
THE NEW IT SECURITY PARADIGM PART 3 – Network Virtualisation & Encryption

By Richard Dornhart, National Security Practice Manager, Data#3

[Reading Time – 2:50 minutes]

The problem with encryption

In a typical enterprise IT environment, with distributed applications or composed services sharing enormous amounts of traffic between multiple data centres and databases, one of the greatest challenges to network security has become protecting the confidentiality and integrity of the data itself as it flows through the network – the “east-west” traffic.

Encryption presents itself as the obvious solution to this problem of data exposure as it moves across high-risk areas outside of your direct control. Ideally, at the network level, you would trace your machines to their logical ports and subnets, and set up point-to-point encryption tunnels between every conceivable communications pair to prevent that exposure.

In smaller, specific use-case deployments, encryption is a great solution, but closer investigation reveals its limitations as a comprehensive network security control. Beyond the complexity it introduces, encryption always brings key-management problems: generating, exchanging, storing, rotating and using the keys. There is also the problem of breaking any network security mechanism that relies on deep-packet inspection, because the data can no longer be readily assessed and policed once it is encrypted.

The usual workaround is to terminate the encryption at the control point, inspect the data in the clear, and re-apply the encryption once it has passed through. That inspection point must then hold the keys and becomes a plaintext exposure point in its own right. As might be expected, this is far from an ideal, let alone practical, solution at east-west scale.

A new way of looking at encryption through network virtualisation

In our previous blog posts, we’ve discussed network virtualisation and the role it can play in transforming the way we think about and implement network security.  When you look at the network virtualisation roadmap, this will also extend to encryption in the near future.

These developments will allow you to create a distributed network encryption system, granting easy visibility into the encrypted and unencrypted micro-segments and applications across server environments and any Public, Private, or Hybrid Clouds.

It will also give at-a-glance insight into key rotation and into any policy violations detected against a default set of policies for encrypting data in flight and data at rest, and for ensuring overall network integrity.

With the unprecedented isolation capabilities it will allow, your system could go to the virtual network controller, ask any given micro-segment what components it is attached to (subnets and switches, for instance), and then push default encryption policies directly to those points of connection. This encrypts the traffic between those points and also authenticates it, with a keyed hash computed over the data on both sides of the connection.

In this way you can ensure that the data received is actually what was sent, and that its transit across the network is protected. Because inspection and encryption are then enforced at the same point in the virtual layer, traffic can be policed before it is encrypted on egress and after it is decrypted on ingress, so the application and security vendor ecosystem no longer has to trip over countless streams of opaque encrypted traffic. The expected performance impact of encryption can also be contained, since with network virtualisation encryption becomes a distributed service spread across the entire compute plane rather than concentrated in a few appliances. It can also draw on the hardware crypto acceleration (AES-NI) and random number generation built into Intel's chipset architectures.
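The properties this paragraph and the previous one describe (encryption between two points, authentication of the data at both ends with a keyed hash, per-pair keys that can be rotated by epoch, and the control point from the earlier section that must terminate encryption to inspect) are shown in the worked Python example below. It is added here and is not Data#3's or VMware NSX code; the function names (`derive_key`, `seal`, `open_sealed`, `control_point`), the segment labels, the master secret and the sample transfer message are all constructed for the demonstration. To stay standard-library only, the keystream is HMAC-SHA256 run in counter mode rather than AES; a production system would use an AEAD such as AES-GCM, which is the operation AES-NI accelerates.

```python
"""Authenticated encryption between two micro-segments, per-pair keys derived
from a master secret per rotation epoch, and a control point that must decrypt
to inspect.  Example code added for this post; not Data#3's or VMware's.
Stdlib only: the keystream is HMAC-SHA256 in counter mode (a PRF stream cipher)
so it runs without third-party libraries; use an AEAD such as AES-GCM for real."""
import hmac
import hashlib
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def derive_key(master_key: bytes, label: bytes, epoch: int) -> bytes:
    """Per-segment-pair key for one key-rotation epoch (HMAC used as a KDF).
    Bumping the epoch rotates every derived key without touching the master secret."""
    return hmac.new(master_key, label + struct.pack(">I", epoch), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption only: XOR with the keystream.  The same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)  # must never repeat under the same key
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    """Verify the tag (constant-time compare) before decrypting; reject on mismatch."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet was modified in transit")
    return xor_stream(enc_key, nonce, ct)


def flip_char(data: bytes, offset: int, old: str, new: str) -> bytes:
    """Attacker's blind bit-flip: XOR the ciphertext byte so the plaintext byte
    `old` becomes `new` without knowing any key."""
    buf = bytearray(data)
    buf[offset] ^= ord(old) ^ ord(new)
    return bytes(buf)


def control_point(packet: bytes, in_keys, out_keys, forbidden: bytes) -> bytes:
    """A deep-packet-inspection point on the path: it can only police the payload
    by terminating the sender's encryption and re-applying its own for the next hop."""
    plaintext = open_sealed(*in_keys, packet)
    if forbidden in plaintext:
        raise PermissionError("policy violation: blocked by inspection")
    return seal(*out_keys, plaintext)


def demo() -> dict:
    master = b"constructed-master-secret-for-demo"  # constructed, not a real key
    web_db = (derive_key(master, b"web->db/enc", 7), derive_key(master, b"web->db/mac", 7))
    db_next = (derive_key(master, b"db->archive/enc", 7), derive_key(master, b"db->archive/mac", 7))
    nonce = bytes(NONCE_LEN)  # fixed so the demo is deterministic; never reuse a nonce in practice
    msg = b"transfer amount=0100 to=acct42"  # constructed sample message
    pos = msg.index(b"amount=") + len(b"amount=")  # byte holding the leading '0'

    # 1. Encryption alone is malleable: the attacker changes the amount blind.
    ct = xor_stream(web_db[0], nonce, msg)
    forged = xor_stream(web_db[0], nonce, flip_char(ct, pos, "0", "9"))

    # 2. With the keyed hash, the same flip is rejected by the receiver.
    packet = seal(web_db[0], web_db[1], msg, nonce)
    try:
        open_sealed(web_db[0], web_db[1], flip_char(packet, NONCE_LEN + pos, "0", "9"))
        detected = False
    except ValueError:
        detected = True

    # 3. The inspection point re-seals for the next hop under different keys.
    forwarded = control_point(packet, web_db, db_next, b"DROP TABLE")
    return {"forged": forged, "detected": detected,
            "forwarded": open_sealed(db_next[0], db_next[1], forwarded)}


if __name__ == "__main__":
    print(demo())
```

The first result shows that encryption on its own lets an attacker change the transfer amount without holding any key, because a bit-flip in a stream-cipher ciphertext lands unchanged in the plaintext; the second shows the keyed hash rejecting the same packet; the third shows that the inspection point can only forward after decrypting under the sender's keys and re-sealing under the next hop's, which is exactly the key-custody burden the earlier section describes.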

When all your machines, both on and off-premises, are able to use the virtual layer to align controls around an abstraction of the application or composed service, the entire encryption process will become simplified by an order of magnitude and encryption can be utilised in a truly meaningful way.

Clearly, network virtualisation offers great potential to address some of the fundamental barriers that, until now, have hampered a comprehensive approach to enterprise IT security. In the final blog of this series, we investigate how VMware intends to close the architectural gap between the application and the physical infrastructure layers with their new NSX platform. We consider whether their approach represents an effective means to resolve many of the complexities of encryption and end-to-end security we’ve covered in this and earlier blogs.

PART 2 – How Network Virtualisation Will Transform IT Security

PART 1 – The Need for A New Security Perspective


Tags: Cybersecurity, Network Security, Security
