Pervasive encryption: Just say yes

Never mind the performance penalty

In my day job as a sysadmin for a small business, and in my moonlighting as a freelance tech consultant, I get to do a lot of thinking about security.

Ignorance of information security among small businesses is hardly news, but in my experience many small businesses are only now getting the hang of securing their local PCs - just in time to become infatuated by cloud computing tools they barely understand.

Picture the scene at a typical small retailer. After finding the consternation-inducing 69p that someone dropped on the floor, the bored till-jockey goes into the back room and fires up the ten-year-old MacBook. Several minutes later, the browser loads. The opportunity has at last arisen to punch in the sacred credentials written down on the battered yellow Post-it.

A couple of links are clicked; the till-jockey is now editing a cloud-hosted spreadsheet. Numbers from the till are entered absent-mindedly while texting friends and grabbing personal items in preparation for leaving. A box pops up; an annoyed stab is made in the general direction of “yes, okay” or whatever it seems will make said unwanted and irrelevant intrusion into consciousness go away. The document is saved immediately before the till jockey dashes out the door to catch the bus.

Compromising position

Behind the scenes, what has happened is much more interesting. Someone using a suite of applications bought online has begun to attack the network. The Wi-Fi – using WEP – is for all intents and purposes unsecured; the WEP secret to the network is easily cracked. A well-known vulnerability is exploited to breach and then root the Wi-Fi router. Our attacker has just given himself the ability to perform man-in-the-middle attacks. A security alert pops up on the browser of our bored till-jockey, but he has bypassed it in his hurry to go home.

The password for the cloud service is scraped from the HTTP session, and some very minor code injection allows a complete download of the browser history. The code injection also allows the exploitation of the un-patched, leading to the local system being rooted. Rampant password re-use allows access to the company’s complete stack of cloud services. Email, banking, accounting, CRM/ERP/BIS – including a great deal of customer personally identifiable information – have just been compromised in a matter of minutes.

With this sort of scenario in mind I want to make the case for pervasive encryption. Encryption is by no means free; it exacts a performance penalty that at cloud scale can mean millions or even billions of dollars. Traditionally, every three cores in use doing actual work has meant one core dedicated to encryption.

From a pure hardware standpoint, this is not the end of the world. Chips are cheap and getting cheaper. More and faster cores are continuously available running in the same or lower thermal envelopes.

Increasingly, modern systems are shipping standard with NICs, HBAs and other peripheral devices that offer more options than running encryption on the CPU. Hardware virtualization tech continually lessens the penalties of that technology; and new management tools integrate with our data centres to move loads around the room in order to deal with “hot spots.”

There are other costs; the increased electrical and cooling loads generated by encryption can’t simply be wished away. With dedicated and specialized crypto-processors however, the toll exacted for encrypting everything everywhere should be significantly less than the 25 per cent paid by doing it all in software.

As well as hardware considerations, pervasive encryption brings up some weighty software licensing issues. Anyone using Oracle-anything will go more than a little pale at the thought of suddenly having 25 per cent of their processing capacity vanish into encryption. Dedicated FPGAs and ASICs are available for cloud-scale deployments where licensing is a serious consideration. These allow serious crypto to be done - often without any licensing impact.
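The hardware argument above is easy to check on a single host rather than take on faith. The script below is an added example, not code from the article or from The Register: it reads the CPU's AES-NI flag and then runs `openssl speed` twice on AES-128-GCM, once normally and once with OpenSSL's documented `OPENSSL_ia32cap` mask applied so the library cannot see the AES-NI and PCLMULQDQ capability bits and falls back to its software code paths. It assumes a Linux x86 host with OpenSSL 1.1.0 or later (for `speed -seconds`); the function names and the `RUN_BENCH` switch are this example's own, and the ratio it prints is whatever your hardware gives, not the article's 25 per cent figure.

```shell
#!/bin/sh
# Added example (not from the article): measure what hardware crypto offload
# buys on one host using only openssl and /proc/cpuinfo.
# Assumptions: Linux on x86, OpenSSL >= 1.1.0, and OpenSSL's documented
# OPENSSL_ia32cap mask "~0x200000200000000", which hides the AES-NI (bit 57)
# and PCLMULQDQ (bit 33) capability bits from the library.

# Does the CPU advertise AES-NI? (Linux exposes it as the "aes" flag.)
cpu_has_aesni() {
    grep -q -w aes /proc/cpuinfo 2>/dev/null
}

# Read "openssl speed" output from stdin and print the throughput figure
# (kB/s, largest block-size column) for the named cipher.
parse_speed_kbps() {
    cipher=$1
    awk -v c="$cipher" '$1 == c { v = $NF; sub(/k$/, "", v); print v }'
}

# Run "openssl speed" for one cipher; mode "software" masks off AES-NI so
# OpenSSL uses its software implementation instead of the CPU instructions.
aes_throughput_kbps() {
    cipher=$1
    mode=$2
    if [ "$mode" = "software" ]; then
        OPENSSL_ia32cap="~0x200000200000000" \
            openssl speed -elapsed -seconds 1 -evp "$cipher" 2>/dev/null \
            | parse_speed_kbps "$cipher"
    else
        openssl speed -elapsed -seconds 1 -evp "$cipher" 2>/dev/null \
            | parse_speed_kbps "$cipher"
    fi
}

# Accelerated throughput as a rounded percentage of software-only throughput
# (400 means the hardware path moved four times as many bytes per second).
speedup_percent() {
    hw=$1
    sw=$2
    awk -v h="$hw" -v s="$sw" 'BEGIN { printf "%d", int((h / s) * 100 + 0.5) }'
}

# The benchmark takes several seconds, so it only runs when asked for.
if [ "${RUN_BENCH:-0}" = 1 ]; then
    if cpu_has_aesni; then
        echo "CPU advertises AES-NI"
    else
        echo "No AES-NI flag found in /proc/cpuinfo (or not Linux)"
    fi
    hw=$(aes_throughput_kbps aes-128-gcm hardware)
    sw=$(aes_throughput_kbps aes-128-gcm software)
    echo "aes-128-gcm, largest block size: accelerated ${hw} kB/s, software-only ${sw} kB/s"
    echo "accelerated path runs at $(speedup_percent "$hw" "$sw")% of the software-only path"
fi
```

Run it with `RUN_BENCH=1 sh crypto_offload_check.sh`. The same environment variable trick works for any program linked against OpenSSL, so it is a quick way to see how much of a service's CPU budget the crypto would claim on a box without the instructions, which is the number the licensing discussion above turns on.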

Except for dedicated communications channels between diligently maintained back-end systems, pervasive encryption is unquestionably worth it. Various flavours of encryption are one part of properly securing our own networks, and ensuring its widespread use boosts the security of our customers' networks as well as our own.

Nobody wants their credit card compromised the next time they go out to buy fish food. Especially if the entire incident could have been avoided by a little bit of encryption at any of several different points along the way. ®
