
KMIP Cloud Use Case






Presentation Transcript


  1. KMIP Cloud Use Case
     Kiran Thota – VMware Inc.; Saikat Saha – Oracle Corp.

  2. Agenda
     • Discuss Cloud Challenges
     • KMIP
     • Sub-tasks & Plan

  3. Background
     • Traditional data-center-centric key management is insufficient for the cloud in:
       • Scale (client population expands and shrinks in real time)
       • Automation
       • Migration
       • Geographical distribution and key manager locality for a better service experience (hybrid cloud)

  4. Background
     • Virtualization enables movement of workloads across infrastructure
     • Dynamic and automated key management
     • Distribution of keys
       • Enterprises to Cloud Service Provider (CSP)
       • Key manager dedicated to a tenant (or shareable key manager infrastructure)

  5. Scenario: KMIP in Cloud
     [Architecture diagram. Actors: Enterprise Administrators, Application Users, CSP Administrators. Components: Enterprise App, App Data, Key Server, vSphere, Key DB. Domains: Enterprise IT, Cloud Service Provider.]

  6. Key Security Challenges in Cloud
     • Trust establishment (contractual and on-line)
     • Ownership of keys
     • Protection of keys at rest
     • Protection of keys in transit
     • Defining & programming key policy
     • Propagating key policy (server-to-server & server-to-client)
     • Negotiating key policy (server-to-client for diverse clients)
     • Managing access to keys
     • Managing key life-cycle
     • Enforcement of key policy
     • Visibility of key-related services and infrastructure
     • Proof of possession
     • Client capabilities to ensure adequate protection of keys

  7. Key Management in the Cloud
     • Four big considerations
       • Where are keys created?
       • Where are keys used?
       • Where are keys stored?
       • Where are key policies managed?
     • Enterprise
       • Keys created, used, stored and managed by enterprise
     • Hybrid
       • Keys created, stored and managed by enterprise
       • Keys created, stored and managed by enterprise but at CSP’s infrastructure
     • CSP
       • Keys created, used, stored and managed by CSP

  8. Sub-Tasks
     • Client-to-Server
       • Client Registration
       • Server Capability Query
       • Grouping and Policy Definition
     • Server-to-Client
       • Notification to purge or kill
       • Client query (guarantee protection of keys)
     Note: KMIP does not yet address migration of keys between Key Managers (server-to-server)

  9. Client Registration
     Automated, scalable client registration
     Owner: Stan Feather (to confirm)

  10. Server Capability Query
     Query server for capabilities
     • RNG
     • FIPS
     Owner: Tim Hudson (to confirm)

  11. Grouping and Policy
     Propose changes to allow grouping and policy for bulk management of keys.
     Owner: Kiran Thota / Saikat Saha
     Proposal by: Jan 30

  12. Notify – Purge/Kill
     Propose a notification from server to client to purge a key from usage.
     Owner: Kiran Thota / Saikat Saha
     Proposal by: Feb 07

  13. Client Query
     Propose a query from server to client to evaluate client capabilities.
     Owner: Kiran Thota / Saikat Saha
     Proposal by: Feb 20
