
Monday, May 1st, 2017


Preserving the chain of trust in end-to-end encryption

Significantly more companies are embracing an enterprise-wide encryption strategy – an increase from 15% in 2005 to 37% this year, according to Ponemon Institute. Strikingly, the research firm also reported that 59% of enterprises entrust their encryption keys solely to, or share them with, cloud providers whose competencies are largely untested.

The call to build a web of trust for digital transactions to take place came to the fore in Singapore earlier this year. The island republic has ambitious plans to build the best digital infrastructure in the world, and Dr Vivian Balakrishnan, the country’s Minister for Foreign Affairs and Minister-In-Charge of the Smart Nation Initiative, inevitably highlighted the key challenge of security. “I believe we need some form of public key infrastructure linked to our SingPass [government e-services account management system] identities to give non-repudiation, security and end-to-end encryption.”

The call is timely for enterprises not only in Singapore but also around the world because market trends like mobility, streaming media, the Internet of Things (IoT) and cloud computing are shifting the application and IT landscape to fulfil enterprises’ need for agility and faster deployment. Along with the growth in applications and traffic, everything connected via the internet is posing security risks of data breaches and the theft of critical business and personal data.

In response, enterprises are encrypting all data in transit. Secure Sockets Layer (SSL) traffic has more than doubled in the past year – from 29% to 64% of all traffic – even as new application architectures and agile development models, including microservices and DevOps, emerge.

However, new sophisticated threats are putting the SSL chain of trust – which relies on the trustworthiness of everyone who issues or controls the certificates, from the root Certificate Authority (CA) down to the end-entity website's certificate – to the test. Although an OS or app can maintain a list of trusted root certificates against which intermediate certificates are validated, attackers have been able to install malicious root certificates on an endpoint or exploit a vulnerability to hijack a CA.

Tougher keys

The harsh new reality is that as attacks on SSL/TLS continue to advance, longer keys are necessary to stay ahead of attackers. These keys require more computing capability – a performance problem compounded by the need to manage growing internet use and the proportion of secure encrypted connections.

The ability to intercept SSL traffic to decrypt and inspect it – both on the way in (request) and on the way out (response) – is an important component in preventing breaches and infections. But encryption and decryption aren’t cheap in terms of scale-out infrastructure capacity. To support HTTPS secure communications, organizations also have to consider back-end certificate and key management, distribution and upgrades, as well as configuration changes on web servers and API gateways that previously did not support HTTPS. Operational changes include watching for certificate expirations and renewing certificates in time.

Already, countless private keys have been compromised through human error or software failures such as the Heartbleed bug, allowing traffic encrypted with any of those keys to be read by anyone holding them. This concern alone is driving organizations toward a concept known as Perfect Forward Secrecy (PFS), which safeguards transactions by preventing recorded traffic from being decrypted later with an exposed private key. The move to PFS has spurred sites to support and prefer Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) cipher suites, which provide PFS and engender a greater degree of trust.
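The following is an added example, not code from the article or from F5: a small audit, using only the Python standard library `ssl` module, that separates cipher suites with forward secrecy (ephemeral ECDHE/DHE key exchange) from those that use static RSA key exchange, and builds a server-side TLS context restricted to ECDHE suites. The `SAMPLE_LEGACY_CIPHERS` list is constructed sample data shaped like the dictionaries `SSLContext.get_ciphers()` returns; the cipher string `ECDHE+AESGCM:ECDHE+CHACHA20` is an assumed hardening choice, not a configuration the article prescribes.

```python
"""
Added example (not from the article): audit a TLS cipher configuration for
forward secrecy using only the Python standard library `ssl` module.

A cipher suite gives forward secrecy when its key exchange is ephemeral
(ECDHE or DHE): session keys are never derived from the server's long-term
private key, so a later key compromise does not expose recorded traffic.
Static RSA key exchange ("kx-rsa") lacks this property.
"""
import ssl

# Key-exchange labels reported by SSLContext.get_ciphers() that provide
# forward secrecy. 'kx-any' is what OpenSSL reports for TLS 1.3 suites,
# whose key exchange is always ephemeral (EC)DHE.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}


def classify_ciphers(ciphers):
    """Split cipher descriptions (dicts as returned by
    SSLContext.get_ciphers()) into those with and without forward secrecy.
    Returns (pfs_names, non_pfs_names), preserving the input order."""
    pfs, non_pfs = [], []
    for c in ciphers:
        (pfs if c["kea"] in FORWARD_SECRET_KEA else non_pfs).append(c["name"])
    return pfs, non_pfs


def pfs_only_context(cipher_string="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Build a server-side SSLContext restricted to ECDHE suites and verify,
    from the context itself, that no static-RSA key exchange survived.
    The default cipher string is an assumed hardening choice."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    _, non_pfs = classify_ciphers(ctx.get_ciphers())
    if non_pfs:
        raise ValueError(f"configuration still allows non-PFS suites: {non_pfs}")
    return ctx


# Constructed sample (a subset of the fields get_ciphers() returns), shaped
# like a legacy configuration that mixes ECDHE suites with static RSA.
SAMPLE_LEGACY_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "kea": "kx-ecdhe", "auth": "auth-rsa"},
    {"name": "AES256-GCM-SHA384",           "kea": "kx-rsa",   "auth": "auth-rsa"},
    {"name": "DHE-RSA-AES128-GCM-SHA256",   "kea": "kx-dhe",   "auth": "auth-rsa"},
    {"name": "AES128-SHA",                  "kea": "kx-rsa",   "auth": "auth-rsa"},
    {"name": "TLS_AES_128_GCM_SHA256",      "kea": "kx-any",   "auth": "auth-any"},
]

if __name__ == "__main__":
    pfs, non_pfs = classify_ciphers(SAMPLE_LEGACY_CIPHERS)
    print("forward secret    :", pfs)
    print("NOT forward secret:", non_pfs)
    ctx = pfs_only_context()
    print("hardened context offers", len(ctx.get_ciphers()), "suites, all with PFS")
```

Run against a live configuration, `classify_ciphers(ctx.get_ciphers())` on the context a server actually uses is the check to automate: any name in the second list means a compromise of the server's long-term key would retroactively expose traffic recorded under that suite. Note that the "auth" field is separate from key exchange: an ECDHE-RSA suite still authenticates with the RSA certificate key, but that key no longer encrypts anything, which is exactly what PFS requires.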

Offloading these tasks to a next-generation, cloud-ready application delivery controller (ADC) platform makes sense from a hardware and cost-effectiveness perspective – especially when the security appliance’s CPU is required to process complex core tasks, such as web application firewall services. With this approach, decrypted data from the ADC can be mirrored to appropriate security solutions for further inspection.

Dedicated power

That’s why F5 has integrated the latest cryptographic acceleration hardware into the BIG-IP iSeries appliances to offer hardware offload of ECDHE across all platforms and provide hardware acceleration for ECDHE and existing ciphers, even in high-load TLS environments. The key is the way BIG-IP iSeries handles ECC ciphers. Along with faster performance, the iSeries employs dedicated hardware offload of ECDHE rather than software on a general purpose CPU to deliver more predictable performance.

This two-tier architecture, where certs and keys are deployed, managed, and monitored at one central location, also simplifies certificate management, reduces compliance costs and preserves investment in existing infrastructure.

F5’s BIG-IP platform protects key storage, utilizing a tamper-evident hardware security module (HSM) and other physical security. The HSM secures cryptographic operations and protects critical cryptographic keys, segregating administrative and security domains, and enforcing policies over key usage.

The BIG-IP 10350v-F is F5’s first platform that supports Federal Information Processing Standards (FIPS) 140-2 Level 3. A Level 3 HSM adds tamper resistance to the tamper-evident measures required at Level 2, together with detection of and response to physical access attempts, and to misuse of or tampering with the cryptographic module.

Since many government entities and secure businesses require higher scales of end-to-end encrypted protection that can only be met with a FIPS 140-2 Level 3 HSM, the F5 BIG-IP truly ensures that security doesn’t have to come at the expense of performance.

This is a QuestexAsia feature commissioned by F5 Networks Asia Pacific.