KMIP Cloud Use Case Kiran Thota – VMware Inc. Saikat Saha – Oracle Corp.
KMIP Cloud Use Case
Kiran Thota – VMware Inc.
Saikat Saha – Oracle Corp.
Agenda
• Discuss Cloud Challenges
• KMIP
• Sub-tasks & Plan
Background
• Traditional, data-center-centric key management is insufficient for the cloud in:
– Scale (client population expands and shrinks in real time)
– Automation
– Migration
– Geographical distribution and key manager locality for a better service experience (hybrid cloud)
Background
• Virtualization enables movement of workloads across infrastructure
– Dynamic and automated key management
• Distribution of keys
– Enterprise to Cloud Service Provider (CSP)
– Key manager dedicated to a tenant (or shareable key manager infrastructure)
Scenario: KMIP in Cloud
[Diagram; labels only: Cloud Service Provider, Enterprise IT, Enterprise App, App Data, Application Users, CSP Administrators, Enterprise Administrators, vSphere Key Server, Key DB]
Key Security Challenges in Cloud
• Trust establishment (contractual and on-line)
• Ownership of keys
• Protection of keys at rest
• Protection of keys in transit
• Defining & programming key policy
• Propagating key policy (server-to-server & server-to-client)
• Negotiating key policy (server-to-client for diverse clients)
• Managing access to keys
• Managing key life-cycle
• Enforcement of key policy
• Visibility of key-related services and infrastructure
• Proof of possession
• Client capabilities to ensure adequate protection of keys
Key Management in the Cloud
• Four big considerations
– Where are keys created?
– Where are keys used?
– Where are keys stored?
– Where are key policies managed?
• Enterprise
– Keys created, used, stored and managed by the enterprise
• Hybrid
– Keys created, stored and managed by the enterprise; used at the CSP
– Keys created, stored and managed by the enterprise, but on the CSP’s infrastructure
• CSP
– Keys created, used, stored and managed by the CSP
Sub-Tasks
• Client-to-Server
– Client Registration
– Server Capability Query
– Grouping and Policy Definition
• Server-to-Client
– Notification to purge or kill
– Client query (guarantee protection of keys)
Note: KMIP does not yet address migration of keys between Key Managers (server-to-server)
Client Registration
Automated, scalable client registration
Owner: Stan Feather (to confirm)
Server Capability Query
Query server for capabilities
– RNG
– FIPS
Owner: Tim Hudson (to confirm)
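The capability query proposed on this slide is what the KMIP Query operation's Query RNGs and Query Validations functions (the latter is where FIPS 140 validation status is reported) later became in KMIP 1.3, after this deck was presented. The Python below is an added example, not code from the deck, from VMware or Oracle, or from any KMIP implementation: it encodes a Query request for those two functions in KMIP's TTLV wire format and parses it back, applying the length and padding checks a receiving side should make before trusting a message. Tag, type, Operation and Query Function values are copied from the KMIP specification; the function names (`build_query_request`, `decode`, `requested_query_functions`, `is_well_formed`) are this example's own. It does not open a connection; a real client would send these bytes to the key server over a mutually authenticated TLS session.

```python
"""KMIP TTLV encoding of a Query request for RNG and validation (FIPS) info.

Added example; not from the KMIP Cloud Use Case deck or any KMIP product.
Wire format per the KMIP spec: Tag (3 bytes) | Type (1) | Length (4, big-endian,
unpadded) | Value padded with zero bytes to a multiple of 8.
"""
import struct

# Item type codes (KMIP spec).
STRUCTURE, INTEGER, ENUMERATION = 0x01, 0x02, 0x05

# Tags (KMIP spec tag table; 3-byte values in the 0x42xxxx range).
TAG = {
    "RequestMessage": 0x420078,
    "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069,
    "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B,
    "BatchCount": 0x42000D,
    "BatchItem": 0x42000F,
    "Operation": 0x42005C,
    "RequestPayload": 0x420079,
    "QueryFunction": 0x420074,
}
TAG_NAME = {v: k for k, v in TAG.items()}

OP_QUERY = 0x18                 # Operation enumeration: Query
QF_RNGS = 8                     # Query Function: Query RNGs (KMIP 1.3)
QF_VALIDATIONS = 9              # Query Function: Query Validations (KMIP 1.3)


def _ttlv(tag, typ, value):
    """Encode one item; Length is the unpadded value length."""
    padded = value + b"\x00" * (-len(value) % 8)
    return (struct.pack(">I", tag)[1:] + bytes([typ])
            + struct.pack(">I", len(value)) + padded)


def integer(tag, n):
    return _ttlv(tag, INTEGER, struct.pack(">i", n))


def enumeration(tag, n):
    return _ttlv(tag, ENUMERATION, struct.pack(">I", n))


def structure(tag, *children):
    # Every child is already 8-byte aligned, so the structure needs no padding.
    return _ttlv(tag, STRUCTURE, b"".join(children))


def build_query_request(functions, major=1, minor=3):
    """One-item batch: Query with the given Query Function values."""
    header = structure(
        TAG["RequestHeader"],
        structure(TAG["ProtocolVersion"],
                  integer(TAG["ProtocolVersionMajor"], major),
                  integer(TAG["ProtocolVersionMinor"], minor)),
        integer(TAG["BatchCount"], 1),
    )
    item = structure(
        TAG["BatchItem"],
        enumeration(TAG["Operation"], OP_QUERY),
        structure(TAG["RequestPayload"],
                  *(enumeration(TAG["QueryFunction"], f) for f in functions)),
    )
    return structure(TAG["RequestMessage"], header, item)


def decode(buf, start=0, end=None):
    """Parse buf[start:end] into a list of (tag name, value) pairs.

    Structures decode recursively; a declared length that runs past the
    enclosing item, or a non-4-byte Integer/Enumeration, is rejected.
    """
    end = len(buf) if end is None else end
    items, pos = [], start
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated TTLV header at offset %d" % pos)
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        padded = length + (-length % 8)
        if pos + 8 + padded > end:
            raise ValueError("TTLV length %d exceeds enclosing item" % length)
        raw = buf[pos + 8:pos + 8 + length]
        if typ == STRUCTURE:
            value = decode(buf, pos + 8, pos + 8 + length)
        elif typ in (INTEGER, ENUMERATION):
            if length != 4:
                raise ValueError("Integer/Enumeration must have length 4")
            value = struct.unpack(">i" if typ == INTEGER else ">I", raw)[0]
        else:
            value = raw          # other types left as raw bytes in this example
        items.append((TAG_NAME.get(tag, "0x%06X" % tag), value))
        pos += 8 + padded
    return items


def requested_query_functions(request):
    """Return the Query Function values found anywhere in a decoded request."""
    found = []

    def walk(items):
        for name, value in items:
            if name == "QueryFunction":
                found.append(value)
            elif isinstance(value, list):
                walk(value)

    walk(decode(request))
    return found


def is_well_formed(buf):
    """True if buf parses as a complete, consistent TTLV sequence."""
    try:
        decode(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = build_query_request([QF_RNGS, QF_VALIDATIONS])
    print(req.hex())
    print(requested_query_functions(req))
```

The 136-byte request begins `42 00 78 01 00 00 00 80`: tag Request Message, type Structure, 128 bytes of content. Note that the outer length is trusted only after the check that it fits inside the buffer actually received; a server or client that skips that check and slices on the declared length is the classic way a malformed TTLV item turns into an out-of-bounds read.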
Grouping and Policy
Propose changes to allow grouping and policy for bulk management of keys.
Owner: Kiran Thota / Saikat Saha
Proposal by: Jan 30
Notify – Purge/Kill
Propose a notification from server to client to purge a key from usage.
Owner: Kiran Thota / Saikat Saha
Proposal by: Feb 07
Client Query
Propose a query from server to client to evaluate client capabilities.
Owner: Kiran Thota / Saikat Saha
Proposal by: Feb 20