Feeds

Pervasive encryption: Just say yes

Never mind the performance penalty

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Cloud In my day job as a sysadmin for a small business, and in my moonlighting as a freelance tech consultant, I get to do a lot of thinking about security.

Ignorance of information security among small businesses is hardly news but in my experience many small businesses are only now getting the hang of securing their local PCs - just in time to become infatuated by cloud computing tools they barely understand.

Picture the scene at a typical small retailer. After finding the consternation-inducing 69p that someone dropped on the floor, the bored till-jockey goes into the back room and fires up the ten-year-old MacBook. Several minutes later, the browser loads. The opportunity has at last arisen to punch in the sacred credentials written down on the battered yellow Post-it.

A couple of links are clicked; the till-jockey is now editing a cloud-hosted spreadsheet. Numbers from the till are entered absent-mindedly while texting friends and grabbing personal items in preparation for leaving. A box pops up; an annoyed stab is made in the general direction of “yes, okay” or whatever it seems will make said unwanted and irrelevant intrusion into consciousness go away. The document is saved immediately before the till jockey dashes out the door to catch the bus.

Compromising position

Behind the scenes, what has happened is much more interesting. Someone using a suite of applications bought online has begun to attack the network. The Wi-Fi – using WEP – is for all intents and purposes unsecured; the WEP secret to the network is easily cracked. A well-known vulnerability is exploited to breach and then root the Wi-Fi router. Our attacker has just given himself the ability to perform man-in-the-middle attacks. A security alert pops up on the browser of our bored till-jockey, but he has bypassed it in his hurry to go home.

The password for the cloud service is scraped from the HTTP session, and some very minor code injection allows a complete download of the browser history. The code injection also allows the exploitation of the un-patched, leading to the local system being rooted. Rampant password re-use allows access to the company’s complete stack of cloud services. Email, banking, accounting, CRM/ERP/BIS – including a great deal of customer personally identifiable information – have just been compromised in a matter of minutes.

With this sort of scenario in mind I want to make the case for pervasive encryption. Encryption is by no means free; it exacts a performance penalty that at cloud scale can mean millions or even billions of dollars. Traditionally, every three cores in use doing actual work has meant one core dedicated to encryption.

From a pure hardware standpoint, this is not the end of the world. Chips are cheap and getting cheaper. More and faster cores are continuously available running in the same or lower thermal envelopes.

Increasingly, modern systems are shipping standard with NICs, HBAs and other devices peripherals that offer more options than running encryption on the CPU. Hardware virtualization tech continually lessens the penalties of that technology; and new management tools integrate with our data centres to move loads around the room in order to deal with “hot spots.”

There are other costs; the increased electrical and cooling loads generated by encryption can’t simply be wished away. With dedicated and specialized crypto-processors however, the toll exacted for encrypting everything everywhere should be significantly less than the 25 per cent paid by doing it all in software.

As well as hardware considerations, pervasive encryption brings up some weighty software licensing issues. Anyone using Oracle-anything will go more than a little pale at the thought of suddenly having 25 per cent of their processing capacity vanish into encryption. Dedicated FPGAs and ASICs are available for cloud-scale deployments where licensing is a serious consideration. These allow serious crypto to be done - often without any licensing impact.

Except for dedicated communications channels between diligently maintained back-end systems, pervasive encryption is unquestionably worth it. Various flavours of encryption are one part of properly securing our own networks and ensuring its widespread use boosts security the networks of our customers as well as our own.

Nobody wants their credit card compromised the next time they go out to buy fish food. Especially if the entire incident could have been avoided by a little bit of encryption at any of several different points along the way. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Space Commanders rebel as Elite:Dangerous kills offline mode
Frontier cops an epic kicking in its own forums ahead of December revival
Intel's LAME DUCK mobile chips gobbled by CASH COW
Chipzilla won't have money-losing mobe unit to kick about anymore
First in line to order a Nexus 6? AT&T has a BRICK for you
Black Screen of Death plagues early Google-mobe batch
Ford's B-Max: Fiesta-based runaround that goes THUNK
... when you close the slidey doors, that is ...
Disturbance in the force lets phones detect gestures with Wi-Fi
These are the movement detection devices you're looking for
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.