
Pervasive encryption: Just say yes

Never mind the performance penalty


In my day job as a sysadmin for a small business, and in my moonlighting as a freelance tech consultant, I get to do a lot of thinking about security.

Ignorance of information security among small businesses is hardly news but in my experience many small businesses are only now getting the hang of securing their local PCs - just in time to become infatuated by cloud computing tools they barely understand.

Picture the scene at a typical small retailer. After finding the consternation-inducing 69p that someone dropped on the floor, the bored till-jockey goes into the back room and fires up the ten-year-old MacBook. Several minutes later, the browser loads. The opportunity has at last arisen to punch in the sacred credentials written down on the battered yellow Post-it.

A couple of links are clicked; the till-jockey is now editing a cloud-hosted spreadsheet. Numbers from the till are entered absent-mindedly while texting friends and grabbing personal items in preparation for leaving. A box pops up; an annoyed stab is made in the general direction of “yes, okay” or whatever it seems will make said unwanted and irrelevant intrusion into consciousness go away. The document is saved immediately before the till-jockey dashes out the door to catch the bus.

Compromising position

Behind the scenes, what has happened is much more interesting. Someone using a suite of applications bought online has begun to attack the network. The Wi-Fi – using WEP – is for all intents and purposes unsecured; the WEP secret to the network is easily cracked. A well-known vulnerability is exploited to breach and then root the Wi-Fi router. Our attacker has just given himself the ability to perform man-in-the-middle attacks. A security alert pops up on the browser of our bored till-jockey, but he has bypassed it in his hurry to go home.

The password for the cloud service is scraped from the HTTP session, and some very minor code injection allows a complete download of the browser history. The code injection also allows the exploitation of the un-patched, leading to the local system being rooted. Rampant password re-use allows access to the company’s complete stack of cloud services. Email, banking, accounting, CRM/ERP/BIS – including a great deal of customer personally identifiable information – have just been compromised in a matter of minutes.

With this sort of scenario in mind I want to make the case for pervasive encryption. Encryption is by no means free; it exacts a performance penalty that at cloud scale can mean millions or even billions of dollars. Traditionally, every three cores in use doing actual work has meant one core dedicated to encryption.

From a pure hardware standpoint, this is not the end of the world. Chips are cheap and getting cheaper. More and faster cores are continuously available running in the same or lower thermal envelopes.

Increasingly, modern systems are shipping as standard with NICs, HBAs and other peripherals that offer more options than running encryption on the CPU. Hardware virtualization tech continually lessens the penalties of that technology, and new management tools integrate with our data centres to move loads around the room in order to deal with “hot spots.”

There are other costs; the increased electrical and cooling loads generated by encryption can’t simply be wished away. With dedicated and specialized crypto-processors, however, the toll exacted for encrypting everything everywhere should be significantly less than the 25 per cent paid by doing it all in software.

As well as hardware considerations, pervasive encryption brings up some weighty software licensing issues. Anyone using Oracle-anything will go more than a little pale at the thought of suddenly having 25 per cent of their processing capacity vanish into encryption. Dedicated FPGAs and ASICs are available for cloud-scale deployments where licensing is a serious consideration. These allow serious crypto to be done - often without any licensing impact.

Except for dedicated communications channels between diligently maintained back-end systems, pervasive encryption is unquestionably worth it. Various flavours of encryption are one part of properly securing our own networks, and ensuring its widespread use boosts the security of our customers' networks as well as our own.

Nobody wants their credit card compromised the next time they go out to buy fish food. Especially if the entire incident could have been avoided by a little bit of encryption at any of several different points along the way. ®
