IBM Security

Data Sheet

IBM Security Key Lifecycle

Manager
Simplify, centralize and automate encryption-key
management for your enterprise

Highlights
Simplify, centralize and automate the
encryption-key management process

Centrally manage encryption keys to

enhance data security and help facilitate
regulatory compliance

Gain flexibility with support for the

encryption-key management standard
the Key Management Interoperability
Protocol (KMIP) from the Organization
for the Advancement of Structured
Information Standards (OASIS)
consortium

Business data is growing at exponential rates, and along with that growth
comes a demand for securing that data on-premises and in the cloud.
Enterprises have responded by implementing encryption at various
layersin the hardware, on the network and in applications. This
response has resulted in a series of encryption silossome of them
holding confidential customer datawith inconsistent approaches to
managing security, keys and domains.
Different applications across the enterprise often employ different methods of encryption. Some departments dont encrypt data while the data is
at rest (such as when it is stored on a device or in a database) but only
when the data is in motion, using techniques such as Secure Sockets
Layer (SSL), Transport Layer Security (TLS) or virtual private networks
(VPNs) to secure the data pipeline. Other departments may encrypt particular data fields such as credit card numbers but leave other data in the
clear. Finally, some departments may use different encryption systems to
comply with specific standards or regulations, such as the Payment Card
Industry Data Security Standard (PCI DSS), Sarbanes-Oxley or the
Health Insurance Portability and Accountability Act (HIPAA).
Key management for these encryption approaches is often similarly
fragmented. Sometimes key management is carried out by department
teams using manual processes or embedded encryption tools. In some
cases, there is no formal key-management process in place.

IBM Security

Data Sheet

These keys have their own lifecycles separate from the data
theyre protectingand these lifecycles have to be managed,
from initialization and activation through expiration and
destruction. IBM Security Key Lifecycle Manager can help
you better manage the encryption key lifecycle, allowing
you to simplify, centralize and automate your organizations
key-management processes and reduce operational costs.
Together with innovative IBM self-encrypting storage offerings,
IBM Security Key Lifecycle Manager offers a proven solution
that can address concerns when a tape cartridge or disk drive is
removed from the storage system and transported in-house or
off-site. Lost storage media is not uncommon and brings with it
enormous direct and indirect costs for those who lose sensitive
information. With IBM System Storage self-encrypting offerings and IBM Security Key Lifecycle Manager, users no longer
have to worry about losing sensitive information if storage
media goes for repair, becomes misplaced or is stolen.
Additionally, support for the latest KMIP standard allows
IBM Security Key Lifecycle Manager to manage encryption
keys not only for IBM self-encrypting storage devices, but also
for a number of non-IBM encryption solutions, hence enabling
efficient management of encryption keys for the entire
organization.

IBMSecurity Key Lifecycle Manager provides easy, step-by-step screens

to help administrators set up specific storage-encryption devices with
best-of-breed security and cryptography.

Regardless of whether the key management process is

fragmented or non-existent, organizations are at risk of
losing control of their data.
Most organizations are now adopting policies of encrypting
all data at rest and centralizing the management of the
encryption keys for protecting that data. As a result, they need
a solution that integrates with multiple storage systems, uses
standard protocols, supports National Institute of Standards
and Technology (NIST) guidance, is certified to Federal
Information Processing Standard (FIPS) 140-2, and imposes
little or no burden on IT operations and processes.

Centrally manage encryption keys

IBM Security Key Lifecycle Manager serves keys at the time of
use to allow for centralized storage of key material in a secure
location, a unique approach that supports multiple protocols for
serving symmetric and asymmetric keys. Users can also centrally create, import, distribute, back up, archive and manage
the lifecycle of those keys using a customizable graphical user
interface (GUI).

Deploy a simple solution to a complex

problem
IBM Security Key Lifecycle Manager provides a simple
solution to the complex problem of key management. As
organizations adopt more encryption throughout their operations, more keys must be managed throughout their lifecycles.

The transparent encryption implementation of IBM Security

Key Lifecycle Manager enables keys to be generated and
served from a centralized location and never sent or stored

IBM Security

Data Sheet

IBM Security Key Lifecycle Manager not only manages

encryption keys for a wide range of devices, it also provides
broad support for them. It uses a combination of proprietary
and internationally standardized protocols to support:

in the clear. The embedded encryption engine in the

IBM self-encrypting storage offerings encrypts and decrypts
the data as it enters and leaves the storage system, which means
both faster and more secure handling of data.
IBM Security Key Lifecycle Manager can be deployed with an
optional hardware security module (HSM) to store the master
key that is used to protect all keys stored in the IBM Security
Key Lifecycle Manager keystore. This capability can be
enabled for installs with existing data or for new installations
of IBM Security Key Lifecycle Manager.

Disk

Tape

A broad range of IBM tape storage as well as Quantum and

Spectra Logic tape drives and libraries
A broad range of IBM disk storage (including IBM System
Storage DS series storage controllers)
Network storage devices from NetApp
Grid-scale storage solutions designed for cloud storage
implementations, such as IBM Spectrum Accelerate
High-performance enterprise file management systems, such
as IBM Spectrum Scale (formerly IBM General Parallel
File System [GPFS])
Data warehouse appliances, such as those from Netezza
Servers with self-encrypting disk drives, such as Lenovo
System x servers
Smart metering systems, such as those from Sensus

IBM Security Key Lifecycle Manager enables users to group

devices into separate domains. It allows multiple administrators
with different roles and permissions to be defined. Also, by
default, the groups of devices have access only to encryption
keys defined within their group. These role-based access
control features enable segregation of duties, mapping of permissions for actions performed against objects, and enforcement
of data isolation and security in a multi-tenancy environment.
This also enhances the security of sensitive key management
operations by allowing organizations to define which administrators can perform custodial actions on keys and limit the
permissions of operations staff to only the functions they
require to perform their jobs.

IBM Security Key

Lifecycle Manager
Network
storage
Big data
Manages
encryption keys

Servers

Smart meters

IBMSecurity Key Lifecycle Manager supports the device-specific encryption

requirements for a wide range of storage.

IBM Security

Data Sheet

Leverage a wide range of implementation

options

The approach for simplifying key management has been to

pre-generate keys or use key-wrapping keys to minimize when
keys are created and when they need to be replicated. However,
there are scenarios in which keys are created more frequently.
To accommodate this need, IBM Security Key Lifecycle
Manager works seamlessly with your existing high-availability
and disaster-recovery solutions. It has a built-in function for
automatically cloning up to 20 copies of all the data within
IBM Security Key Lifecycle Manager, thus eliminating the
chance of losing updates.

IBM Security Key Lifecycle Manager can be applied at different levels to simplify key management while meeting the
unique needs of your organization:

Enable strong authentication and strong

security
These rich capabilities are made possible by strong authentication between IBM storage systems and IBM Security Key
Lifecycle Manager. Each storage device or solution is registered
with IBM Security Key Lifecycle Manager prior to managing
the encryption keys of the device. Each time a storage device
reconnects to IBM Security Key Lifecycle Manager to
request a key, its identity is verified and cryptographically
authenticated using the devices identifying certificate. Any
unknown device is rejected or placed into a queue to be
approved by the administrator. With this strategy, a rogue
device cannot be deployed on the network and used to
intercept enterprise organizational keys.

In addition to strong authentication, there is also strong security between the storage device and IBM Security Key Lifecycle
Manager. Temporary session keys are used to encrypt the
encryption key and all of the traffic to the device.

This approach to encryption can dramatically increase data

security while simplifying encryption-key management. Users
do not need experience with encryption to realize the benefits.
And performance is not impacted because each storage device
has built-in hardware that performs the cryptographic functions
at wire speed without latency. Not having to change other processes, install more hardware or reconfigure software to support
hardware means that security is simple and straightforward.

For organizations that manage keys within separate silos,

IBM Security Key Lifecycle Manager can simplify complex
key distribution and management, reducing administrative
burdens within each silo.
For organizations that want centralized control and policydriven key management, IBM Security Key Lifecycle
Manager offers consolidated management of keys across
domains, supports standards that extend management to both
IBM and non-IBM products, and integrates well into existing
security-team methodologies.
For organizations wanting high availability and support for
disaster recovery, IBM Security Key Lifecycle Manager works
with a wide variety of clustering, replication and failover
implementations in their environments, leveraging current
investments.
The automated clone replication capabilities of IBM Security
Key Lifecycle Manager can clone up to 20 copies of a master
IBM Security Key Lifecycle Manager. The program can be
configured to do an automated backup of the master, then
restore and verify that up to 20 clones have all of the information in an IBM Security Key Lifecycle Manager instance.
While the cryptography inside of IBM Security Key Lifecycle
Manager is validated to FIPS 140-2 Level 1, users also have
the option to leverage FIPS 140-2 Level 2- or 3-validated
hardware to enhance key security.

Simplify key configuration and

management tasks
IBM Security Key Lifecycle Manager provides an easy-to-use,
web-based GUI that helps simplify key configuration and
management tasks. With this GUI, administrators can easily
create keystores, assign keys and manage the lifecycle of both
from a centralized console.

IBM Security

Data Sheet

Once registered, devices appear in the IBM Security Key

Lifecycle Manager key administration section and are ready for
use as a secure storage endpoint. The keys associated with the
devices can then be managed through the GUI, including making updates, expiring or destroying the keys. The IBM Security
Key Lifecycle Manager key administration welcome page provides critical notices to administrators, including information
about last backups and available protocols.

The software itself is typically installed on an organizations

most secure and highly available server, as a virtual machine, or
on a dedicated workstation. Once installed, the GUI allows
administrators to perform basic local key lifecycle management
on the drives and offers not only configuration and setup tools,
but also audit and compliance support. The software provides
three ways to add encryption-enabled devices: Auto-discovery
of encryption-capable devices, discovery with administrators
approval or manual addition. Once added, keys are assigned
automatically per configured policy.

Benefit from lightweight, flexible

deployments

The GUI also enables administrators to implement key retention for backed-up data and to address rules for regulatory compliance and legal discovery. In case of disaster, administrators
can provide a set of keys that can unlock encrypted backups and
make them available for use again. Administrators can configure
rules for automated rollover of groups of keys so that new
encryption keys are used automatically based on a configurable
schedule. In this way, administrators can limit the amount of
data encrypted with particular keys, minimize exposure when a
key is compromised and facilitate erasure of data by deleting
relevant keys when data is set to expire. The end result of
this automation is the ability to configure automated key
assignments over time such that the operations team has to
interact with key management very infrequently.

IBM Security Key Lifecycle Manager is an application that can

be deployed on a variety of Microsoft Windows, UNIX and
Linux operating systems. Its design and architecture do not
require extensive RAM or processing resources; in fact, the
solution can typically be deployed with 4 GB of RAM and
a single processor core.
Thanks to the applications small footprint and the ability to be
deployed as a virtual machine, organizations are easily able to
manage multiple instances of IBM Security Key Lifecycle
Manager for redundancy and high availability or alignment
with organizational structure.

Why IBM?
IBM has designed IBM Security Key Lifecycle Manager to help
your organization implement a unified key-management strategy that can help better secure your data, with performance you
need to support your critical business functions. Built on open
standards such as KMIP, the solution enables flexibility and
facilitates vendor interoperability. Its intuitive interface enables
quick time to value, while its innovative approach can help
dramatically reduce the number of keys administrators have to
manage. By enabling centralized management of strong encryption keys throughout the key lifecycle, IBM Security Key
Lifecycle Manager can help minimize the risk of exposure and
reduce operational costs.

Achieve quick time to value with

wizard-based assistance
IBM Security Key Lifecycle Manager uses a wizard-based guide
to help administrators through a series of simple, task-based
screens that guide users through key and device creation, as well
as handling of new device requests. Administrators can also
configure different devices to use certain communication
protocols including KMIP.

For more information

To learn more about IBM Security Key Lifecycle Manager,
contact your IBM representative or IBM Business Partner, or
visit: ibm.com/software/products/us/en/keylifecyclemanager

About IBM Security solutions

Copyright IBM Corporation 2015

IBM Security offers one of the most advanced and integrated

portfolios of enterprise security products and services. The
portfolio, supported by world-renowned IBM X-Force
research and development, provides security intelligence to help
organizations holistically protect their people, infrastructures,
data and applications, offering solutions for identity and access
management, database security, application development, risk
management, endpoint management, network security and
more. These solutions enable organizations to effectively
manage risk and implement integrated security for mobile,
cloud, social media and other enterprise business architectures.
IBM operates one of the worlds broadest security research,
development and delivery organizations, monitors 15 billion
security events per day in more than 130 countries, and holds
more than 3,000 security patents.

IBM Security
Route 100
Somers, NY 10589
Produced in the United States of America
December 2015
IBM, the IBM logo, ibm.com, IBM Spectrum Accelerate, IBM Spectrum
Scale, GPFS, System Storage, System Storage DS, and X-Force are
trademarks of International Business Machines Corp., registered in
many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks
is available on the web at Copyright and trademark information
at ibm.com/legal/copytrade.shtml
Netezza is a registered trademark of IBM International Group B.V.,
an IBM Company.
Linux is a registered trademark of Linus Torvalds in the United States,
other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the
United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States
and other countries.
This document is current as of the initial date of publication and may be
changed by IBM at any time. Not all offerings are available in every
country in which IBM operates.
The performance data discussed herein is presented as derived under
specific operating conditions. Actual results may vary.

Statement of Good Security Practices: IT system security involves

protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise.
Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your
systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or
security measure can be completely effective in preventing improper
use or access. IBM systems, products and services are designed to be
part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT
WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES
ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.

It is the users responsibility to evaluate and verify the operation of any

other products or programs with IBM products and programs.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED
AS IS WITHOUT ANY WARRANTY, EXPRESS OR
IMPLIED, INCLUDING WITHOUT ANY WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND ANY WARRANTY OR CONDITION OF
NON-INFRINGEMENT. IBM products are warranted according to the
terms and conditions of the agreements under which they are provided.
The client is responsible for ensuring compliance with laws and regulations
applicable to it. IBM does not provide legal advice or represent or warrant
that its services or products will ensure that the client is in compliance with
any law or regulation. Statements regarding IBMs future direction and
intent are subject to change or withdrawal without notice, and represent
goals and objectives only.
Please Recycle

WGD03087-USEN-00