Thales Blog

The 4 Cs of Data in Motion Security

September 24, 2020

Joe Warren | Global Business Development More About This Author >

Control, Compliance, Consistency, and Conveyance

For more than 20 years, data in motion security solutions have been handcuffed to the network transport layer. Minimal compliance, negligible consistency, constrained conveyance, and lack of control over key lifecycle management are all negative artifacts of this protocol dependency. The result is a patchwork of layer-specific security solutions, many of which are implemented based on convenience rather than security best practices. The abstraction of protocol dependencies from network security clears a path for implementing a truly secure data in motion security strategy, paving the way for complete control, compliance, consistency, and conveyance.

Control – The advent of cloud storage and capacity on demand brought with them the need to secure data assets stored and used within the confines of external service provider environments. Rather than trust that third-party providers properly secure your data, solutions like Bring Your Own Encryption (BYOE) evolved to enable customers to control their own security. The reason BYOE is so popular is simple: encrypting data is important but control and ownership of key material reigns supreme. Complete chain of custody for key material is essential to taking control of the security of your data – whether it exists on premise, off premise, or in-between premises.

With control over the keys to your kingdom, ownership of the security is guaranteed and protections against prying eyes are implemented. While organizations are keen to control the key material for their data at rest, these same organizations often relinquish control of their data in motion key material to outsourced certificate suppliers and virtualized network segmentation solutions. A question one should ask: If organizations value control over the key material for data at rest, shouldn’t they also want control of key material for the networks in which that very same data traverses?

Compliance – Meeting minimal security standards is table stakes for any security solution. Standard encryption techniques are easily implemented and can be found in a multitude of products and services, but meeting a minimum standard is merely a guideline for security. Hardly ever covered in these recommendations are the methods in which key material is distributed and stored, how many points of compromise are there, how network performance is affected, and who has access to the security controls. Meeting a standard is fairly straightforward, but the difference between meeting a standard and implementing a well thought out security solution can be immense. The questions one should ask: The solution meets standard “xyz”, but how are the keys handled? What is the impact on my network performance?; Is the solution software upgradeable to future standards like quantum resistance?; How much commitment to security does this vendor actually have?

Consistency – Organizations often treat key management for data at rest differently from securing data in motion. This is partly because data in motion security is tightly coupled to the method of transport. If you have a Layer 3 (IP) connection, you are likely to use VPN or IPsec. If you have a Layer 2 connection, you can use Media Access Control security (MACsec), Multiprotocol Layer Security (MPLS) and other proprietary solutions. Layer 4 introduces yet additional security vendors and methods. The result is a patchwork of security solutions implemented by a variety of vendors, each operated and managed independently of each other, and all relying on second- and third-party providers to supply certificates and key material. For data in use and data at rest, solutions for security provide consistency, regardless of the transport layer. A question one should ask: Why do organizations select different data in motion security solutions based on network topology rather than a consistent security solution regardless of the transport layer?

Conveyance – Today, we request data from the edge and magically the results appear. Hidden from view are the multiple variations of topologies and carriers that are required to ensure successful end-to-end transport of the data, especially across international borders. When data crosses multiple carriers for redundancy or international long-haul connectivity, security responsibilities can change hands or worse yet, data in motion security can cease completely. Because of the lack of interoperability and inconsistency in security implementations, the movement of data between public clouds, hybrid clouds, data centers and other providers is either impossible or extremely difficult. The transport layer often dominates any data in motion security discussion. The result is that security becomes an afterthought, based solely on the connection type. More times than not, transport layer, rather than security, often drives security discussions. The questions one should ask: If the data is secure when it leaves Point A, will it be protected all the way to Point B? Can anyone eavesdrop or manipulate the data “anywhere’ within the network path? Am I doing all I can to protect the network path or am I merely settling for the convenience of a 20+ year old security solution?

The answer to the questions posed here are simple. Security professionals care about control, compliance, consistency and conveyance. However, until now, a single, elegant, data-in-motion security solution has not existed. By separating security controls from the transport layer, the Thales High Speed Encryptor (HSE) has completely shifted the paradigms associated with old data in motion security methods. IPsec is more than 20 years old and adds an average of 30- 50% overhead to the network. Would you want to use a 20-year-old laptop today? MACsec improves on the overhead problem for Layer 2 but requires every switch on the LAN to encrypt and decrypt, creating many vulnerable points of failure for your key material. MACsec provides WAN solutions but they are proprietary, creating interoperability issues between network vendors and carriers. Both IPsec and MACsec are patchwork solutions stuck within the confines of their respective topologies, and neither solution gives control over what reigns supreme to security…the key material.

Addressing the 4Cs

Thales has solved the constraints associated with IPsec and MACsec by abstracting security controls from the transport layer. Using Transport Independent Mode (TIM), Thales HSEs accommodate “The 4Cs of Data in Motion Security” by delivering a reliable security solution with little to no impact on your existing network architecture, regardless of the transport medium.

Let us show you how Thales HSEs bring control, compliance, consistency and conveyance to your data in motion security over any topology, including Software Defined Networks (SDN).