
Tackling Quantum Computing Attacks with Post-Quantum Cryptography and Confidential Computing

Image Credit: Amdocs

The Fast Mode spoke to Avishai Sharlin, Division President at Amdocs Technology, on new encryption technologies and their impact on today's networks. Avishai joins us in a series of discussions with leading vendors in the traffic management, service assurance, traffic monitoring, analytics, policy control and network security space, assessing various attributes of encryption: its benefits as well as the challenges it poses, specifically the loss of visibility that makes networking increasingly complex.

Tara: How important is encryption for today’s applications?

Avishai: In an era when data is the world’s most valuable and vulnerable currency, encryption has never been more important – particularly given the ever-evolving nature of the threats to application security. For example, it is feared that recent advancements in quantum computing can seriously risk the encryption standards we have today, and that in the next one to two years quantum computing will be powerful enough to break almost all existing security cryptography algorithms. Indeed, it has already been widely reported that hackers are purposefully stealing highly encrypted data that they cannot decrypt today and storing it, as they will be able to decrypt it in the next year and beyond using new quantum computing techniques. When you take a step back, that’s an alarming prospect for the industry and society at large. In fact, the risk of quantum computing is already here: a Chinese research group recently released a paper claiming that, if they had access to a Western quantum computer today (such as IBM Osprey), they have devised a method whereby they can brute-force attack and decrypt the widely used RSA 2048-bit encryption.

Application use creates output, which we store and call data. Applications also ingest existing data such as sensitive customer information (PII data) for processing and enabling services. Encryption is a key operational task we must execute to ensure that our application data will not be read by a third party via theft, leak, or a breach. The move to the public cloud, a shared infrastructure, further emphasizes the importance of guarding and protecting data. In public cloud environments, servers are shared between multiple customers and data is stored on storage systems that are also shared between many customers. Although dedicated infrastructure is possible in the public cloud it’s extremely expensive.

Hence, to protect data on the public cloud and even on-premise, encryption is a mandatory operation and process that must be executed for all data in transit (over the wire, via HTTPS application-wise) and at rest (when the data is stored to disk). This also relates to low-code applications: there is no exception here. The way we develop an app (low code) must not impact our ability to ensure the data the app generates is secure and encrypted. It’s important to remember that on public clouds there is a shared responsibility model – the public cloud provider provides the infrastructure and required services to run an app, but the application security and its data are not within its hands.

Tara: The evolution of encryption technologies – where are we headed?

Avishai: To fight off quantum computing brute-force attacks, new algorithms for encryption are required. Post-Quantum Cryptography (PQC), with new algorithms chosen by NIST, will replace existing encryption algorithms so data remains protected in the quantum computing era. This will have a serious impact industry-wide, as code change is required for this to happen at the application level (if the application uses crypto libraries and encrypts data on its own). For example, Java-based apps will require an updated OpenJDK and new crypto library/APIs to support these new algorithms, and the application must update its code base to use these new crypto APIs.

To enable encryption and secrets (passwords), encryption keys must be guarded and never stored in the open on servers or disks next to the application or where it is stored for execution. As public cloud adoption progresses, services and applications are protecting their keys in managed services such as key management systems in the public cloud. The application interacts with the system to fetch the encryption keys over the wire on a secure link for encryption operation. Key management systems can also be used to execute the encryption process, allowing the application developer to offload it.

Last, public clouds allow applications to utilize hardware security modules (HSMs) via APIs. These super-hardened encryption servers are similar to key management systems but also have the required computing power to encrypt data on behalf of the application. Applications interact with the module for all cryptographic operations, and the encryption keys never leave the HSM. A dedicated HSM provides the most secure way to encrypt and protect data in the cloud.

Confidential computing is an evolution of offerings we have in public clouds and on premise. New advanced processors and chipsets provide built-in memory encryption capabilities of the server memory where we host our applications. New processors from AMD and Intel allow encryption of the entire memory of a server or specific VMs used in shared infrastructure such as the public cloud or virtualization platforms, in real time without any performance degradation. This ensures that the application memory running in that VM is fully encrypted.

Confidential computing also provides new ways for applications to store sensitive data inside the secure enclave in modern CPUs. This is a highly secure and restricted area in the CPU, to which only the CPU can have access. An encryption key can be stored in the processor secure enclave and only the processor and the app can access it.

We are seeing a call from the industry for organizations to start adopting this technique to better protect their data. This means we will likely see the widespread adoption of new algorithms and ciphers to safeguard data in ways that cannot be broken by the quantum computing power we have today and in the future.
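The key-management pattern described in the answer above (the application never keeps long-term keys next to itself; it asks a managed service to wrap and unwrap per-record data keys, and the master key never leaves that service) is shown below as an added example. It is not code from the interview or from Amdocs, and the `KMS` type is a hypothetical in-process stand-in for a cloud key management service, not any provider's real API; a production deployment would make the wrap/unwrap calls over an authenticated TLS channel, and the HSM-backed variant keeps the same shape with the master key held in hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS is a hypothetical stand-in for a managed key management service. It holds
// the key-encryption key (KEK) and exposes only wrap/unwrap, so the application
// never handles the KEK itself.
type KMS struct{ kek []byte }

// NewKMS generates a fresh 256-bit KEK inside the "service".
func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KMS{kek: kek}, nil
}

// sealWith encrypts plaintext with AES-256-GCM under key; the random nonce is
// prepended to the ciphertext so openWith can recover it.
func sealWith(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWith reverses sealWith and fails on any tampering (GCM tag mismatch).
func openWith(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// WrapDEK and UnwrapDEK are the only operations the service exposes: a
// data-encryption key (DEK) goes in and comes back encrypted under the KEK.
func (k *KMS) WrapDEK(dek []byte) ([]byte, error)       { return sealWith(k.kek, dek) }
func (k *KMS) UnwrapDEK(wrapped []byte) ([]byte, error) { return openWith(k.kek, wrapped) }

// Envelope is what the application persists: ciphertext plus the wrapped DEK.
// Neither the plaintext DEK nor the KEK is ever written to disk.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a per-record DEK, encrypts the record locally, has the KMS
// wrap the DEK, and zeroes the plaintext DEK before returning.
func Encrypt(kms *KMS, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	defer func() {
		for i := range dek {
			dek[i] = 0
		}
	}()
	ct, err := sealWith(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := kms.WrapDEK(dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt asks the KMS to unwrap the DEK, then opens the record locally. A
// different KMS (different KEK) or a modified ciphertext fails here.
func Decrypt(kms *KMS, env Envelope) ([]byte, error) {
	dek, err := kms.UnwrapDEK(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("kms unwrap failed: %w", err)
	}
	return openWith(dek, env.Ciphertext)
}

func main() {
	kms, _ := NewKMS()
	env, _ := Encrypt(kms, []byte("constructed sample PII record")) // constructed input
	pt, err := Decrypt(kms, env)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
}
```

The point to take from the shape, rather than the ciphers, is the blast radius: a stolen `Envelope` is useless without a call to the service that holds the KEK, so key access can be logged, rate-limited and revoked centrally, which is what the managed KMS and HSM offerings in the answer above are selling. Swapping the symmetric primitives here for NIST PQC algorithms as they land in the libraries is a contained change because the application only ever touches the DEK.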

This interview is a part of The Fast Mode's Real-time Visibility for Encrypted Traffic segment, featuring 30+ leading IP networking solution providers and their views on the impact of encryption on traffic visibility. A research report on this topic will be published in February 2023 - for more information, visit here.

Author

Avishai Sharlin is Division President at Amdocs Technology, heading Amdocs’ digital, BSS, OSS and 5G products and technologies. During more than 20 years of leadership at software companies, Sharlin has launched a revolutionary executive video endpoint, started four spinoff companies and created a worldwide professional services organisation. He holds an executive MBA from Israel’s Technion Institute of Management.
