CA today announced CA Encryption Key Manager (CA EKM), a z/OS-based solution that unifies and automates the management, storage, distribution, and documentation of encryption keys for multi-vendor mainframe and distributed environments such as Linux, Unix, Windows and Solaris.
CA EKM automatically replicates encryption keys across a set of local and dispersed hosts via SSL-encrypted TCP/IP, so that keys can quickly and transparently be recovered in case of a disaster, hardware errors or a system outage. It also automatically enforces policies regarding the change of encryption keys and digital certificates, mitigating the labor and risk associated with manual administration.
According to CA, because it is a vendor-neutral solution, CA EKM helps IT organizations avoid being locked into costly standalone hardware or software purchases. Because the solution can support both IBM tape encryption devices and CA Tape Encryption subsystems from the same interface, CA says it can also streamline customers' approach to key management.
"CA EKM manages the encryption keys for two specific solutions and that is significant because the solutions that are out there today tend to manage encryption keys for the vendor's own solutions," Stefan Kochishan, director of storage product marketing at CA, tells 5 Minute Briefing.
"Now, we have the capability to manage other vendor encryption devices. It is going to manage our encryption solution, CA Tape Encryption, and it is also going to manage the keys for the IBM TS1120 and 1130. Both products, CA Tape Encryption and the IBM TS1120 and TS1130, are able to handle any mix of information, either from a mainframe or from distributed; it could be Linux, Windows, Unix, etc. We don't care where the data is coming from; we are just going to be able to manage the keys. The reason it is so important is that today, with the solutions that are out there, you have to singly manage each solution; there is no centralized way of doing it."
CA EKM provides a single, centralized interface that can be used for any combination of IBM TS1120 and IBM TS1130 tape encryption devices, as well as CA Tape Encryption subsystems. CA EKM also interfaces with z/OS external security systems such as IBM RACF, CA ACF2 for z/OS and CA Top Secret for z/OS for storage of public/private keys and digital certificates. Encryption keys and digital certificates from these sources can be automatically re-imported if they are not found, further accelerating the recovery of encrypted data in the event of a disruption.
CA EKM integrates with the CA Graphical Management Interface so that users can respond quickly to internal or external auditing requests and validate compliance for events such as certificate generation, key migration, key store synchronization, and key deletion.
According to CA, by reducing the effort and complexity associated with key management, the new solution supports CA's broader "Mainframe 2.0" initiative, which is aimed at enabling a new generation of IT professionals to effectively and efficiently operate a new generation of IBM mainframes.
CA EKM can also be installed and configured with CA Mainframe Software Manager, a key Mainframe 2.0 solution, and is designed in accordance with the guidance for key management set forth in the National Institute of Standards and Technology document NIST 800-57.