By Richard Dornhart, National Security Practice Manager, Data#3
In a typical enterprise IT environment, with distributed applications or composed services sharing enormous amounts of traffic between multiple data centres and databases, one of the greatest challenges to network security has become protecting the confidentiality and integrity of the data itself as it flows through the network – the “east-west” traffic.
Encryption presents as an obvious solution to this problem of data exposure as it moves across high-risk areas outside of your direct control. Ideally, at the network level, you would trace your machines to their logical ports and subnets, and set up point-to-point encryption tunnels between every conceivable communications pair to prevent scenarios like the above.
In smaller, specific use-case deployments, encryption is a great solution, but closer investigation reveals its limitations as a comprehensive network security solution. Beyond the complexity it introduces, encryption always brings key management problems around the generation, exchange, storage and use of encryption keys. There is also the problem of potentially breaking any network security mechanisms that rely on deep-packet inspection, where the data cannot be readily assessed and policed because it is encrypted.
The only way to avoid this is for the encryption that obscures our data to be terminated at the control point, and then reapplied once the data has passed through it. As might be expected, this is far from an ideal – let alone practical – solution.
In our previous blog posts, we’ve discussed network virtualisation and the role it can play in transforming the way we think about and implement network security. When you look at the network virtualisation roadmap, this will also extend to encryption in the near future.
These developments will allow you to create a distributed network encryption system, granting easy visibility into the encrypted and unencrypted micro-segments and applications across server environments and any Public, Private, or Hybrid Clouds.
It will also allow at-a-glance insight into key rotation and any policy violations that may have been detected against a default set of policies for encrypting data in flight, data at rest, or for ensuring overall network integrity.
With the unprecedented isolation capabilities it will allow, your system could go out to the virtual network controller and ask any given micro-segment what components it’s attached to – subnets and switches, for instance – and then send default encryption policies directly to those points of connection. This allows the encryption of traffic between points, as well as authenticating and hashing the data on both sides of the connection.
In such a way, you will be able to ensure the data received is actually what was sent, and that its transit across the network is protected. The application and security vendor ecosystem will no longer have to trip over countless streams of encrypted traffic. The expected performance impact of encryption could also be avoided, since with network virtualisation encryption becomes a distributed service that can leverage the entire compute plane, so performance ceases to be an obstacle. There is also the possibility to leverage Intel AES-NI, utilising the crypto-acceleration and random number generation capabilities of Intel’s chipset architectures.
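As an added illustration (not code from this post or from any vendor's product), the following stdlib-only Python models the mechanism described in the two paragraphs above: a constructed controller view mapping micro-segments to their attachment points, a default policy pushed to each of those points, sender-side hashing and authentication with HMAC-SHA256, and a receiver-side check that flags the policy violations mentioned earlier (cleartext where encryption is required, integrity failure, overdue key rotation). Segment names, addresses and the policy fields are assumptions; the confidentiality cipher itself is omitted, and in practice an AEAD such as AES-GCM would be applied at the same points.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass, field

# Constructed controller view: each micro-segment and the attachment points
# (subnets, switches) it is connected to. Names and addresses are illustrative.
SEGMENT_ATTACHMENTS = {
    "payments-db": ["10.10.1.0/24", "vswitch-03"],
    "web-tier": ["10.20.5.0/24", "vswitch-07"],
}

# Default in-flight policy pushed to every attachment point of a segment (assumed fields).
DEFAULT_POLICY = {"encrypt": True, "authenticate": True, "max_key_age_s": 86400}
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

@dataclass
class PointPolicy:
    segment: str
    attachment: str
    policy: dict
    key: bytes = field(default_factory=lambda: os.urandom(32))  # per-point key
    key_issued: float = field(default_factory=time.time)        # for rotation checks

def distribute_policies(segment, policy=DEFAULT_POLICY):
    """Ask the controller what a segment is attached to and push the policy there."""
    return [PointPolicy(segment, a, dict(policy)) for a in SEGMENT_ATTACHMENTS[segment]]

def protect(point, payload):
    """Sender side: hash and authenticate the payload under the point's key."""
    tag = hmac.new(point.key, payload, hashlib.sha256).digest()
    return payload + tag

def verify(point, frame):
    """Receiver side: return the payload only if it is exactly what was sent."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(point.key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def policy_violations(point, frame, encrypted, now=None):
    """At-a-glance policy check for one flow observed at an attachment point."""
    now = time.time() if now is None else now
    found = []
    if point.policy["encrypt"] and not encrypted:
        found.append("cleartext flow where encryption is required")
    if point.policy["authenticate"] and verify(point, frame) is None:
        found.append("integrity check failed")
    if now - point.key_issued > point.policy["max_key_age_s"]:
        found.append("key rotation overdue")
    return found
```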
When all your machines, both on and off-premises, are able to use the virtual layer to align controls around an abstraction of the application or composed service, the entire encryption process will become simplified by an order of magnitude and encryption can be utilised in a truly meaningful way.
Clearly, network virtualisation offers great potential to address some of the fundamental barriers that, until now, have hampered a comprehensive approach to enterprise IT security. In the final blog of this series, we investigate how VMware intends to close the architectural gap between the application and the physical infrastructure layers with their new NSX platform. We consider whether their approach represents an effective means to resolve many of the complexities of encryption and end-to-end security we’ve covered in this and earlier blogs.