“The world is a vampire.” The words to the Smashing Pumpkins song kept coming to mind as I listened to the discourse of a leading tier one carrier CISO.
I was in New York City attending one of the technical seminars that constantly come up projecting what the new New Thing is going to be. This rendition was on the insecure world of data flowing across networks. I mused that this time there was some fire to go along with the smoke. Snowden had just come on to the world stage and shone light on all that NSA and other nation states could and were doing to gain access to sensitive data, both personal and commercial.
To those of us in the network transmission business, the idea of securing network connections is nothing new. For many years we’ve used industry standard techniques to secure connections as data travels across insecure networks. The disturbing revelations coming out of the Snowden documents were not that data had been hacked but that the tools we had come to rely on for so many years could no longer be guaranteed safe.
Adding to the alarm was the issue that we were moving into the cloud and the traditional castle perimeter of the firewall would no longer exist. In fact, according to the speaker they had become nothing more than yellow police tape around a crime scene.
I have to admit I don’t know any other lyrics from the song. I just remember it from the TV series Whale Wars. But, one thing’s for sure: the world has become a vampire when it comes to data in flight.
Security for transmitted data is a concern as old as the internet. The name branding changes; it used to be data-in-motion and now it’s data-in-flight. I guess data-in-flight sounds more perilous. Even back in the days of the granddaddy of the internet, ARPANET, Bob Metcalfe, the inventor of Ethernet, famously warned (in RFC 602, 1973) that the growth of connectivity would make security a serious concern. As Metcalfe’s law states, “the value of a telecommunications network is proportional to the square of the number of connected users of the system.” The attack surface grows the same way, and any CISO who surveys the migration to the cloud will agree.
In the traditional packet network, two standards have been the stalwart tools for data in flight.
Netscape came up with HTTPS in the mid-90s as a means to protect the application layer: HTTP carried over its SSL protocol, originally to protect web pages. The technology has evolved from the SSL implementations (SSL 2.0 and 3.0 are now deprecated) to the TLS standards for greater security. Apple announced last year at its Worldwide Developers Conference, under the name App Transport Security, a requirement that apps sold on its App Store connect with TLS 1.2.
Born in the 90s, IPsec has become the go-to solution for many data use cases. It is the cornerstone of VPNs, both site-to-site and remote access (it is a separate mechanism from TLS/SSL, which runs above the transport layer rather than at Layer 3). Designed from the beginning to work in the packet-switched TCP/IP environment, IPsec became the de facto standard for network-layer encryption.
About 10 years ago, a Layer 2 equivalent of IPsec called MACsec (IEEE 802.1AE, published in 2006) was developed. It provides authenticated encryption (GCM-AES) of the whole Ethernet frame with per-frame replay protection, and it makes better use of bandwidth: the overhead is a fixed 32 bytes per frame (a 16-byte SecTAG plus a 16-byte integrity check value), which on typical traffic mixes works out to roughly 10% of the bandwidth. MACsec is hop-by-hop, so every switch along the path must decrypt and re-encrypt, and that limitation severely restricted its use. The benefits, though, were significant enough that specialized hardware-based Layer 2 encryptors became popular with Fortune 500 companies and governments.
Whether the need is for cloud compute or storage, the cloud has a wide diversity of utility. Ultimately it is a virtual overlay to a technology or business infrastructure. From a network transport perspective, the cloud can offer significant benefits in agility and cost savings. The trade-off is that now many touch points exist outside the traditional designs of firewalls or private networks.
How do traditional security techniques fit into this new technology? Starting at the top of the stack, HTTPS still has a substantial data protection role to play. Applications operate above the network and data link layers. Apps are often the interface to the cloud services. There are a few serious issues with HTTPS.
At the recent RSA conference in San Francisco, Dave Shackleford of the SANS Institute pointed out that security is now being designed into apps. Software developers are not always going to be knowledgeable about building high-quality security. This seems to be borne out in the 2016 Shadow Data Report, which states that 95% of cloud applications are not SOC 2 compliant and a full 96% do not meet the General Data Protection Regulation (GDPR) guidelines. A typical company believes that it has 30-40 cloud apps operating when in fact it has 841.
IPsec has a bigger struggle in the cloud environment. The cloud offers a lot in savings when it comes to reducing CAPEX, but the trade-off is the OPEX component. Bandwidth, for VPN links in particular, is expensive, and IPsec adds a fixed per-packet cost (outer IP header, ESP header and IV, padding, trailer and integrity check value, roughly 56 bytes in tunnel mode with AES-GCM) regardless of payload size. On traffic dominated by small packets that overhead can eat between 40% and 60% of the bandwidth, although on full-size packets it is only a few percent. Latency is another issue with IPsec, although some vendors have moved it into hardware implementations to speed up the processing.
MACsec has evolved to fit nicely into the cloud. Carrying MACsec-protected frames across an overlay, rather than terminating them at every switch, now addresses the hop-by-hop limitation and gives end-to-end connectivity. With very low bandwidth requirements along with low latency, MACsec has become the best method for encrypting across a network. One innovative company, Senetas, has taken its hardware-based Layer 2 encryptor and virtualized it. Network function virtualization (NFV) can now make high-quality, low-cost encryption solutions possible.
How to drive a stake into the heart of the vampire? Encrypt as low in the protocol stack as possible. Take advantage of the new overlay network topology of NFV and use modern techniques to protect data. Encrypting at Layer 3 using IPsec is no longer necessary. A properly designed NFV implementation can take advantage of data center technologies like VXLAN, which carries Ethernet frames across a Layer 3 underlay, to keep the MACsec-protected frame intact end to end and so get Layer 2 protection across Layer 3 boundaries. And, by moving away from IPsec, the cost savings in VPN connections can make a significant contribution to upgrading to a virtualized network.
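The bandwidth figures quoted above for IPsec and MACsec depend on packet size, because both add a fixed number of bytes per packet. The following is an added example, not code from the article or from any vendor mentioned in it: it models the on-the-wire size of one IP packet under MACsec, under IPsec ESP tunnel mode with AES-GCM, and under MACsec carried inside a VXLAN overlay, using the fixed header and trailer sizes from the respective standards. The traffic mix at the bottom is constructed (loosely after the common 7:4:1 "simple IMIX" of 40/576/1500-byte packets), not measured data, and the model ignores fragmentation, 802.1Q tags and NAT-T.

```python
"""Per-packet overhead model for MACsec, IPsec ESP and MACsec-in-VXLAN.

Added example; the byte counts are the fixed sizes from IEEE 802.1AE,
RFC 4303/4106 and RFC 7348. Traffic mix below is constructed, not measured.
"""

ETH_HDR = 14        # dst MAC, src MAC, EtherType (untagged frame)
IPV4_HDR = 20       # outer IPv4 header without options
UDP_HDR = 8
VXLAN_HDR = 8       # RFC 7348

# MACsec (IEEE 802.1AE): 16-byte SecTAG (with SCI) + 16-byte ICV for GCM-AES
MACSEC_SECTAG = 16
MACSEC_ICV = 16

# IPsec ESP (RFC 4303) with AES-GCM (RFC 4106):
# SPI + sequence number 8, IV 8, pad length + next header 2, ICV 16
ESP_HDR = 8
ESP_IV = 8
ESP_TRAILER = 2
ESP_ICV = 16


def esp_padding(payload_len: int) -> int:
    """ESP pads so that payload + padding + 2-byte trailer is a multiple of 4."""
    return (-(payload_len + ESP_TRAILER)) % 4


def macsec_frame_len(ip_packet_len: int) -> int:
    """Ethernet frame carrying an IP packet, protected hop-by-hop by MACsec."""
    return ETH_HDR + MACSEC_SECTAG + ip_packet_len + MACSEC_ICV


def ipsec_tunnel_frame_len(ip_packet_len: int) -> int:
    """Ethernet frame carrying the same IP packet inside ESP tunnel mode."""
    esp = (ESP_HDR + ESP_IV + ip_packet_len + esp_padding(ip_packet_len)
           + ESP_TRAILER + ESP_ICV)
    return ETH_HDR + IPV4_HDR + esp


def macsec_over_vxlan_frame_len(ip_packet_len: int) -> int:
    """MACsec-protected inner frame carried across an L3 underlay in VXLAN.

    The inner frame stays encrypted end to end; the outer Ethernet/IP/UDP/VXLAN
    headers are what the underlay routers see.
    """
    inner = macsec_frame_len(ip_packet_len)
    return ETH_HDR + IPV4_HDR + UDP_HDR + VXLAN_HDR + inner


def overhead_pct(ip_packet_len: int, encap) -> float:
    """Extra bytes on the wire relative to the unencrypted frame, in percent."""
    clear = ETH_HDR + ip_packet_len
    return 100.0 * (encap(ip_packet_len) - clear) / clear


# Constructed packet-size mix: (IP packet length, share of packets).
TRAFFIC_MIX = [(40, 7 / 12), (576, 4 / 12), (1500, 1 / 12)]


def mix_overhead_pct(encap, mix=TRAFFIC_MIX) -> float:
    """Byte-weighted overhead of an encapsulation over a packet-size mix."""
    clear = sum(share * (ETH_HDR + n) for n, share in mix)
    enc = sum(share * encap(n) for n, share in mix)
    return 100.0 * (enc - clear) / clear


ENCAPS = {
    "MACsec": macsec_frame_len,
    "IPsec ESP tunnel": ipsec_tunnel_frame_len,
    "MACsec in VXLAN": macsec_over_vxlan_frame_len,
}

if __name__ == "__main__":
    print(f"{'IP packet':>10}" + "".join(f"{name:>20}" for name in ENCAPS))
    for n in (40, 576, 1500):
        row = "".join(f"{overhead_pct(n, f):>19.1f}%" for f in ENCAPS.values())
        print(f"{n:>10}" + row)
    print(f"{'mix':>10}" + "".join(
        f"{mix_overhead_pct(f):>19.1f}%" for f in ENCAPS.values()))
```

Two practical points fall out of the model. First, the large percentages only appear on small packets; with 1500-byte packets both MACsec and IPsec cost a few percent, and MACsec's 32 fixed bytes stay below ESP's roughly 56. Second, every one of these encapsulations pushes a 1500-byte IP packet past the standard 1518-byte Ethernet frame, so the underlay MTU (or the inner MSS) must be adjusted or the packets will be fragmented or dropped; the model does not account for that.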