Why Performance Is Important to Cloud Security and a Lower Encryption Tax Rate

James LaPalme
Encryption is the foundation of an effective cybersecurity strategy for public cloud deployments

Although not as acute as it was over the past decade, the security of data in the cloud remains a top concern for enterprises deploying into cloud environments, especially public ones. As native and third-party security solutions emerge to resolve most of those concerns, another variable in cloud security needs to be weighed: performance.

Of course, the first requirement of any security solution is just that: security. But other variables must be weighed when deciding which tools to use, among them integration, performance, usability, and compatibility. This article discusses the performance metrics and concerns that belong in that acquisition decision.

For security to be effective, it must be practical. Many will remember the cumbersome certificate handling of early X.509-based secure messaging, or the lag and extra steps of RSA SecurID tokens. Cloud technology is purpose-built for fast, flexible, and efficient operations, so the solutions used to secure the cloud must be quick, seamless, and user-friendly enough to match or exceed the performance of the services they protect. There are many categories of cloud security solution, including security information and event management (SIEM), advanced threat protection (ATP), and identity and access management (IAM), but here we focus on encryption and key management.

Encryption is the foundation of an effective cybersecurity strategy, especially for public cloud deployments. Most users view encryption as a binary function, on (encrypting) or off (not encrypting), but it needs to be examined under a very detailed performance light. Converting data from plaintext to ciphertext costs time and resources (CPU cycles and memory), a cost I often refer to as an "encryption tax", and you should make sure your tax rate is as low as possible.

Here are some factors to consider in lowering your tax rate:

  • Simplicity and Unity of Management Platform
    • Enterprises need a common security management platform across all virtualized and cloud infrastructure as a service (IaaS), both public and private.
    • Seek a unified, policy-based management platform that covers all your workloads, from AWS or Azure to VMware and OpenStack.
  • Speed of Encryption Conversion
    • Full Disk Encryption (FDE)
      • Weigh the security risks against the performance parameters to determine whether FDE is required: converting every block of a disk is the slowest option.
      • DevOps workloads often run for only an hour or two, so encryption is still mandatory but the window of exposure is short, which argues for the fastest conversion option that meets policy.
    • Partial Disk Encryption ("quick crypt")
      • Partial disk encryption converts only the blocks that currently hold data rather than every block on the disk, so conversion time scales with the data present instead of the disk size.
      • Exposure is nominal, but note what remains in the clear: unallocated blocks are not touched, so any stale data still sitting in a freed block stays readable. For short-lived, high-performance workloads this is a viable trade-off.
  • Replication/Clone/Snapshot
    • Replicating or backing up a cloud workload often requires decrypting the data and re-encrypting it into the new instance. This is time-consuming and can take an hour or more.
    • Seek solutions with key management robust enough to replicate the encrypted entity directly as a new workload, without re-encrypting its data. Done this way, encryption adds no time to standing up new workloads.
  • Workload Portability
    • Every cloud platform is different and offers its own native encryption, which ties an encrypted workload to that platform.
    • As stated by Gartner, 82% of enterprises will have some form of hybrid cloud deployment, and the average enterprise will have six cloud services in use.
    • Seek solutions that are external to the cloud service provider and can move encrypted workloads seamlessly between clouds.
  • In-Guest Encryption
    • In-guest versus hypervisor-level encryption is a choice to research and weigh carefully.
    • In-guest encryption runs inside the workload itself, so it behaves identically on any hypervisor or cloud platform and can offer the highest performance with the lowest overhead, which simplifies deploying and managing encrypted workloads across platforms. Because the work runs on the guest's own vCPUs, confirm that the instance type exposes AES-NI to the guest before committing to it.
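The two conversion choices above, converting only the allocated blocks of a disk and cloning a workload without re-encrypting its data, are easiest to reason about with a small model. The Go program below is an added example written for this article; it is not code from the author or from any product mentioned here. It assumes a constructed in-memory volume of 4 KiB blocks with an allocation bitmap, uses AES-256-GCM as a stand-in for the length-preserving AES-XTS that real full-disk encryption uses, and models key management as envelope encryption: each volume has its own data-encryption key (DEK) that is stored only wrapped under a key-encryption key (KEK) held by the key manager. The type and function names (EncryptedVolume, ConvertVolume, CloneVolume, ReadBlock) and the sample keys are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// EncryptedVolume: per-block ciphertext, a per-block "was converted" flag, and the data-encryption
// key (DEK) wrapped under a key-encryption key (KEK) that stays in the key manager, not on the disk.
type EncryptedVolume struct {
	Blocks     [][]byte
	Encrypted  []bool
	WrappedDEK []byte
}

// mustGCM builds an AES-GCM AEAD; a bad key length is a programming error here (all keys are 32 bytes).
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal encrypts with AES-256-GCM and prefixes a fresh random nonce. GCM keeps the example short;
// real FDE uses a length-preserving mode such as AES-XTS, but every byte must still be touched.
func seal(aead cipher.AEAD, plain []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot return an error since Go 1.24
	return aead.Seal(nonce, nonce, plain, nil)
}

// open reverses seal; a wrong key or tampered ciphertext fails authentication.
func open(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	if ns := aead.NonceSize(); len(sealed) >= ns {
		return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// ConvertVolume encrypts blocks under a fresh DEK, wraps the DEK under kek, and returns the number
// of bytes encrypted (the part of the "tax" that scales with disk size). With usedOnly set (the
// "quick crypt" option) only blocks the allocation bitmap marks in use are converted.
func ConvertVolume(blocks [][]byte, used []bool, kek []byte, usedOnly bool) (*EncryptedVolume, int) {
	dek := make([]byte, 32)
	rand.Read(dek)
	data, n, encrypted := mustGCM(dek), len(blocks), 0
	ev := &EncryptedVolume{Blocks: make([][]byte, n), Encrypted: make([]bool, n), WrappedDEK: seal(mustGCM(kek), dek)}
	for i, b := range blocks {
		if usedOnly && !used[i] {
			ev.Blocks[i] = b // skipped: fast, but stale data in a freed block stays readable
			continue
		}
		ev.Blocks[i], ev.Encrypted[i] = seal(data, b), true
		encrypted += len(b)
	}
	return ev, encrypted
}

// CloneVolume gives a new workload its own copy without decrypting and re-encrypting the data:
// the ciphertext is taken as-is (like a snapshot) and only the 32-byte DEK is unwrapped under
// oldKEK and rewrapped under newKEK, so the clone is tied to the new workload's key.
func CloneVolume(ev *EncryptedVolume, oldKEK, newKEK []byte) (*EncryptedVolume, error) {
	dek, err := open(mustGCM(oldKEK), ev.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	c := &EncryptedVolume{Blocks: append([][]byte(nil), ev.Blocks...), Encrypted: append([]bool(nil), ev.Encrypted...), WrappedDEK: seal(mustGCM(newKEK), dek)}
	return c, nil
}

// ReadBlock returns the plaintext of block i after unwrapping the DEK with kek.
func ReadBlock(ev *EncryptedVolume, kek []byte, i int) ([]byte, error) {
	if !ev.Encrypted[i] {
		return ev.Blocks[i], nil
	}
	dek, err := open(mustGCM(kek), ev.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(mustGCM(dek), ev.Blocks[i])
}

func main() {
	kek := []byte("constructed-32-byte-kek-number-1") // sample keys; real KEKs come from the key manager
	newKEK := []byte("constructed-32-byte-kek-number-2")
	blocks, used := make([][]byte, 2048), make([]bool, 2048) // constructed 8 MiB disk, 25% allocated
	for i := range blocks {
		blocks[i], used[i] = make([]byte, 4096), i%4 == 0
	}
	for _, usedOnly := range []bool{false, true} {
		start := time.Now()
		_, n := ConvertVolume(blocks, used, kek, usedOnly)
		fmt.Printf("usedOnly=%-5v %8d bytes encrypted in %v\n", usedOnly, n, time.Since(start))
	}
	full, _ := ConvertVolume(blocks, used, kek, false)
	_, err := CloneVolume(full, kek, newKEK) // no block is decrypted or re-encrypted here
	fmt.Println("clone by rewrap ok:", err == nil)
}
```

On the 25%-allocated sample disk the quick-crypt run encrypts a quarter of the bytes of the full run, and the elapsed times printed by main scale the same way. CloneVolume shows the zero-re-encryption replication the Replication/Clone/Snapshot bullet asks for: the clone reads only with the new KEK, the old KEK no longer unwraps its DEK, and no data block is touched. The trade-off of the partial-disk option is visible in the skipped branch of ConvertVolume: an unallocated block passes through untouched, so anything still sitting in a freed block remains readable, which is the exposure the partial-disk bullet accepts as nominal.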