Why Group Keying is the "Key" to Cloud Security

The characteristics of cloud environments are typically described with the terms "scalable", "dynamic" and "elastic" - terms that are nearly the opposite of the user experience with IPsec tunnels, the predominant method of securing connections to virtualized private data centers and public cloud infrastructures.

The IPsec tunnel method of securing data in motion also leaves control of the policies and keys with the cloud provider, which violates data privacy regulations and security best practices. Entrusting both the encrypted data and the encryption keys to the same provider is like locking the front door and then leaving the key in the lock. Furthermore, tunnels force point-to-point connectivity, which is limited to two endpoints per tunnel. This point-to-point mapping of large-scale distributed networks can become exponentially complex, to the point of being prohibitive in terms of both the cost to manage and the performance limitations it imposes.

Group keying, however, is ideally suited for network encryption in virtualized and cloud environments because of its elegant scalability, easy management, and its ability to allow policies and keys to be controlled centrally, from the client side of the secure connection. Group keying also eliminates the need to negotiate keys on a point-to-point basis, which becomes intractable as the number of endpoints grows.

With group keying, keys are generated centrally and then securely distributed to authenticated group members. Once the keys are distributed to the group, any group member can communicate securely with any other member without making changes to existing addressing schemes. The group key used to encrypt data destined for one group member is the same key used to encrypt data destined for all of the group members. This is very different from tunnel-based solutions. With tunnels, the system negotiates and then must maintain a unique key for every possible pair of endpoints. Maintaining this information and looking up which key to use for every incoming packet degrades the performance and limits the scalability of tunnel-based solutions; this is the scalability issue commonly referred to as the n*(n-1) problem, where the number of tunnels grows as n*(n-1) as the number of endpoints n increases. Furthermore, managing these point-to-point tunnel-based solutions and adding tunnels becomes difficult and time-consuming after a handful of tunnels are provisioned.
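The contrast above can be made concrete with a small model. The following is an added example written for this page, not Certes Networks code: it compares a tunnel-style key store, where each ordered pair of endpoints needs its own key, with a group key server that hands one key only to members who authenticate, and it protects each frame with an HMAC-SHA256 tag so a receiver can verify it. The member credentials, endpoint names and keys are constructed for the illustration, and the frame protection is authentication only (a real deployment would also encrypt the payload).

```python
"""Pairwise (tunnel) keying versus group keying: constructed model.

Added illustration, not vendor code. Member credentials are made-up shared
secrets; keys are random bytes; frames are authenticated with HMAC-SHA256.
"""
import hashlib
import hmac
import os

TAG_LEN = 32  # SHA-256 digest length


class PairwiseKeying:
    """Tunnel model: every ordered pair of endpoints holds its own key."""

    def __init__(self):
        self.keys = {}          # (src, dst) -> key, one entry per direction
        self.negotiations = 0   # pairwise key negotiations performed
        self.endpoints = []

    def add_endpoint(self, name):
        # A new endpoint must negotiate with every endpoint already present.
        for other in self.endpoints:
            self.keys[(name, other)] = os.urandom(32)
            self.keys[(other, name)] = os.urandom(32)
            self.negotiations += 1
        self.endpoints.append(name)

    def key_for(self, src, dst):
        return self.keys[(src, dst)]   # one table lookup per packet


class GroupKeying:
    """Group model: a central server distributes one key to authenticated members."""

    def __init__(self, credentials):
        self.credentials = credentials   # member name -> shared secret (constructed)
        self.group_key = os.urandom(32)
        self.members = set()
        self.distributions = 0           # key deliveries performed

    def join(self, name, secret):
        # Only a member that proves its credential receives the group key.
        expected = self.credentials.get(name, b"")
        if not hmac.compare_digest(expected, secret):
            raise PermissionError(f"{name}: authentication failed")
        self.members.add(name)
        self.distributions += 1
        return self.group_key

    def rekey(self):
        # One fresh key, redistributed once per member (e.g. after a member leaves).
        self.group_key = os.urandom(32)
        self.distributions += len(self.members)


def key_counts(n):
    """Keys an n-endpoint full mesh must hold: n*(n-1) pairwise versus one group key."""
    return {"pairwise": n * (n - 1), "group": 1}


def protect_frame(key, payload):
    """Append a per-frame HMAC tag so any key holder can authenticate the frame."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_frame(key, frame):
    """Return the payload if the tag verifies, else None (frame is discarded)."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, tag) else None


def simulate(names, credentials):
    """Bring up the same endpoints under both models and report the key state."""
    pair, group = PairwiseKeying(), GroupKeying(credentials)
    for name in names:
        pair.add_endpoint(name)
        group.join(name, credentials[name])
    return {
        "pairwise_keys": len(pair.keys),
        "pairwise_negotiations": pair.negotiations,
        "group_keys": 1,
        "group_distributions": group.distributions,
    }


if __name__ == "__main__":
    creds = {f"vm{i}": os.urandom(16) for i in range(5)}   # constructed members
    print(simulate(list(creds), creds))
    print(key_counts(10_000))
```

Because every member holds the same key, a valid tag proves the frame came from some group member, not from which member; source identification among members has to come from elsewhere (for example, the policy layer). Adding a member in the group model costs one authenticated distribution, whereas in the pairwise model it costs one negotiation with every existing endpoint.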

Essential Solution Components

Virtual machines (VMs) executing in a cloud environment often need to communicate securely with other VMs and physical servers in a private data center; however, secure connectivity is not enough. The following are essential solution components for securing back-end network traffic and solving the issues described in the previous section.

Encryption and Authentication
The only way to provide data privacy, data integrity and cryptographic isolation is to encrypt and authenticate each network packet or frame. In a shared cloud or virtualized environment, it is critical that the encryption terminates at the servers where sensitive information is produced and consumed rather than at a gateway at the provider edge of the cloud. It is not enough to encrypt network traffic across the wide area network while leaving it unprotected in the cloud network. The shared cloud network poses a security risk to unprotected traffic.

Cryptographic Isolation
Traffic should be encrypted and authenticated (per frame) such that it is unreadable and unusable to all other cloud customers who may receive the traffic accidentally or through illicit means. Traffic from other cloud customers should be blocked by default unless explicitly allowed by a policy.

Performance: High Bandwidth and Low Latency
Having the option to choose between hardware or software encryption on a per-site basis allows organizations to determine the appropriate balance between performance, cost and user self-provisioning. It is important to have the option to deploy hardware-based encryption appliances where appropriate in the network. The alternative to hardware-based appliances is software-based virtual encryption appliances. Virtual appliances are easy to deploy, and the encryption capacity can scale up as underlying hardware server resources are added. With group keying, encryption capabilities expand as the workload expands, so capacity scales to match the workload. This is exactly how cloud services should work.

Scalability
As the number of virtual servers in the environment grows, scalability of the security solution will become increasingly important. The group keying technology pioneered by Certes Networks provides a solid foundation for encrypted full-mesh cloud connectivity among tens of thousands of endpoints. This proven technology has been deployed and working for years in hundreds of networks throughout the world. While group keying is important for networks containing hundreds of network nodes, it is absolutely essential to allow cloud environments to scale to tens of thousands of servers.

Redundancy
Group keying can provide hitless redundancy of encrypted traffic and also allows load balancing to work seamlessly. Simply put, group keying allows the network to work the way you designed it in the first place.

Customer Control of Encryption Keys
Encryption provides a safe harbor for most data privacy regulations, but this usually requires organizations to maintain control of their own policies and keys for regulatory reasons. Likewise, cloud providers may not wish to bear the financial and legal burdens associated with being in possession of the keys. Organizations should not settle for a solution that does not allow them to control their own encryption keys.

Flexibility
Solutions that are policy-based and allow organizations to simply and easily select which traffic to encrypt, drop or pass in the clear have a clear advantage over those solutions that do not. Many tunnel-based solutions do not offer flexible policy controls that allow security administrators to specify the required connectivity and encryption policies needed for compliance grade security.
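The policy model described here and under Cryptographic Isolation (traffic blocked by default unless a policy allows it; allowed traffic encrypted, dropped or passed in the clear) can be sketched as a first-match rule list. The following is an added example for this page, not Certes Networks code or policy syntax; the address ranges, ports and rules are constructed for the illustration.

```python
"""Policy-based traffic selection: encrypt, drop or pass in the clear.

Added illustration, not vendor code. Rules are evaluated first-match and an
implicit final rule drops anything no rule allows (deny by default).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "encrypt", "drop" or "clear"

    def matches(self, src_ip, dst_ip, dst_port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == dst_port))


class Policy:
    """First-match rule list with an implicit final drop."""

    DEFAULT = "drop"

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, src_ip, dst_ip, dst_port):
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dst_port):
                return rule.action
        return self.DEFAULT


# Constructed example: 10.1.0.0/16 holds our cloud VMs, 192.168.10.0/24 the
# private data center, and 10.9.9.9 is a time server allowed in the clear.
POLICY = Policy([
    Rule("10.1.0.0/16", "10.9.9.9/32", 123, "clear"),          # NTP in the clear
    Rule("10.1.0.0/16", "192.168.10.0/24", None, "encrypt"),   # VM -> data center
    Rule("192.168.10.0/24", "10.1.0.0/16", None, "encrypt"),   # data center -> VM
    Rule("10.1.0.0/16", "10.1.0.0/16", None, "encrypt"),       # VM <-> VM
])


def classify(flows, policy=POLICY):
    """Map each (src_ip, dst_ip, dst_port) flow to the action the policy selects."""
    return {flow: policy.decide(*flow) for flow in flows}


if __name__ == "__main__":
    sample = [
        ("10.1.4.7", "192.168.10.20", 443),   # our VM to our data center
        ("10.1.4.7", "10.9.9.9", 123),        # NTP, allowed in the clear
        ("10.1.4.7", "10.9.9.9", 22),         # SSH to the time server: no rule
        ("10.200.0.5", "10.1.4.7", 80),       # another tenant's range: no rule
    ]
    for flow, action in classify(sample).items():
        print(flow, "->", action)
```

Traffic from an address range that belongs to another cloud customer never matches a rule and therefore falls through to the default drop, which is the deny-by-default behaviour the text calls for; the only traffic that leaves a server unencrypted is what an explicit "clear" rule names.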

Conclusion

The technology that enables these essential solution components has been proven over nearly ten years of deployments to government agencies, defense contractors, financial organizations, as well as enterprises looking to secure PCI, HIPAA, HITECH and other compliance-driven sensitive information. Certes Networks is building on these proven technologies to provide a solution that makes the cloud safe for sensitive workloads. Our unique ability to enable scalable and transparent network encryption for the cloud allows the adoption of optimized solution architectures for data centers and cloud environments that dramatically reduce IT costs.

To learn more about Certes Networks' cloud security solutions contact us at 1-888-833-1142 or feel free to ask us a question.

Learn More:
vCEP Datasheet
vCEP Brochure
Cloud Security Solution Note
Making the Cloud Safe for Sensitive Workloads
TrustNet Manager Whitepaper

Related Information:
Certes TrustNet Manager™
CEP VSE Encryption Appliances
10 Gigabit Encryptors