Data privacy has always been an important topic in the networking and IT worlds, but it has become increasingly important in recent times. (Who hasn’t heard of a person of interest named Snowden?) For a quick definition of data privacy, here is the one given directly by Wikipedia:
Information privacy, or data privacy (or data protection), is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.
Privacy concerns exist wherever personally identifiable information or other sensitive information is collected and stored – in digital form or otherwise.
Data privacy is clearly a huge topic, so this blog will focus only on the “dissemination” and “public expectation of privacy” pieces of the definition. Future blogs may focus on other aspects. Before I do that, however, I’d like to reference a recent report from Infonetics about the barriers to the successful deployment of cloud services. Based on the responses, the largest barrier is data security.
Source: Infonetics, Cloud Service Strategies, North American Enterprise Survey, January 2014
The Need for Encryption
Ensuring the privacy of data with encryption while it is being transported over public and private networks often carries with it some not-so-positive expectations. Some form of data encryption is required to protect this data as it is transported over these networks, particularly while it crosses a public network. Encryption is needed to protect the integrity and confidentiality of the data, to prevent man-in-the-middle exploits, and to comply with regulatory rules or other directives. The not-so-positive expectation, however, is that encrypting the transported data equates to performance penalties in the network. In other words, the performance implications of encrypting data at high speeds are negative, but this is often tolerated because “that’s just how it is”. This misconception is primarily due to the currently available products for providing this encryption.
Two examples of common network encryption technologies are IPsec (RFC 4301 & 4309) and MACSEC (IEEE 802.1AE).
So, with that as the background, the first insight I’d like to supply is that data privacy and network performance are not mutually exclusive. Not anymore, that is!
MACSEC is an open standard that operates at Layer-2 to meet the security requirements of protecting data as it is transported over Ethernet. It provides 128-bit MAC layer encryption and operates in a point-to-point model between network switches on the same segment. IPsec is an open standard that operates at Layer-3. This allows a great deal of flexibility in terms of deployment models, since it is not bound to a per-segment model. IPsec provides end-to-end encryption using a 256-bit IP layer encryption algorithm. Both of these encryption capabilities have historically resulted in performance impacts, with IPsec encryption resulting in a very high performance hit in the network, particularly if Suite-B (RFC 6379) of IPsec is enabled, as its advanced cryptographic algorithms require additional processing power.
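The integrity, confidentiality and tamper-resistance properties described above can be seen concretely in a small teaching model of the per-frame protection MACSEC applies on a segment. The Go program below is an added example written for this post; it is not Brocade code and not a conforming IEEE 802.1AE implementation. It assumes the GCM-AES-128 construction that MACsec standardises (a 96-bit nonce formed from an 8-byte Secure Channel Identifier and a 4-byte packet number, with the Ethernet header authenticated as associated data and the payload encrypted), and it uses a constructed key and constructed frames; the names SecureChannel, Protect, Verify and Demo are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Teaching model of MACsec-style frame protection (an assumption of this example,
// not a conforming IEEE 802.1AE implementation): GCM-AES-128 with a 96-bit nonce of
// 8-byte Secure Channel Identifier (SCI) || 4-byte packet number (PN). The Ethernet
// header and PN are authenticated as associated data; the payload is encrypted.
const ethHeaderLen, sciLen, pnLen = 14, 8, 4

// SecureChannel is one direction of a channel between two switches on a segment;
// the sender and the receiver each hold their own identically keyed copy.
type SecureChannel struct {
	aead     cipher.AEAD
	sci      [sciLen]byte
	nextPN   uint32 // sender: next PN to transmit (0 means the space is exhausted)
	lowestPN uint64 // receiver: lowest PN still acceptable (uint64 so it never wraps)
}

func NewSecureChannel(key []byte, sci [sciLen]byte) (*SecureChannel, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecureChannel{aead: aead, sci: sci, nextPN: 1, lowestPN: 1}, nil
}

// nonce is SCI || PN; a PN is never reused under one key, so no GCM nonce repeats.
func (sc *SecureChannel) nonce(pn uint32) []byte {
	n := make([]byte, sciLen+pnLen)
	copy(n, sc.sci[:])
	binary.BigEndian.PutUint32(n[sciLen:], pn)
	return n
}

// Protect returns header || PN || ciphertext || 16-byte GCM tag.
func (sc *SecureChannel) Protect(header, payload []byte) ([]byte, error) {
	if len(header) != ethHeaderLen {
		return nil, errors.New("header must be 14 bytes")
	}
	if sc.nextPN == 0 { // PN wrapped: MACsec demands a fresh key before any PN repeats
		return nil, errors.New("packet number space exhausted; rekey required")
	}
	pn := sc.nextPN
	sc.nextPN++
	aad := make([]byte, ethHeaderLen+pnLen)
	copy(aad, header)
	binary.BigEndian.PutUint32(aad[ethHeaderLen:], pn)
	return append(aad, sc.aead.Seal(nil, sc.nonce(pn), payload, aad)...), nil
}

// Verify authenticates header and PN, decrypts the payload, and rejects any PN
// not greater than the last accepted one (a zero-width replay window).
func (sc *SecureChannel) Verify(frame []byte) (header, payload []byte, err error) {
	tagStart := ethHeaderLen + pnLen
	if len(frame) < tagStart+sc.aead.Overhead() {
		return nil, nil, errors.New("frame too short")
	}
	pn := binary.BigEndian.Uint32(frame[ethHeaderLen:tagStart])
	if uint64(pn) < sc.lowestPN {
		return nil, nil, fmt.Errorf("replay: packet number %d already seen", pn)
	}
	payload, err = sc.aead.Open(nil, sc.nonce(pn), frame[tagStart:], frame[:tagStart])
	if err != nil {
		return nil, nil, fmt.Errorf("integrity check failed: %w", err)
	}
	sc.lowestPN = uint64(pn) + 1 // advance the floor only after the tag verified
	return frame[:ethHeaderLen], payload, nil
}

// Demo sends one frame, then presents a tampered copy and an exact replay.
// All inputs are constructed sample data; a deployment derives the key through
// MKA (IEEE 802.1X) instead of hard-coding it.
func Demo() (cleanAccepted, tamperAccepted, replayAccepted bool, err error) {
	key := bytes.Repeat([]byte{0x2b}, 16)
	sci := [sciLen]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x01}
	tx, err := NewSecureChannel(key, sci)
	if err != nil {
		return
	}
	rx, _ := NewSecureChannel(key, sci) // same key and SCI as tx, so it cannot fail here
	header := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x66, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x08, 0x00}
	payload := []byte("constructed sample payload crossing the segment")
	frame, err := tx.Protect(header, payload)
	if err != nil {
		return
	}
	_, got, verr := rx.Verify(frame)
	cleanAccepted = verr == nil && bytes.Equal(got, payload)
	tampered := append([]byte(nil), frame...)
	tampered[0] ^= 0x01 // flip a bit in the destination MAC, outside the ciphertext
	_, _, verr = rx.Verify(tampered)
	tamperAccepted = verr == nil
	_, _, verr = rx.Verify(frame) // the genuine frame presented a second time
	replayAccepted = verr == nil
	return
}

func main() {
	clean, tamper, replay, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v tampered accepted=%v replay accepted=%v\n", clean, tamper, replay)
}
```

Run it with `go run`: the genuine frame decrypts, the copy with a single flipped header bit fails the tag check even though the ciphertext is untouched, and the replay is rejected because the receiver only moves its packet-number floor after a successful tag check. That ordering is the point to check in any implementation: a forged frame carrying a high packet number must not be able to advance the replay floor. The sender likewise refuses to issue a packet number twice under one key, which is why MACsec rekeys before the 32-bit space runs out. Real MACsec permits a configurable replay window for out-of-order delivery; this model uses strict ordering.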
Brocade has been providing high performance, hardware-based encryption in our SAN products for many years. We will soon be providing high performance, hardware-based MACSEC and IPsec encryption for IP products. These capabilities will not incur the same performance impacts as the currently deployed products that are available from other companies. To properly protect the privacy of transported data, encryption will soon become a “must have” capability in all networks, and this capability must not impose a performance impact. Even if your current compliance policies do not require data encryption in your network today, the users of your network fully expect their data to be properly protected. Data privacy will become table stakes in the very near future for networks of every kind.
The second insight that I’d like to provide is that the deployment models for these encryption technologies are also not mutually exclusive.
A network could have MACSEC enabled on Ethernet segments, and the same network could also have IPsec enabled for end-to-end encryption, resulting in a multi-tiered, comprehensive security architecture. When a network operator can enable these encryption technologies without a performance impact, the deployment options become very flexible.
Common deployment use cases for MACSEC are campus and metro networks. Common deployment use cases for IPsec are Inter-DC transport, large campus networks, and IPsec appliance offload. As an example, MACSEC could be used inside the campus network up to the border router, and IPsec could be used between the campus networks (i.e. Inter-Campus). The Inter-DC network is also a logical starting place for enabling encryption in your network. The Inter-DC high-speed links carry all sorts of user traffic, and a bulk encryption capability that does not suffer any performance impact will be needed to ensure the data privacy of this traffic. A hardware-based IPsec capability that performs at 10GbE is the perfect solution for this at the border of the data center. The ideal architecture for providing this high speed encryption is “inline”, that is, in the normal data path of the network. Having to redirect or loop the data through an offline encryption module is not an ideal architecture, as evidenced by the negative performance impacts of providing encryption in this manner.
Well, I hope you found that this short blog helped explain a bit about the need for MACSEC and IPsec. Stay tuned to this community for exciting product announcements from Brocade around the area of data privacy!