Editor's note: This article on network data encryption security is part of our three-part series on complex cloud computing security and the network control issues facing network engineers charged with extending secure access to their approved users on an infrastructure outside the firewall, which can also be outside their comfort zones. To make sure applications and data are secure enough to meet enterprise policy rules, check out how to
balance cloud risks with convenience, then how to build secure cloud infrastructure using single sign-on.
For big businesses to stay competitive,
most will need to move to a network infrastructure that can accommodate any-to-any connectivity -- devices, applications and third parties all interacting with one another. Since the Internet will be the common location and communication channel, data encryption security becomes the most important defense. Encrypted data is intrinsically protected, which is why it is mandated in so many laws and regulations.
Because cloud computing somewhat blurs the distinction amongn data at rest, data in motion and data in use, all data and communications will need to be encrypted, even if other services are protecting it.. This means encrypting access to control interfaces, not just applications and data. Furthermore, data destruction is extremely difficult in a cloud environment, but encryption renders data unreadable even when storage is disposed of. It also allows the separation of roles and data, as encryption keys control access to the data.
As a network engineer, you'll need to ensure network devices can handle the processor-intensive public key encryption algorithms involved in Secure Sockets Layer (SSL)-encrypted communications. SSL accelerator cards or proxies handling all SSL operations may need to be added to your infrastructure. Firewalls protecting the internal network should certainly be upgraded so they can inspect SSL traffic. They should ideally work in concert with data-loss prevention products so data can be classified and monitored, and policies enforced -- a good reason to use Extensible Access Control Markup Language (XACML) to define data access control and policy.
Cloud computing move should trigger review of data encryption security algorithms
The reality of what constitutes strong data encryption security changes over time, so a move to cloud computing is a good time to review the cryptographic algorithms used within your network.
You should be looking to use 256-bit Advanced Encryption Standard (AES) as the standard across all components. Network protocols generally follow the big-endian format, but processor and hardware architectures use both, and this can affect encrypt and decrypt results, so check any new devices for compatibility.
Also, the protocol at the heart of your Internet communications is going to change. IPv4 is becoming IPv6. Federal government agencies and service providers are switching and so must you. Many of the devices you already run will be dual-stacked, often opting to communicate using IPv6 if they have the option. Firewalls may need physical or software upgrades and additional configuration to protect IPv6 traffic, however. This requires an understanding of the differences between the two protocols, which will also help you get the most out of the IPv6 feature list. For example, IPv6 has a secure equivalent of the Address Resolution Protocol (ARP) called SeND (Secure Neighbor Discovery). Unfortunately, spam, spyware and malware will all still exist, so content filtering devices need to look for them in both IPv4 and IPv6 packets.
For many smaller businesses, cloud computing can be more secure than their own IT infrastructures. But to truly establish itself as a viable extension of the enterprise computing ecosystem, the cloud must provide security that can be audited against compliance requirements and is on a par with what exists inside the firewall.
Test then deploy: A smart way to check data encryption security in the cloud
Many organizations are testing these requirements by first developing and experimenting with internal or hybrid clouds. The security of these new infrastructures will need validating. This is best done by conducting an audit of your security policy and security systems, focusing on whether they remain relevant. Certainly moving any applications or data to the cloud will require a complete review of your disaster recovery policies and procedures. They will need to be integrated with and address any limitations of your cloud provider's plan. Network engineers in particular will need to understand their new roles within the overall continuity plan.
About the author: Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in December 2009