KMIP Cloud Use Case
Kiran Thota – VMware Inc.
Saikat Saha – Oracle Corp.

Agenda
• Discuss Cloud Challenges
• KMIP
• Sub-tasks & Plan

Background
• Traditional data-center-centric key management is insufficient for the cloud in:
  • Scale (the client population expands and shrinks in real time)
  • Automation
  • Migration
  • Geographical distribution and key-manager locality for a better service experience (hybrid cloud)

Background
• Virtualization enables movement of workloads across infrastructure
• Dynamic and automated key management
• Distribution of keys
  • Enterprises to Cloud Service Provider (CSP)
  • Key manager dedicated to a tenant (or shareable key-manager infrastructure)
Scenario: KMIP in Cloud
[Diagram: Enterprise IT side with Enterprise Administrators, Application Users, Enterprise App, App Data and vSphere; Cloud Service Provider side with CSP Administrators, Key Server and Key DB]
Key Security Challenges in Cloud
• Trust establishment (contractual and on-line)
• Ownership of keys
• Protection of keys at rest
• Protection of keys in transit
• Defining & programming key policy
• Propagating key policy (server-to-server & server-to-client)
• Negotiating key policy (server-to-client for diverse clients)
• Managing access to keys
• Managing key life-cycle
• Enforcement of key policy
• Visibility of key-related services and infrastructure
• Proof of possession
• Client capabilities to ensure adequate protection of keys

Key Management in the Cloud
• Four big considerations
  • Where are keys created?
  • Where are keys used?
  • Where are keys stored?
  • Where are key policies managed?
• Enterprise
  • Keys created, used, stored and managed by enterprise
• Hybrid
  • Keys created, stored and managed by enterprise
  • Keys created, stored and managed by enterprise but at CSP’s infrastructure
• CSP
  • Keys created, used, stored and managed by CSP

Sub-Tasks
• Client-to-Server
  • Client Registration
  • Server Capability Query
  • Grouping and Policy Definition
• Server-to-Client
  • Notification to purge or kill
  • Client query (guarantee protection of keys)
Note: KMIP does not yet address migration of keys between Key Managers (server-to-server)
Client Registration
Automated, scalable client registration
Owner: Stan Feather (to confirm)

Server Capability Query
Query server for capabilities
• RNG
• FIPS
Owner: Tim Hudson (to confirm)
Grouping and Policy
Propose changes to allow grouping and policy for bulk management of keys.
Owner: Kiran Thota / Saikat Saha
Proposal by: Jan 30

Notify – Purge/Kill
Propose a notification from server to client to purge a key from usage.
Owner: Kiran Thota / Saikat Saha
Proposal by: Feb 07

Client Query
Propose a query from server to client to evaluate client capabilities.
Owner: Kiran Thota / Saikat Saha
Proposal by: Feb 20