
THE NEW IT SECURITY PARADIGM PART 3 – Network Virtualisation & Encryption

By Richard Dornhart, National Security Practice Manager, Data#3


The problem with encryption

In a typical enterprise IT environment, with distributed applications or composed services sharing enormous amounts of traffic between multiple data centres and databases, one of the greatest challenges to network security has become protecting the confidentiality and integrity of the data itself as it flows through the network – the “east-west” traffic.

Encryption presents itself as an obvious solution to the exposure of data as it moves across high-risk areas outside your direct control. Ideally, at the network level, you would trace your machines to their logical ports and subnets and set up point-to-point encryption tunnels between every conceivable communicating pair to prevent the exposure described above.

In smaller, specific use-case deployments, encryption is a great solution, but closer investigation reveals its limitations as a comprehensive network security solution. Beyond the complexity it introduces, encryption always brings management problems around the generation, exchange, storage and use of keys. It can also break any network security mechanism that relies on deep-packet inspection, since encrypted data cannot be readily assessed and policed.

The only way to avoid this is for the encryption that obscures our data to be terminated at the control point and then reapplied once the data has passed through it. As might be expected, this is far from an ideal, let alone practical, solution.

A new way of looking at encryption through network virtualisation

In our previous blog posts, we’ve discussed network virtualisation and the role it can play in transforming the way we think about and implement network security. When you look at the network virtualisation roadmap, it will also extend to encryption in the near future.

These developments will allow you to create a distributed network encryption system, granting easy visibility into the encrypted and unencrypted micro-segments and applications across server environments and any Public, Private, or Hybrid Clouds.

It will also allow at-a-glance insight into key rotation and any policy violations detected against a default set of policies for encrypting data in flight, data at rest, or ensuring overall network integrity.

With the unprecedented isolation capabilities it will allow, your system could go out to the virtual network controller and ask any given micro-segment what components it’s attached to – subnets and switches, for instance – and then send default encryption policies directly to those points of connection. This allows traffic between points to be encrypted, as well as authenticated and hashed on both sides of the connection.

In such a way, you will be able to ensure the data received is actually what was sent, and that its transit across the network is protected. The application and security vendor ecosystem will no longer have to trip over countless streams of encrypted traffic. The expected performance impact of encryption could also be avoided: with network virtualisation, encryption becomes a distributed service that can leverage the entire compute plane, so performance ceases to be an issue. There is also the possibility of leveraging AES-NI, utilising the crypto-acceleration and random number generation capabilities of Intel’s chipset architectures.
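To make the model above concrete, here is an added example (not Data#3’s or any vendor’s code) of the integrity and authentication half of a per-segment policy: a mocked controller inventory is compiled into default policies for each micro-segment’s points of connection, each side tags traffic under the segment key, and the receiver reports tampered data and overdue key rotation as policy violations. The segment names, addresses, clock values and the hourly rotation default are all constructed assumptions, and confidentiality (the encryption itself) is left out to keep the block stdlib-only.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass

@dataclass
class SegmentPolicy:
    segment: str
    attachments: list        # subnets/switches the controller reports for the segment
    key: bytes               # per-segment integrity key pushed to each attachment point
    issued_at: int           # constructed clock value (seconds) when the key was issued
    max_key_age: int = 3600  # assumed default policy: rotate the key hourly

def compile_policies(inventory: dict, now: int) -> dict:
    """Compile a default policy per micro-segment from the (mocked) controller
    inventory, i.e. the 'ask the segment what it is attached to' step."""
    return {seg: SegmentPolicy(seg, sorted(points), secrets.token_bytes(32), now)
            for seg, points in inventory.items()}

def _tag(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    # Bind the payload to its endpoint pair so a tag cannot be replayed between other peers.
    return hmac.new(key, f"{src}|{dst}|".encode() + payload, hashlib.sha256).digest()

def protect(policy: SegmentPolicy, src: str, dst: str, payload: bytes) -> bytes:
    """Sender side: append an integrity tag computed under the segment key."""
    return payload + _tag(policy.key, src, dst, payload)

def verify(policy: SegmentPolicy, src: str, dst: str, wire: bytes, now: int) -> tuple:
    """Receiver side: returns (payload or None, status); the status strings are what a
    controller would surface as key-rotation state and policy violations."""
    if now - policy.issued_at > policy.max_key_age:
        return None, "key-rotation-overdue"
    payload, tag = wire[:-32], wire[-32:]
    if not hmac.compare_digest(tag, _tag(policy.key, src, dst, payload)):
        return None, "integrity-violation"
    return payload, "ok"

def demo() -> list:
    """Constructed scenario: one legitimate flow, one tampered flow, one stale key."""
    inventory = {"seg-app": ["10.1.0.0/24", "vswitch-a"],
                 "seg-db": ["10.2.0.0/24", "vswitch-b"]}
    pol = compile_policies(inventory, now=1000)["seg-db"]
    wire = protect(pol, "10.1.0.5", "10.2.0.9", b"SELECT 1")
    results = [verify(pol, "10.1.0.5", "10.2.0.9", wire, 1001)[1]]
    tampered = b"SELECT 2" + wire[8:]  # altered payload, original tag kept
    results.append(verify(pol, "10.1.0.5", "10.2.0.9", tampered, 1001)[1])
    results.append(verify(pol, "10.1.0.5", "10.2.0.9", wire, 1000 + 3601)[1])
    return results  # ['ok', 'integrity-violation', 'key-rotation-overdue']

if __name__ == "__main__":
    print(demo())
```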

When all your machines, both on- and off-premises, are able to use the virtual layer to align controls around an abstraction of the application or composed service, the entire encryption process will be simplified by an order of magnitude and encryption can be used in a truly meaningful way.

Clearly, network virtualisation offers great potential to address some of the fundamental barriers that, until now, have hampered a comprehensive approach to enterprise IT security. In the final blog of this series, we investigate how VMware intends to close the architectural gap between the application and the physical infrastructure layers with their new NSX platform. We consider whether their approach represents an effective means to resolve many of the complexities of encryption and end-to-end security we’ve covered in this and earlier blogs.

PART 2 – How Network Virtualisation Will Transform IT Security

PART 1 – The Need for A New Security Perspective
