Virtualised encryption: How it could be the killer app for NFV – and help with GDPR too

When it comes to meeting the new requirements of the EU’s General Data Protection Regulation (GDPR), cloud users could well have the advantage. That may sound counter-intuitive, as one of the biggest hurdles facing companies that have migrated to the cloud is exposure of data, since the perimeter is no longer a firewall at the company edge.

GDPR is set to take effect on May 25, 2018. The end goal of this legislation is to strengthen and enforce the security of personal data. This new legal framework dictates that any company doing business in the EU, with EU citizens, or that is EU-based will be held liable for any breach of data. GDPR affects virtually any company across the globe that does business in Europe, and it will likely become the new de facto standard for the care and management of customer data going forward.

Fines for not adhering to the requirements can reach 20m EUR (around $24m) or 2-4% of annual global revenues, whichever is larger. The mitigating circumstance is that a company will not be held liable if it has encrypted its data in motion and that data is then hacked. Let me repeat: securing data that goes into the cloud through encryption will be a critical piece of GDPR compliance.

Ultimately, the clear majority of businesses worldwide will now need to make sure their networks are encrypted. In recent weeks, major players such as Amazon and Microsoft have indicated that they will endeavour to comply with the new directive.

So, what can cloud providers do to tackle GDPR compliance? The answer is virtualised network services.

Traditionally, service providers deployed appliances built specifically for each function, such as firewalls and routers. For encryption, these appliances often provide only basic encryption capability for low-speed links. For higher speeds or better performance, specialised hardware is necessary, but this approach adds significant cost to the equipment and requires a vendor-specific endpoint to match the proprietary hardware encryption.

Low-cost universal customer premises equipment (uCPE) allows service providers to remotely set up software services such as encryption, firewalls, and routers with zero-touch provisioning. These virtualised network functions (VNFs) can be downloaded and configured remotely. The uCPE is an off-the-shelf server provided by the service provider or the customer. Using off-the-shelf devices instead of purpose-built appliances drastically reduces the cost of premises equipment, as does replacing appliances with software functions, because one server can run many different functions.

Relying on apps to handle encryption is not enough; as recently as 2016, a study by Blue Coat Systems, Inc. showed that 98% of the 15,000 apps surveyed would not meet GDPR requirements. Even if the vendors or developers claim that their products do, how does an IT department test this premise? Instead of relying on appliance manufacturers to protect data in motion, it is now possible for specialised security companies to create virtualised encryption VNFs to add to the service chain of functions. Service providers can remotely deploy virtualised encryptors to protect data in motion from the client's site right to the server in a data centre. Encrypting the stream to the cloud was a recommendation given at the RSA Conference in San Francisco earlier this year.

Virtualisation speaks to the issue of scaling, whether for a small company with limited IT resources that would have to outsource the project or for a large corporation with many branch sites to address. Scaling the project in terms of cost is covered by the step-and-repeat process of virtualisation. Time to deploy is also a scaling issue. With zero-touch provisioning, it is possible to automate the process so that the path from downloading the software to commissioning can take as little as 30 minutes.

Most cloud deployments are not limited to a single cloud application. A recent RightScale State of the Cloud Report suggests that 85% of enterprises prefer this approach. With virtualised encryption, it is now possible to encrypt in a hybrid cloud with different flows going to various cloud providers. All of the encryption can be managed by a unified key system, which can be controlled by the service provider, the customer, or both.

And the quality of the protection? While IPsec has long been the standard for data transport, it performs poorly in software form. IPsec is a framework of open standards that has traditionally provided security for tunnels between VPN endpoints at the IP layer. Standardised in 1995, it is noted for its complexity, intensive CPU requirements and latency. Many companies have tried to compensate for this with specialised proprietary IPsec hardware. While hardware improves performance, it also forces vendor dependency. Now, however, we no longer have to rely on this standard and can instead use 21st-century government-grade software solutions. The best part is that the cost is a fraction of that of hardware encryption.

Agility, scaling, and flexibility are the three tenets of network functions virtualisation. Virtualised encryption covers all of these points. Maybe this is the NFV killer app that service providers have been looking for to create new revenue-bearing services. In the ever-changing threat environment for data in motion, virtualised encryptors, by their nature as software templates, offer modern techniques for upgrading technology and scaling to meet new and changing customer requirements, thus offering the best means of ensuring GDPR compliance.