By Jared Hrabak, Consulting Cybersecurity Engineer
Remember in the early days of the Internet when there seemed to be little care or concern about online security? You were excited to go online and find cool new things you’d never even dreamed of before. You’d put your contact information into a form without giving it a second thought. You could create and publish online content about nearly any topic and people would easily find you… fast. Maybe you’re too young to have lived through that historic time… but it was pretty exciting, and WOW, we’ve come a long way.
Now it seems with each passing day, business gets more complex… and so does security. As more and more companies have moved data to the cloud, while maintaining some on-premise infrastructure and frequently moving large data sets between locations, cybercriminals are finding new and innovative ways to disrupt that movement and steal data for nefarious reasons.
Enter a fast-evolving security space: high-speed data encryption (HSE), specifically designed to encrypt and secure data-in-motion.
Sure, in reality, data encryption has been around for a long time… so, I won’t go down this rabbit hole here. Thales Group does a great job of detailing that history anyway, going back to circa 600 BC, if you can believe it! Check out their blog on it… a fascinating read. I will say, however, that we’re increasingly working with clients who have a lot of systems and data all over the place – on-premise, in the cloud, at rest, in motion, and everywhere in between, including frequently transferring large datasets between locations. Can you say ‘exponentially more risk!?’
Are the Days of IPSec Tunnels Finally Over?
You likely understand and have used IPSec tunnels. If you’re unfamiliar, this is an Internet Protocol Security encryption method for protecting sensitive data (think financial transactions, medical records, customer data, etc.) as it’s transmitted across a network, encrypting all data sent between two endpoints.
However, what you may not realize is that where there are large data sets, the amount of time and resources required to securely move that data between locations can be gargantuan. In one case, a client was aiming to replicate a few terabytes of data across a 1GB pipe, and it took more than eight hours. That transit time not only eats up a lot of compute resources, it also dramatically increases your security exposure risk.
As networks are under a constant barrage of attacks, advanced high-speed encryption that improves security, eliminates the need for IPSec, and reduces the time and resources required is quickly becoming a new standard.
What to Look for in a High-Speed Data Encryption Solution
There are seven key elements to consider when you’re hunting for a data-in-motion encryption solution to upgrade your current data security strategies:
1. Look for a single platform that was architected to ‘encrypt everywhere,’ from your network traffic between data centers, your various locations and headquarters, and your backup and disaster recovery sites.
Managing multiple encryption systems to try and coordinate data security everywhere gets complicated fast, which means risk exposure when systems don’t ‘talk’ to each other effectively. It doesn’t matter if your data is on-prem, in the cloud, at rest, or in transit – one encryption system will result in a more secure strategy.
2. Leverage Layer 2 and 3 encryption to ensure data-in-motion security without any compromises. That means you should get maximum throughput with minimal latency, empowering you to better protect any data format, including video, voice, and metadata, from overt and covert interception and surveillance.
3. Up your security game on your most sensitive traffic. The latest, most advanced encryptors are hardware-based, stand-alone appliances that deliver robust encryption and FIPS 140-2 Level 3 tamper-resistant key management capabilities.
Be sure the solution you short-list has been rigorously tested and certified to be in compliance with the requirements of Common Criteria, the Federal Information Processing Standard (FIPS), and that it has been thoroughly vetted by such organizations as the Defense Information Systems Agency (DISA UC APL) and NATO.
4. Ensure the encryption solution meets the specifications for Suite B cryptographic algorithms (AES-256, ECDSA, ECDH, and SHA-512) for secure communications. While some solutions use NIST-certified random number generators, others use advanced key management in which keys are generated and stored in hardware, ensuring that the keys are always under your control, even in multi-tenant environments.
5. Look for high performance and high availability. The last thing you need is encryption system outages. Ask your shortlist of providers whether they have proven uptime statistics in demanding, performance-intensive environments with near-zero latency, and whether they operate in full-duplex mode at full line speed without the risk of packet loss.
6. Ask about reporting and diagnostic capabilities. Today’s most advanced encryption solutions give administrators clear and early warning signs of potential issues before they impact the business. This allows your admin team to remain vigilant and proactive around the clock.
7. Be sure it’s interoperable. Encryption solutions that are not flexible and interoperable enough to work with any vendors and systems you have in place are essentially worthless. You’ll need to verify the solution is compatible with all of the major network vendors across your environment and can be relatively easily adapted to meet your evolving security and network requirements as they change.
The solution should also support network speeds of 10 Mbps to 100 Gbps, and support single to multi-port appliances, as well as be offered in both hardware and virtual formats.
Need help choosing a platform?
“As a Cybersecurity Engineer, Jared partners with clients to help them identify product solutions that match their cybersecurity governance, risk and compliance objectives. He enjoys educating and advocating for a successful cybersecurity practice by focusing on client success. Jared brings a wealth of experience in content filtering, cybersecurity operations, and military service to help put clients on the path to success.”
Jared Hrabak, Consulting Cybersecurity Engineer