Encryption: Magic and Myths (Part 2 - Myths)

10 myths, busted

Encryption is still an undervalued part of the security armoury, due in part to a lack of understanding and a lot of myths.
Myth #1 – Encryption will degrade my system performance

It is true that encryption has a cost, but there are many factors that affect total system performance. This is why most servers are not run at capacity — to ensure that spikes in activity don’t cripple the applications that run on them. In fact, applications such as databases and all the major operating systems have been tuned for decades to provide optimal performance by minimising the amount of time spent going to disk. As long as encryption is implemented correctly, the overhead can be minimal.

Most hardware is now built to help specifically with encryption processing. Most mid- and high-end Intel and AMD processors on the market today support AES-NI (AES New Instructions), running AES encryption in hardware to improve performance 8-10 times over encryption done in software. Fortunately, AES-NI has now become the norm in x86-style processors. This also has the added benefit of offloading encryption away from the general CPU processing, freeing up even more CPU capability for applications. Even if AES-NI is not present, as we continue to deploy virtualisation on systems with ever-faster commodity processors, the cost of extra CPU, especially in the cloud, is minor and can easily and cost-effectively improve encryption performance.

Look for a provider that not only automatically detects and uses AES-NI for encryption at hardware speeds, but one that also optimises encryption by performing that processing at precisely the place where the system’s normal I/O and memory operations are already happening. In our experience, encryption overhead is minimal and often undetectable because of these benefits. Other throughput constraints in the network or a non-optimal storage system configuration are most often the cause of any delays. These are where external bottlenecks typically appear, and they are not a result of encryption overhead. This is especially true in virtualised environments.
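The two checks a practitioner would run before blaming encryption for slow I/O, as an added example (not from the article or any vendor): confirm the CPU advertises AES-NI, then measure OpenSSL's AES throughput with the instructions allowed and with them masked off via OPENSSL_ia32cap. The function names are assumed; the benchmark helper needs the openssl CLI and the cpuinfo check is Linux-specific.

```shell
#!/bin/sh
# Added example, not from the article or any vendor: check whether an x86
# host advertises AES-NI and compare OpenSSL's AES throughput with the
# instructions enabled and masked off. All function names are assumed.

# has_aesni TEXT: succeeds if a /proc/cpuinfo-style "flags" line lists the
# "aes" feature (whole word, so "vaes" alone does not count).
has_aesni() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qw 'aes'
}

# aesni_status: read the live /proc/cpuinfo (Linux only) and print a verdict.
aesni_status() {
    if [ -r /proc/cpuinfo ] && has_aesni "$(cat /proc/cpuinfo)"; then
        echo "AES-NI: present"
    else
        echo "AES-NI: absent, or not detectable on this platform"
    fi
}

# aes_bench: run OpenSSL's AES-128-CBC benchmark twice. The second run sets
# OPENSSL_ia32cap to mask bit 57 (CPUID.1:ECX.AES), which makes OpenSSL
# ignore AES-NI and fall back to its software AES, so the two result lines
# show the hardware speed-up on this particular machine.
aes_bench() {
    command -v openssl >/dev/null || { echo "openssl not found" >&2; return 1; }
    echo "--- AES-NI allowed ---"
    openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1
    echo "--- AES-NI masked ---"
    OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-128-cbc 2>/dev/null | tail -n 1
}

aesni_status
```

Run `aes_bench` afterwards to see the throughput columns for both cases; a large gap between them means the host is relying on AES-NI and any VM or cloud instance type without it will pay the software cost.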

Myth #2 – Encryption terminology is too hard to understand

AES, Blowfish, symmetric key, 3DES, NIST key states, KMIP... there are a lot of buzzwords around encryption and key management. The mathematics behind encryption algorithms is difficult to understand, not to mention learning attack vectors like ‘man in the middle’, spoofing, and many others.

Poor encryption solutions can leave you exposed if they require your staff to understand too many mechanics. Wouldn’t it be nice if you could make simple choices such as:

– I want these new VMs encrypted and at the end of the year, I don’t want them to run anymore.

– I want to encrypt my data in Amazon, Savvis and Rackspace. I want to be able to decommission them securely when I choose.

Myth #3 – Managing all those encryption keys is a nightmare

There are many encryption solutions in use today and many of them simply do not address key management effectively. Using password protection for a key that encrypts data on a mobile device, notebook or desktop is fine. However, this does not scale well when dealing with tens, hundreds or thousands of encrypted devices. It is also not a good solution when one or two administrators are the only people who have access to the passwords or the keys. What happens if they leave the company? Do you know where all your keys are? Can you get them back?

To summarise the problem as seen by many, cryptography expert Bruce Schneier wrote in the preface to his book “Practical Cryptography”:

Having a layered system means you never have to deal with encryption keys, yet we ensure they are kept safe and secure. All you need to do is make sure your KeyControl server is occasionally backed up, just like you would any other data.

Myth #4 – It’s easy to lose my encryption keys

With encryption, if you lose your encryption keys, you lose access to your data. It is also very important that no single person has control of the keys, both for security reasons, as well as because simple human error can result in a very painful situation. As Robert Hanlon said ‘Never attribute to malice that which can be adequately explained by incompetence.’

This is why a layered, highly-available key management system is so critical. Look for a highly available key management cluster that allows you to have any number of key servers in any physical location.

Make sure key server backup images are encrypted and you’re provided with a simple policy option should you want to ensure no single administrator can restore from backup. Further, if you have encrypted VMs in Amazon, Savvis, or another provider and your keys are stored in your data centre, this means there’s no way that the provider can gain access to the keys.

Myth #5 – Encryption is hard to deploy

One of the most successful and widely used deployments of encryption is SSL. We all use SSL on a daily basis as we shop on the web, access on-line banking and other sites where sensitive data resides. There are solutions that make deployment incredibly simple.

Myth #6 – Encryption only secures the application

We often hear concerns about securing the snapshot and suspend files that are supported by virtualisation platforms, because any data that is in the VM’s memory is available to VM administrators in clear-text by simply snapshotting the VM.

Choose a solution where you can selectively encrypt all or part of the VM, without making any changes to the VM or applications, and one that works with all the major hypervisor vendors.

Myth #7 – Rotating encryption keys means application downtime

Key rotation is one of the biggest problems with traditional encryption systems today. Many regulations require periodic key rotation or that you rotate keys if administrators leave the organisation. Security best practices also often mandate key rotation. To rotate keys, you need to decrypt the data with key A and then re-encrypt the data with key B. Key A will then no longer be used. Vendors who do support key rotation require that you take your applications offline to rekey. With databases reaching the hundreds of gigabytes or even terabytes, this process can take many hours, if not days.

Choose a solution that performs key rotation while your applications are still running. That way, when you set your policy, you simply state how frequently you want key rotation to take place. Key rotation starts automatically and when it finishes, a completion message is generated. It is hands free and is done with no application downtime. It’s that simple.
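The rotation step described above (decrypt with key A, re-encrypt with key B, retire key A), as an added example using the openssl CLI that is not from the article or any vendor. The rewritten ciphertext is swapped in atomically so readers never see a partially rotated file; the function names are assumed.

```shell
#!/bin/sh
# Added example, not from the article or any vendor: rotate the key that
# protects one file with the openssl CLI, exactly as the article describes
# (decrypt with key A, re-encrypt with key B, then stop using key A). The
# new ciphertext is built under a temporary name and swapped in with mv, so
# a reader always sees either the old or the new complete file, never a
# half-written one. Function names are assumed. The legacy password KDF is
# used for portability; prefer -pbkdf2 on OpenSSL 1.1.1 or newer.

CIPHER="-aes-256-cbc"

# encrypt_file PLAINTEXT OUT KEYFILE: initial encryption under one key file.
encrypt_file() {
    openssl enc $CIPHER -salt -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_file CIPHERTEXT KEYFILE: write the plaintext to stdout.
decrypt_file() {
    openssl enc $CIPHER -d -pass "file:$2" -in "$1"
}

# rotate_key CIPHERTEXT OLDKEY NEWKEY: re-encrypt in a single stream (the
# plaintext never touches disk), then atomically replace the original.
rotate_key() {
    f="$1"; old="$2"; new="$3"; tmp="$f.rotating.$$"
    # Confirm key A really opens this file before rewriting anything.
    decrypt_file "$f" "$old" >/dev/null 2>&1 || return 1
    if openssl enc $CIPHER -d -pass "file:$old" -in "$f" \
       | openssl enc $CIPHER -salt -pass "file:$new" -out "$tmp" \
       && [ -s "$tmp" ]; then
        mv "$tmp" "$f"    # readers see either the old or the new ciphertext
        return 0
    fi
    rm -f "$tmp"          # a failed rotation leaves the original untouched
    return 1
}
```

For a multi-terabyte database the same stream-and-swap pattern still means the rewrite runs for as long as the data takes to pass through both cipher invocations, which is the cost the myth is about; the atomic rename only keeps readers consistent, it does not shorten the rewrite.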

Myth #8 – Enterprise-grade encryption is expensive

Basic open-source encryption software like TrueCrypt has downloads in the tens of millions, which certainly speaks to the need for encryption solutions. Enterprise-grade solutions traditionally require hardware-based key management systems, which can cost you tens of thousands of dollars before you secure your first server. As you add servers, costs can skyrocket. As organisations move to virtualisation and the cloud to get better scalability and cost savings, they don’t want to break the bank just to ensure this data is secure.

Look for a solution that allows you to implement enterprise-grade security with ease.

Myth #9 – Encryption in the cloud isn’t secure

If your Cloud Service Provider is encrypting your data, but they also hold the encryption keys, does that protect you? Having sensitive data encrypted in the public cloud is certainly better than no encryption at all, but many organisations want to hold the keys themselves. Would you give the keys to your house to someone you didn’t know?

Depending on your requirements you can encrypt your data in the private, hybrid or public cloud and maintain your own key server. And at all times, you stay in control. Decommissioning from the cloud or switching providers is simple: click a button and you can ensure that any data left behind is fully encrypted and will never be accessible.

Myth #10 – Encryption solutions don’t work across all platforms

Most organisations use hardware and operating systems from multiple vendors. Encryption vendors have typically faced challenges supporting this myriad of platforms. This is even more true for virtualised environments, especially if your organisation leverages public cloud, where you have limited control over infrastructure.

Look for a provider that supports all the dominant hypervisor platforms (VMware, Xen, KVM, Hyper-V) and supports encryption within the guest operating system (Windows and Linux) or at the storage layer, offering consistent security and key management as you make the move from private to hybrid to public cloud.

Summary

Good security practice shouldn’t happen just because someone tells you to. With a rock solid, enterprise-grade encryption and key management system, security can become an enabler. You can virtualise your mission critical applications. You can move to the public cloud.
