
THE NEW IT SECURITY PARADIGM PART 3 – Network Virtualisation & Encryption

By Richard Dornhart, National Security Practice Manager, Data#3

[Reading Time – 2:50 minutes]

The problem with encryption

In a typical enterprise IT environment, with distributed applications or composed services sharing enormous amounts of traffic between multiple data centres and databases, one of the greatest challenges to network security has become protecting the confidentiality and integrity of the data itself as it flows through the network – the “east-west” traffic.

Encryption presents itself as an obvious solution to this problem of data exposure as it moves across high-risk areas outside of your direct control. Ideally, at the network level, you would trace your machines to their logical ports and subnets, and set up point-to-point encryption tunnels between every conceivable communications pair to prevent that exposure.

In smaller, specific use-case deployments, encryption is a great solution, but closer investigation reveals its limitations as a comprehensive network security solution. Beyond the complexity it introduces, encryption always brings key-management issues: the generation, exchange, storage and use of encryption keys. There is also the problem of potentially breaking any network security mechanism that relies on deep-packet inspection, since encrypted data cannot be readily assessed and policed.

The only way to avoid this is for the encryption that obscures our data to be terminated at the control point, and then reapplied once the data has passed through it. As might be expected, this is far from an ideal, let alone practical, solution.

A new way of looking at encryption through network virtualisation

In our previous blog posts, we’ve discussed network virtualisation and the role it can play in transforming the way we think about and implement network security. Looking at the network virtualisation roadmap, that transformation will also extend to encryption in the near future.

These developments will allow you to create a distributed network encryption system, granting easy visibility into the encrypted and unencrypted micro-segments and applications across server environments and any Public, Private, or Hybrid Clouds.

It will also allow at-a-glance insight into key rotation and any policy violations that may have been detected, with a default set of policies for encrypting data in flight, data at rest, or for ensuring overall network integrity.

With the unprecedented isolation capabilities it will allow, your system could go out to the virtual network controller and ask any given micro-segment what components it’s attached to – subnets and switches, for instance – and then send default encryption policies directly to those points of connection. This allows the encryption of traffic between points, as well as authenticating and hashing the data on both sides of the connection.

In this way, you will be able to ensure the data received is actually what was sent, and that its transit across the network is protected. The application and security vendor ecosystem will no longer have to trip over countless streams of encrypted traffic. The expected performance impact of encryption could also be avoided, since with network virtualisation encryption becomes a distributed service that can leverage the entire compute plane, so performance ceases to be an issue. There is also the possibility of leveraging AES-NI, utilising the crypto-acceleration and random number generation capabilities of Intel’s chipset architectures.
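The "encrypt, authenticate and hash on both sides so that what is received is what was sent" step above is, in practice, authenticated encryption scoped to a micro-segment and a key-rotation epoch. The following Go program is an added example written for this post; it is not code from Data#3, VMware or any NSX component. It assumes a controller that derives a per-segment, per-epoch key from a master secret (HMAC-SHA256 is used as a simple stand-in for a real KDF), binds the segment ID and epoch to every packet as associated data under AES-256-GCM, and shows that a tampered packet, a packet delivered into the wrong micro-segment, or a packet verified by an endpoint still on the previous key epoch is rejected. The segment names, epoch numbers and payload are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SegmentKey is the per-micro-segment, per-rotation-epoch key an endpoint holds.
// The structure and the derivation below are assumptions for this example, not
// any vendor's actual key-distribution format.
type SegmentKey struct {
	SegmentID string
	Epoch     uint32
	Key       []byte // 32 bytes, AES-256
}

// DeriveSegmentKey stands in for the controller handing each attachment point a
// key scoped to one micro-segment and one rotation epoch. HMAC-SHA256 over the
// segment ID and epoch is a simple KDF for illustration; endpoints would never
// hold the master secret in a real deployment.
func DeriveSegmentKey(master []byte, segmentID string, epoch uint32) SegmentKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(segmentID))
	var e [4]byte
	binary.BigEndian.PutUint32(e[:], epoch)
	mac.Write(e[:])
	return SegmentKey{SegmentID: segmentID, Epoch: epoch, Key: mac.Sum(nil)}
}

// aad is the associated data bound to every packet: the segment and epoch the
// sender is in. It travels unencrypted but is covered by the GCM tag.
func aad(k SegmentKey) []byte {
	var e [4]byte
	binary.BigEndian.PutUint32(e[:], k.Epoch)
	return append([]byte(k.SegmentID), e[:]...)
}

func newGCM(k SegmentKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts and authenticates a payload on the sending side.
// Output layout: nonce || ciphertext || 16-byte GCM tag.
func Protect(k SegmentKey, payload []byte) ([]byte, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, aad(k)), nil
}

// Verify decrypts on the receiving side and fails closed if the ciphertext, the
// tag, or the segment/epoch binding does not match what the sender produced.
func Verify(k SegmentKey, packet []byte) ([]byte, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(packet) < ns+gcm.Overhead() {
		return nil, errors.New("packet too short to carry nonce and tag")
	}
	return gcm.Open(nil, packet[:ns], packet[ns:], aad(k))
}

// Demo runs the checks a practitioner would want to see: a clean round-trip, a
// modified packet, a packet delivered to the wrong segment, and a receiver that
// is still on the previous key epoch.
func Demo() (roundTrip, tamperRejected, wrongSegmentRejected, staleEpochRejected bool, err error) {
	master := make([]byte, 32) // constructed master secret for the example
	if _, err = rand.Read(master); err != nil {
		return
	}
	web := DeriveSegmentKey(master, "seg-web-tier", 7)
	db := DeriveSegmentKey(master, "seg-db-tier", 7)
	webOld := DeriveSegmentKey(master, "seg-web-tier", 6)
	payload := []byte("SELECT balance FROM accounts WHERE id = 42") // constructed sample

	packet, err := Protect(web, payload)
	if err != nil {
		return
	}
	got, e := Verify(web, packet)
	roundTrip = e == nil && string(got) == string(payload)

	tampered := append([]byte(nil), packet...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit of the ciphertext in transit
	_, e = Verify(web, tampered)
	tamperRejected = e != nil

	_, e = Verify(db, packet) // same master, different micro-segment
	wrongSegmentRejected = e != nil

	_, e = Verify(webOld, packet) // receiver missed the key rotation
	staleEpochRejected = e != nil
	return
}

func main() {
	rt, t, w, s, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round-trip=%v tamper rejected=%v wrong segment rejected=%v stale epoch rejected=%v\n", rt, t, w, s)
}
```

Binding the segment ID and epoch as associated data rather than encrypting them is the design point worth noting: a monitoring function can still read which segment and key generation a packet belongs to (the at-a-glance key-rotation view the post describes) while the payload stays opaque, and any mismatch between what the sender asserted and what the receiver holds fails verification instead of silently decrypting.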

When all your machines, both on and off-premises, are able to use the virtual layer to align controls around an abstraction of the application or composed service, the entire encryption process will become simplified by an order of magnitude and encryption can be utilised in a truly meaningful way.

Clearly, network virtualisation offers great potential to address some of the fundamental barriers that, until now, have hampered a comprehensive approach to enterprise IT security. In the final blog of this series, we investigate how VMware intends to close the architectural gap between the application and the physical infrastructure layers with their new NSX platform. We consider whether their approach represents an effective means to resolve many of the complexities of encryption and end-to-end security we’ve covered in this and earlier blogs.

PART 2 – How Network Virtualisation Will Transform IT Security

PART 1 – The Need for A New Security Perspective


Tags: Cybersecurity, Network Security, Security
