Scalable network encryption for the cloud
Certes Networks announced the vCEP (virtual Certes Enforcement Point), a scalable network encryption solution for the cloud.
This virtual appliance allows organizations to protect network traffic among virtual servers and between clouds without using tunnels. It encrypts network traffic from Infrastructure as a Service (IaaS) cloud infrastructures to data centers across the WAN, and from server to server within the cloud.
Existing solutions typically use tunnel technologies such as IPsec or SSL/TLS to protect network traffic up to the edge of the cloud network, but traffic among servers inside the cloud network often remains unprotected. Tunnel-based solutions have limited applicability within cloud networks because each tunnel is a point-to-point security association that must be negotiated, keyed and maintained separately, which creates scalability, management and performance problems as the server population grows.
vCEP is suited to network encryption in virtualized and cloud environments because of its scalability, its management model and its ability to let the cloud tenant control policies and keys centrally. Group encryption eliminates the need to negotiate keys on a point-to-point basis: a full mesh of n endpoints would require n(n-1)/2 pairwise security associations, which becomes intractable as n grows, whereas a group needs one key distributed to n members.
“Our group encryption and policy and key management technologies, that enable this exciting breakthrough in cloud security, have been proven in over ten years of deployments in Wide Area Network encryption for government agencies, financial organizations, and global enterprises,” said Thomas Gill, CEO of Certes Networks. “Certes Networks has leveraged these proven technologies to provide a solution that makes the cloud safe for sensitive workloads. Our customers have identified security as an enabling technology for adoption of cloud-based infrastructures and we are proud to be able to provide a solution that can both protect data and enable overall reductions in IT costs.”
The vCEP solution focuses on four key areas:
Scalable group encryption: With TrustNet group encryption, keys are centrally generated and securely distributed to all of the authorized group members (as defined in Certes TrustNet Manager). Each group member can communicate securely with the other members without the performance and maintenance overhead of tunnels. Unlike tunnel-based solutions, group encryption is designed to scale to protect thousands or even tens of thousands of servers. Scalability is an essential consideration when designing cloud security solutions today, as many analysts expect twenty to fifty percent annual growth in the number of servers deployed in IaaS clouds in the coming years.
Encryption without unprotected gaps: As a virtual appliance that runs on the same physical host as the virtual servers it protects, the vCEP encrypts sensitive traffic before it leaves that host, so the traffic crosses the cloud provider’s network without any segment where the data is unprotected.
Secure isolation from other cloud tenants: As part of the Certes TrustNet solution, the vCEP authenticates every protected packet to provide continuous data integrity. The combination of authentication and encryption provides cryptographic isolation among cloud tenants. Cloud providers today typically offer only logical separation (network segmentation and hypervisor controls) that can break down through misconfiguration, unauthorized wiretaps or man-in-the-middle attacks and allow one tenant to attack another. Data that is encrypted and authenticated under keys managed by the cloud customer cannot be read or silently modified by a party that does not hold those keys, so these attacks yield nothing useful even if the logical separation fails.
Client control of encryption keys: An important benefit of the vCEP is that the client retains control of its own policies and encryption keys. This is essential for regulatory compliance, and it protects both the data owner and the infrastructure provider. The vCEP supports the safe-harbor provisions of most data privacy regulations by using Certes TrustNet standards-based encryption, which has been deployed across finance, healthcare, government, retail and utilities to meet data privacy requirements. Client control of policies and keys also benefits the cloud provider: because the provider never possesses the tenant’s keys, it cannot decrypt the tenant’s data and avoids the legal burden that comes with holding them.
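The following is an added illustration of the group-key model described under “Scalable group encryption” and of the cryptographic tenant isolation described under “Secure isolation from other cloud tenants”. It is not Certes code and does not reflect the TrustNet wire format. The names TenantKeyManager and Member are assumptions for the demonstration, each member’s enrollment key is assumed to be provisioned out of band when the appliance is deployed, and the HMAC-SHA256-based stream cipher stands in for the AES-based encryption a real appliance would use. It also shows the pairwise-versus-group key count for an arbitrary number of servers, not only the figures quoted in the text.

```python
"""Group-key distribution versus pairwise tunnels, tenant-controlled keys.

Added example, not vendor code. TenantKeyManager, Member and the HMAC-based
stream cipher are illustrative assumptions; use AES-GCM or IPsec in practice.
"""
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as a PRF over length-prefixed parts (no ambiguity on concat)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC(key, nonce || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, b"stream", nonce, i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class TenantKeyManager:
    """Tenant-operated key authority: generates the group key, wraps it per member."""

    def __init__(self) -> None:
        self.member_keys: dict = {}   # member_id -> enrollment key (pre-shared)
        self.epoch = 0

    def enroll(self, member_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.member_keys[member_id] = key
        return key

    def rekey(self) -> dict:
        """New group key, wrapped once per member: n wraps, not n(n-1)/2 SAs."""
        self.epoch += 1
        ep = self.epoch.to_bytes(4, "big")
        group_key = secrets.token_bytes(32)
        wrapped = {}
        for mid, mkey in self.member_keys.items():
            ct = keystream_xor(mkey, b"wrap" + ep, group_key)
            wrapped[mid] = (self.epoch, ct, prf(mkey, b"wraptag", ep, ct))
        return wrapped


class Member:
    """One enforcement point; holds only its own tenant's current group key."""

    def __init__(self, member_id: str, enrollment_key: bytes) -> None:
        self.id = member_id
        self.ekey = enrollment_key
        self.group_key = b""

    def install(self, epoch: int, ct: bytes, tag: bytes) -> None:
        ep = epoch.to_bytes(4, "big")
        if not hmac.compare_digest(tag, prf(self.ekey, b"wraptag", ep, ct)):
            raise ValueError("key wrap failed authentication")
        self.group_key = keystream_xor(self.ekey, b"wrap" + ep, ct)

    def protect(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC under keys derived from the group key."""
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(prf(self.group_key, b"enc"), nonce, plaintext)
        return nonce + ct + prf(prf(self.group_key, b"mac"), nonce, ct)

    def unprotect(self, msg: bytes):
        """Plaintext, or None when the MAC fails (other tenant's key, or tampering)."""
        nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
        if not hmac.compare_digest(tag, prf(prf(self.group_key, b"mac"), nonce, ct)):
            return None
        return keystream_xor(prf(self.group_key, b"enc"), nonce, ct)


def pairwise_sa_count(n: int) -> int:
    """Tunnel model: one security association per unordered pair of servers."""
    return n * (n - 1) // 2


def group_key_count(n: int) -> int:
    """Group model: one wrapped copy of the group key per server."""
    return n


def demo() -> dict:
    """Two tenants with separate key managers; tenant B cannot read tenant A."""
    km_a, km_b = TenantKeyManager(), TenantKeyManager()
    tenant_a = {m: Member(m, km_a.enroll(m)) for m in ("a-web", "a-db")}
    tenant_b = {m: Member(m, km_b.enroll(m)) for m in ("b-web",)}
    for members, km in ((tenant_a, km_a), (tenant_b, km_b)):
        for mid, (ep, ct, tag) in km.rekey().items():
            members[mid].install(ep, ct, tag)
    msg = tenant_a["a-web"].protect(b"SELECT * FROM cardholder")  # constructed payload
    tampered = msg[:-1] + bytes([msg[-1] ^ 1])
    return {
        "peer_reads": tenant_a["a-db"].unprotect(msg),
        "other_tenant_reads": tenant_b["b-web"].unprotect(msg),
        "tampered_reads": tenant_a["a-db"].unprotect(tampered),
    }


if __name__ == "__main__":
    print(demo(), pairwise_sa_count(1000), group_key_count(1000))
```

Rekeying the whole group costs one wrap per member, so adding a server means one enrollment and one wrap rather than a new tunnel to every existing peer. The key manager is run by the tenant, so the provider holds neither enrollment keys nor the group key, which is the “client control of encryption keys” point above.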