KMIP Cloud Use Case Kiran Thota – VMware Inc. Saikat Saha – Oracle Corp.
Agenda
• Discuss Cloud Challenges
• KMIP
• Sub-tasks & Plan
Background
• Traditional data-center-centric key management is insufficient for the cloud in:
  – Scale (the client population expands and shrinks in real time)
  – Automation
  – Migration
  – Geographical distribution and key manager locality for a better service experience (hybrid cloud)
Background
• Virtualization enables movement of workloads across infrastructure
  – Dynamic and automated key management
• Distribution of keys
  – Enterprises to Cloud Service Provider (CSP)
  – Key manager dedicated to a tenant (or shareable key manager infrastructure)
Scenario: KMIP in Cloud
[Diagram: Enterprise IT side with Enterprise App, Application Users, Enterprise Administrators, vSphere, Key Server and Key DB; Cloud Service Provider side with App Data and CSP Administrators]
Key Security Challenges in Cloud
• Trust establishment (contractual and on-line)
• Ownership of keys
• Protection of keys at rest
• Protection of keys in transit
• Defining & programming key policy
• Propagating key policy (server-to-server & server-to-client)
• Negotiating key policy (server-to-client for diverse clients)
• Managing access to keys
• Managing key life-cycle
• Enforcement of key policy
• Visibility of key-related services and infrastructure
• Proof of possession
• Client capabilities to ensure adequate protection of keys
Key Management in the Cloud
• Four big considerations
  – Where are keys created?
  – Where are keys used?
  – Where are keys stored?
  – Where are key policies managed?
• Enterprise
  – Keys created, used, stored and managed by the enterprise
• Hybrid
  – Keys created, stored and managed by the enterprise
  – Keys created, stored and managed by the enterprise but on the CSP's infrastructure
• CSP
  – Keys created, used, stored and managed by the CSP
Sub-Tasks
• Client-to-Server
  – Client Registration
  – Server Capability Query
  – Grouping and Policy Definition
• Server-to-Client
  – Notification to purge or kill
  – Client query (guarantee protection of keys)
Note: KMIP does not yet address migration of keys between Key Managers (server-to-server)
Client Registration
Automated, scalable client registration
Owner: Stan Feather (to confirm)
Server Capability Query
Query server for capabilities
– RNG
– FIPS
Owner: Tim Hudson (to confirm)
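The capability query above is a KMIP Query operation on the wire. The following is an added example, not code from the slides, VMware or Oracle: it hand-encodes a KMIP TTLV Query request that asks a server for its RNGs and its validations (the FIPS 140 entry point), then decodes the bytes again and pulls the requested Query Function values back out, the way a client or server-side dispatcher would. The tag, type and enumeration constants are the KMIP 1.x specification values; the helper function names and the choice of protocol version 1.3 are this example's own.

```python
import struct

# KMIP TTLV tags (3-byte values from the KMIP 1.x specification)
TAG_REQUEST_MESSAGE = 0x420078
TAG_REQUEST_HEADER = 0x420077
TAG_PROTOCOL_VERSION = 0x420069
TAG_PROTOCOL_VERSION_MAJOR = 0x42006A
TAG_PROTOCOL_VERSION_MINOR = 0x42006B
TAG_BATCH_COUNT = 0x42000D
TAG_BATCH_ITEM = 0x42000F
TAG_OPERATION = 0x42005C
TAG_REQUEST_PAYLOAD = 0x420079
TAG_QUERY_FUNCTION = 0x420074

# TTLV item types used here
TYPE_STRUCTURE = 0x01
TYPE_INTEGER = 0x02
TYPE_ENUMERATION = 0x05

OP_QUERY = 0x18  # Operation enumeration: Query

# Query Function enumeration values (RNGs / Validations / Capabilities were added in KMIP 1.3)
QUERY_OPERATIONS = 0x01
QUERY_SERVER_INFORMATION = 0x03
QUERY_RNGS = 0x08
QUERY_VALIDATIONS = 0x09   # FIPS 140 / Common Criteria validations the server holds
QUERY_CAPABILITIES = 0x0B


def _ttlv(tag, typ, value_bytes):
    """Wrap a value in a TTLV item: tag(3) + type(1) + length(4), value padded to 8 bytes."""
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(value_bytes))
    pad = (-len(value_bytes)) % 8
    return header + value_bytes + b"\x00" * pad


def integer(tag, value):
    return _ttlv(tag, TYPE_INTEGER, struct.pack(">i", value))


def enumeration(tag, value):
    return _ttlv(tag, TYPE_ENUMERATION, struct.pack(">I", value))


def structure(tag, *children):
    return _ttlv(tag, TYPE_STRUCTURE, b"".join(children))


def build_query_request(functions, major=1, minor=3):
    """Encode a single-item KMIP Query request for the given Query Function values."""
    header = structure(TAG_REQUEST_HEADER,
                       structure(TAG_PROTOCOL_VERSION,
                                 integer(TAG_PROTOCOL_VERSION_MAJOR, major),
                                 integer(TAG_PROTOCOL_VERSION_MINOR, minor)),
                       integer(TAG_BATCH_COUNT, 1))
    payload = structure(TAG_REQUEST_PAYLOAD,
                        *[enumeration(TAG_QUERY_FUNCTION, f) for f in functions])
    item = structure(TAG_BATCH_ITEM, enumeration(TAG_OPERATION, OP_QUERY), payload)
    return structure(TAG_REQUEST_MESSAGE, header, item)


def parse_ttlv(data):
    """Decode TTLV bytes into (tag, type, value) tuples, recursing into structures.

    Length fields are checked against the buffer so a truncated or lying
    length cannot make the parser read past the message.
    """
    items = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(data[pos:pos + 3], "big")
        typ = data[pos + 3]
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        start, end = pos + 8, pos + 8 + length
        if end > len(data):
            raise ValueError("TTLV length exceeds buffer")
        raw = data[start:end]
        if typ == TYPE_STRUCTURE:
            value = parse_ttlv(raw)
        elif typ in (TYPE_INTEGER, TYPE_ENUMERATION):
            if length != 4:
                raise ValueError("4-byte value expected")
            value = struct.unpack(">i" if typ == TYPE_INTEGER else ">I", raw)[0]
        else:
            value = raw  # other types are kept as raw bytes in this example
        items.append((tag, typ, value))
        pos = end + (-length) % 8  # skip the padding after the value
    return items


def requested_query_functions(data):
    """Return the Query Function values carried by an encoded Query request, in order."""
    found = []

    def walk(items):
        for tag, typ, value in items:
            if tag == TAG_QUERY_FUNCTION and typ == TYPE_ENUMERATION:
                found.append(value)
            elif typ == TYPE_STRUCTURE:
                walk(value)

    walk(parse_ttlv(data))
    return found


if __name__ == "__main__":
    msg = build_query_request([QUERY_RNGS, QUERY_VALIDATIONS])
    print(len(msg), "bytes:", msg.hex())
    print("requested:", requested_query_functions(msg))
```

A real client sends these bytes over the KMIP TLS session and reads a Response Message back; what matters for the deck's sub-task is that RNG and validation information are already addressable as Query Function values, so the capability query can be answered without a new operation.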
Grouping and Policy
Propose changes to allow grouping and policy for bulk management of keys.
Owner: Kiran Thota / Saikat Saha
Proposal by: Jan 30
Notify – Purge/Kill
Propose a notification from server to client to purge a key from usage.
Owner: Kiran Thota / Saikat Saha
Proposal by: Feb 07
Client Query
Propose a query from server to client to evaluate client capabilities.
Owner: Kiran Thota / Saikat Saha
Proposal by: Feb 20