We have all seen the return to centralized computing evolve over the past dozen years from an interesting concept, to reality, to a massive and widespread investment in pursuit of mainstream cloud computing solutions. And most believe that the world will continue to move in this direction for many years and perhaps decades. But as entrepreneurs and innovators in the information security industry, we also know that for cloud computing solutions to become viable for mainstream business applications, security and security innovation are key.
And the requirements for protecting information continue to be redefined with the advent of virtual computing and the integration of storage, continuous backup, and network services. The challenge for most if not all companies is for data to be confidential, secure, and recoverable in case of loss, end-to-end. And in today’s heterogeneous computing environments, even as these environments evolve into integrated infrastructure “stacks,” it is difficult if not completely impossible to achieve end-to-end information assurances from front-office/consumer, desktop, and mobile devices; through networks and middleware; through the applications and databases; and on into the core virtual infrastructure of storage, CPUs, and management systems, without multiple piece-parts and a mountain of technical and operational complexity.
Plus, in today’s broadly regulated business environment, information assurance requirements are increasingly influenced by the confusion that lies in the twisted contention that privacy is not security – and security is not privacy! Compliance across regulations is at the top of security officers' minds because it’s irrational to stovepipe the effort (e.g., Reg P, HIPAA HITECH, EU Data Protection, FTC Red Flags, FSA TCF, 45 state-level breach notification laws, etc.). Although most industries operate under separate and distinct regulatory regimes, many share common regulatory obligations for the protection of information. And in the end, understanding the relationship between security and privacy uncovers that the basic principles are much closer than many think, and both lead ultimately to information assurance.
Unisys and Stealth
With this environment in mind, the Wikibon analyst community received a briefing from one of its long-standing clients, Unisys, on a recently announced and potentially game-changing technology for data protection that is just now available in the Unisys public, private, and hybrid cloud offerings. With Stealth, Unisys is engineering data protection into the cloud.
Quick Look at Stealth
Stealth is:
- A set of data protection technologies developed originally for the United States Department of Defense as a way to flatten networks into a single, secure, virtual channel of communications;
- A method of separating devices and data into communities of interest (CoI) on a single network AND in storage that allows data from different communities of interest to cohabit across a network and in storage without being “visible” to users, applications, or processes outside the authorized community of interest;
- An approach to using encryption and policy enforcement so that only users, devices, and data in the community of interest are visible – everything else doesn’t exist to entities outside of the community; and,
- A way to allow the establishment of communities of interest that work across applications, data centers and third-party providers.
Through a single architecture and set of technologies for networks and storage, Unisys proposes that Stealth users achieve a superior level of confidentiality, integrity, and availability of data that would not otherwise be available without combining a more complex and costly set of network, application, database, and storage protection technologies.
Protection on the Network
At the core of Stealth is cryptography – a cryptographic module and key management system that is FIPS 140-2 certified, using AES-256 encryption and a proprietary bit-level splitting algorithm and authentication technique. Stealth protects data in motion and data at rest and is implemented between the data link and network layers of the OSI stack. Stealth takes in standard TCP/IP packets, adds a proprietary header to the clear text, applies cryptography using AES, then parses the data into “slices” as it travels over a network or is stored by an application. All key management is self-contained. Stealth creates and manages session keys using a FIPS-certified key store that requires no operator intervention. Human intervention is limited to the establishment of working keys in the key management protocol, and no application changes appear to be needed out of the box.
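To make the encrypt-then-slice pipeline described above concrete, here is an added Go example; it is not Unisys code and does not reproduce the proprietary Stealth header or bit-splitting algorithm, which the briefing did not disclose. It stands in a generic construction: a packet is encrypted with AES-256-GCM, a small cleartext slice header (assumed fields: community identifier and sequence number) is bound to the ciphertext as authenticated data, and the ciphertext is then XOR-split into n shares so that fewer than n shares carry no information about it. The key and packet bytes are constructed demo values; in a real deployment keys would come from the key-management system.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SliceHeader is the cleartext header carried by every slice. The fields are
// assumptions for this example; the page does not describe the real header.
// The header is authenticated (as GCM additional data) but not encrypted.
type SliceHeader struct {
	CommunityID uint32
	Sequence    uint32
}

func (h SliceHeader) bytes() []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint32(b[0:4], h.CommunityID)
	binary.BigEndian.PutUint32(b[4:8], h.Sequence)
	return b
}

// Slice is one share of a protected packet.
type Slice struct {
	Header SliceHeader
	Index  int
	Nonce  []byte // identical for all slices of one packet
	Share  []byte
}

// ProtectPacket encrypts packet with AES-256-GCM, binds hdr as additional
// authenticated data, and XOR-splits the ciphertext into n slices. Shares
// 0..n-2 are uniformly random and the last share is chosen so that the XOR of
// all n equals the ciphertext; any n-1 slices are indistinguishable from noise.
func ProtectPacket(key []byte, hdr SliceHeader, packet []byte, n int) ([]Slice, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	if n < 2 {
		return nil, errors.New("need at least two slices")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, packet, hdr.bytes())

	slices := make([]Slice, n)
	last := append([]byte(nil), ct...)
	for i := 0; i < n-1; i++ {
		share := make([]byte, len(ct))
		if _, err := rand.Read(share); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= share[j]
		}
		slices[i] = Slice{Header: hdr, Index: i, Nonce: nonce, Share: share}
	}
	slices[n-1] = Slice{Header: hdr, Index: n - 1, Nonce: nonce, Share: last}
	return slices, nil
}

// RecoverPacket XORs the slices back into the ciphertext and authenticates and
// decrypts it. A missing or altered slice, a tampered header, or a key from a
// different community fails the GCM tag check and yields an error, never
// silently corrupted plaintext.
func RecoverPacket(key []byte, slices []Slice) ([]byte, error) {
	if len(slices) == 0 {
		return nil, errors.New("no slices")
	}
	hdr, nonce := slices[0].Header, slices[0].Nonce
	ct := make([]byte, len(slices[0].Share))
	for _, s := range slices {
		if s.Header != hdr || !bytes.Equal(s.Nonce, nonce) || len(s.Share) != len(ct) {
			return nil, errors.New("slices do not belong to the same packet")
		}
		for j := range ct {
			ct[j] ^= s.Share[j]
		}
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, hdr.bytes())
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key
	hdr := SliceHeader{CommunityID: 7, Sequence: 1}
	packet := []byte("constructed IP packet payload") // constructed sample packet
	slices, err := ProtectPacket(key, hdr, packet, 3)
	if err != nil {
		panic(err)
	}
	got, err := RecoverPacket(key, slices)
	fmt.Printf("all slices:        %q (err=%v)\n", got, err)
	_, err = RecoverPacket(key, slices[:2])
	fmt.Println("two of three slices:", err)
	_, err = RecoverPacket(bytes.Repeat([]byte{0x43}, 32), slices)
	fmt.Println("other community key:", err)
}
```

Two points the example makes about the concern raised later in the note: the confidentiality of the slices rests entirely on AES-256 and on who holds the community key, and the splitting step adds an all-or-nothing property only when the share generation is genuinely random. Any auditor evaluating a proprietary splitting scheme would want to confirm exactly those two properties.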
Multi-tenant Data Protection
For storage arrays, data from multiple communities of interest can be commingled and securely stored and accessed in the same physical storage array, removing the requirement to maintain separate storage pools for critical vs. non-critical data, and relieving the security administrator of the burden of maintaining sometimes complicated access control lists. Stealth for storage arrays provides data protection at the LUN level, using the same encryption, bit-level splitting, and authentication technology as the network component. Operating as a secure, standalone device connected directly to a SAN infrastructure, Stealth can also provide replication and resiliency through data dispersal features (to be covered in a separate Wikibon Research Note).
Futures and Concerns
As with all emerging technologies, particularly security technologies coming from defense and moving to commercial applications, end-user acceptance of the Stealth value proposition will depend on the direct and indirect value achieved or perceived from this level of infrastructure and data protection integration. Clearly the technology is passing the test of NIST standards; however, the proprietary nature of the algorithms in the bit-splitting process will come into question outside the closed environment of Unisys cloud offerings. Also, it is not clear yet how much more protection is afforded the end-user over traditional AES-256 encryption and certified key management systems. So the question is whether the user is willing to pay what might be a premium for Stealth-secured cloud services vs. those services using potentially less sophisticated or traditional solutions (pricing details were not available at the time of the Wikibon briefing by Unisys). In addition, it will be interesting to see if the Stealth data protection services are specifically referenced in service-level agreements and what options exist for recourse should a Stealth-secured network or storage environment be compromised.
As for technical implementation, specific management support for standard hypervisor environments has not been mentioned, although Stealth presents itself as a transparent network appliance. Unisys is considering options for creating a native Stealth driver, similar to what it has already done for Windows and Linux.
Action Item: For years end-users, CISOs, CEOs, CIOs, etc. have been in search of the security holy grail - data protection designed and engineered into information technology and systems to secure the world’s mass generation of digital information – the digital deluge. It appears Unisys is delivering part of that holy grail with Stealth. Users now must do the cost vs. value and risk vs. reward trade-off to determine if the integration, features, functionality, and implementation costs provide a significant enough value proposition to move critical workloads to Stealth-secured clouds.