Encryption without operational compromise
- Published: Wednesday, 15 February 2017 14:08
Traditional encryption has compromised network performance and troubleshooting, however this doesn’t have to be the case. In this article, Paul German explains the role that 'stealth' encryption is playing in delivering data security without operational compromise.
Over the past decade, organizations across every vertical market have attempted a wary balance between regulatory compliance and business agility. Yet with the arrival of the General Data Protection Regulation (GDPR) set to raise the bar yet again in 2018, how can organizations navigate ever more onerous regulatory requirements; escalating security risks; dispersed and diverse infrastructure models: and still achieve operational performance objectives?
Given evolving regulatory demands and threat landscape, securing data in motion – especially across wide area networks (WAN) - is clearly essential.
The encryption imperative
In this increasingly regulated environment, encryption is – or should be – a fundamental component of the defence / defense in depth security model. Whilst organizations globally have been wrestling with the escalating security demands created in a continually evolving cyber threat landscape, the introduction in 2018 of the GDPR radically extends the business implication of any data breach. After May 2018, not only must a company inform all affected by the security breach within 72 hours but the fines can be up to €20 million or 4 percent of global revenues. There is a very real risk that a data breach could lead to company failure.
Given the growing acceptance that breach is a ‘when’ not ‘if’ event, organizations have evolved beyond perimeter-only security models to increasingly lock down data: both at rest and in motion. Yet data encryption has had a chequered history. Whilst in theory the ability to make all information unintelligible, unusual and valueless to hackers and thieves is clearly compelling, the challenges associated with deploying, maintaining and managing encryption technologies have deterred and inhibited many organizations.
The key problem is the way in which encryption has been deployed to date. Traditionally an organization’s infrastructure is broken down into seven layers, following the Open Systems Interconnection model (OSI model), from the physical (Layer 1) through to application (Layer 7). The usual technique of adding encryption at Layer 2 (data link) and Layer 3 (network) essentially means asking routers and switches to undertake an additional – and demanding - task.
The result is not only drastically compromised network performance but also significant management and troubleshooting issues: often bad enough to drive organizations to switch off the encryption solution. In addition, as soon as Layer 2 and Layer 3 encryption is switched on, the organization is completely blind to the traffic going across the network: it is not just the data that is encrypted but the file headers and network packets also. The only option, therefore, when the application team needs to investigate performance problems is to switch off encryption – creating additional risk and leading to a security/operations stand-off.
Layer 4 encryption
The answer to the continued friction between operational goals and security imperatives is to decouple encryption from the infrastructure completely. Rather than being embedded in routers, switches or firewalls, Layer 4 encryption technology is completely separate from the underlying infrastructure. By creating an overlay solution that is dedicated to providing the level of trust for data in motion and applications moving across the infrastructure, this model avoids any impact on network performance and complexity. Furthermore, Layer 4 operates in ‘stealth’ mode: it is only the data payload that is encrypted – not the entire network data packet.
This approach has two essential benefits. Firstly, a hacker cannot see that encryption has been turned on (because the file headers are not encrypted) and will have no idea whether the data is sensitive or not – it all looks like worthless data, malformed and of no use. Secondly, if the organization needs to troubleshoot, key information – such as source/destination ports and IP address - information is still visible, enabling investigation and remedial work to be undertaken whilst the encryption is still turned on. All of the complex management and maintenance problems created by Layer 2 and Layer 3 encryption are removed. The data in motion is secure without adding complexity or compromising operational performance of the infrastructure.
Layer 4 encryption also overcomes the problems created by application vendors opting to introduce third party encryption solutions into applications to create a secure connection between clients and servers. While the theory was great, security threats such as Heartbleed and Poodle, which compromised sessions, threw application vendors into a spin. The challenge of getting the third party to fix the problem, then update the application, download a patch and ensure customers have applied that patch across their estate is huge – leaving many applications still unpatched years later. Creating a Layer 4 encryption overlay ensures that application data is secure and resolves the software provider’s security challenges. Indeed, even if the application encryption has been updated, adding Layer 4 encryption creates a double encryption model that ensures whatever may happen in the future to compromise the application – Heartbleed Mark 2 – the organization will be secure.
Zero trust model
The additional benefit of decoupling encryption from the infrastructure is that it supports the zero trust model that is gaining growing support across the security industry in response to the ever changing threat landscape. While it may appear logical to assume all owned infrastructure – from data centres / centers to branch offices, LANs to private WANs – is under the organization’s control and hence secure, in practice the reality is very different.
Firstly, the vast majority of data breaches now occur as a result of user compromised credentials – providing a hacker with direct access to that trusted network. Secondly, the concept of a private WAN is flawed: ‘private’ WAN services are typically multiple organizations’ connections delivered over a single shared managed service network using simple labels to separate customer traffic. Unfortunately, simple misconfigurations can result in the networks of two or more organizations becoming merged; at which point ‘secure’ data is not only open to the service provider but also at the mercy of that organization’s security posture – or lack of it. That ‘owned’ infrastructure is neither under the organization’s control nor secure.
What value is a service level agreement with a service provider when the organization has been breached, the regulator is set to impose huge fines and customer confidence has plummeted? Passing the baton of security over to a third party without truly understanding and then mitigating that risk is a mistake. The only way to ensure that an organization’s data is secure is to encrypt it before it hits the WAN – if the data does fall into the wrong hands it is of absolutely no use at all.
This is the fundamental concept that organizations need to understand: trust nothing, secure everything. By adopting a zero trust model and accepting an inherent risk of breach organizations can take a far more proactive approach to securing data across the entire infrastructure.
Adding Layer 4 stealth encryption not only secures critical data – and underpins compliance with regulations including GDPR - but it does so without compromising network performance or operational agility.