Over the past decade, organisations across every vertical market have attempted a wary balance between regulatory compliance and business agility. Yet with the arrival of the General Data Protection Regulation (GDPR) set to raise the bar yet again in 2018, how can organisations navigate ever more onerous regulatory requirements – and penalties for failure to comply; escalating security risks; dispersed and diverse infrastructure models and still achieve operational performance objectives? asks Paul German, pictured, CEO of software security company Certes Networks.
Given evolving regulatory demands and threat landscape, securing data in motion – especially across Wide Area Networks (WAN) – is clearly essential. But when traditional encryption has fundamentally compromised both network performance and essential troubleshooting, once again security and agility are in conflict.
In this increasingly regulated environment, encryption is – or should be – a fundamental component of the defence in depth security model. While organisations globally have been wrestling with the escalating security demands created in a continually evolving cyber threat landscape, the introduction in 2018 of the GDPR radically extends the business implication of any data breach. After May 2018, not only must a company inform all affected by the security breach, as well as the Information Commissioner’s Office, within 72 hours but the fines can be up to €20 million or 4% of global revenues. There is a very real risk that a data breach could lead to company failure.
Given the growing acceptance that breach is a ‘when’ not ‘if’ event, organisations have evolved beyond perimeter only security models to increasingly lock down data – both at rest and in motion. Yet data encryption has had a chequered history. Whilst in theory the ability to make all information unintelligible, unusual and valueless to hackers and thieves is clearly compelling, the challenges associated with deploying, maintaining and managing encryption technologies have deterred and inhibited many organisations.
The key problem is the way in which encryption has been deployed to date. Traditionally an organisation’s infrastructure is broken down into seven layers – following the Open Systems Interconnection model (OSI model), from the physical (Layer 1) through to Application (Layer 7). The usual technique of adding encryption at Layer 2 (Data Link) and Layer 3 (Network) essentially means asking routers and switches to undertake an additional – and demanding – task.
The result is not only drastically compromised network performance but also significant management and troubleshooting issues – often bad enough to drive organisations to switch off the encryption solution. In addition, as soon as Layer 2 and Layer 3 encryption is switched on, the organisation is completely blind to the traffic going across the network: it is not just the data that is encrypted but the file headers and network packets. The only option, therefore, when the application team needs to investigate performance problems is to switch off encryption – creating additional risk and leading to a security/operations stand-off.
Layer 4 Encryption
The answer to the continued friction between operational goals and security imperatives is to decouple encryption from the infrastructure completely. Rather than being embedded in routers, switches or firewalls, Layer 4 encryption technology is completely separate from the underlying infrastructure. By creating an overlay solution that is dedicated to providing the level of trust for data in motion and applications moving across the infrastructure, this model avoids any impact on network performance and complexity. Furthermore, Layer 4 operates in ‘stealth’ mode: it is only the data payload that is encrypted – not the entire network data packet.
This approach has two essential benefits. Firstly, a hacker that cannot see that encryption has been turned on (because the file headers are not encrypted), will have no idea whether the data is sensitive or not – it all looks like worthless data, malformed and of no use. Secondly, if the organisation needs to troubleshoot, key information – such as source/destination ports and IP Address information is still visible, enabling investigation and remedial work to be undertaken whilst the encryption is still turned on. All of the complex management and maintenance problems created by Layer 2 and Layer 3 encryption are removed. The data in motion is secure without adding complexity or compromising operational performance of the infrastructure.
Layer 4 encryption also overcomes the problems created by application vendors opting to introduce third party encryption solutions into applications to create a secure connection between clients and servers. While the theory was great, security threats such as Heartbleed and Poodle, which compromised sessions, threw application vendors into a spin. The challenge of getting the third party to fix the problem, then update the application, download a patch and ensure customers have applied that patch across their estate is huge – leaving many applications still unpatched years later. Creating a Layer 4 encryption overlay ensures that application data is secure and resolves the software provider’s security challenges. Indeed, even if the application encryption has been updated, adding Layer 4 encryption creates a double encryption model that ensures whatever may happen in the future to compromise the application – Heartbleed Mark 2 – the organisation will be secure.
The additional benefit of decoupling encryption from the infrastructure is that it supports the zero trust model that is gaining growing support across the security industry in response to the ever changing threat landscape. While it may appear logical to assume all owned infrastructure – from data centres to branch offices, LANs to private WANs – is under the organisation’s control and hence secure, in practice the reality is very different.
Firstly, the vast majority of data breaches now occur as a result of user compromised credentials – providing a hacker with direct access to that trusted network. Secondly, the concept of a private WAN is flawed: ‘private’ WAN services are typically multiple organisations’ connections delivered over a single shared managed service network using simple labels to separate customer traffic. Unfortunately, simple misconfigurations can result in the networks of two or more organisations becoming merged; at which point ‘secure’ data is not only open to the service provider? but also at the mercy of that organisation’s security posture – or lack of it. That ‘owned’ infrastructure is neither under the organisation’s control nor secure.
What value is a Service Level Agreement with a service provider when the organisation has been breached, the regulator is set to impose huge fines and customer confidence has plummeted? Passing the baton of security over to a third party without truly understanding and then mitigating that risk is a mistake. The only way to ensure that an organisation’s data is secure is to encrypt it before it hits the WAN – if the data does fall into the wrong hands it is of absolutely no use at all.
Conclusion
This is the fundamental concept that organisations need to understand – trust nothing, secure everything. By adopting a zero trust model and accepting an inherent risk of breach organisations can take a far more proactive approach to securing data across the entire infrastructure. Adding Layer 4 Stealth encryption not only secures critical data – and underpins compliance with regulations including GDPR – but it does so without compromising network performance or operational agility.
