. But KMIP is still being actively matured by OASIS (we are on version 1.3), and we should expect to see further enhancements and revisions to the standard as well as broader industry adoption. This should give us confidence that KMIP, as a well-accepted, road-tested standard, will continue to grow in industry popularity in years to come.