A major disruptor to the network function virtualization (NFV) era is the expansion of telco cloud services. Cloud-based services offer tremendous benefits, such as scalability, cost performance, central and easy management. However, these services are a centralized repository of information using shared resources, which makes them a prime target for attackers.
About the author
Danny Lahav, product manager, Nokia cloud core.
These shared resources include compute or cloud storage servers, and a breach in a single server can potentially cause a full information leak and compromise. Thus, security industry experts are exploring technologies, such as firewalls and encryption to protect cloud services and platforms. As more and more telco cloud services implement these technologies, it’s important to have an understanding of the current options.
The meaning of encryption
Encryption uses a cryptographic key to convert plaintext, also known as your human-readable data, into an unreadable text. Similarly, the decryption of the encrypted data requires a respective cryptographic key to convert it to its original form. Data encryption ensures data security and integrity. Without the key, data cannot be decrypted by an attacker or unauthorized user, unless the key was already compromised. Encryption can be applied on two types of data: in transit and at rest.
Data in Transit includes data that travels across the Internet and system interfaces, which can be external to the system or internal between servers and software application programming interfaces (APIs). It can be encrypted using HTTPS, TLS, IPSec, etc., which is crucial to prevent interception by an unauthorized user.
Data at Rest also means data in storage, and includes storage nodes and removable storage media. Data at rest encryption can be applied to a specific data file or all stored data. End-to-end encryption is a means of encrypting data so that it can only be decrypted at the endpoints. Interfacing the cloud services via encrypted data in transit removes the likelihood of server access without having an appropriate key – only the sender and the recipient can decrypt the messaging over these interfaces.
Encryption can also be applied in cloud systems to enable authorized user access, as well as used for system access over external interfaces and to protect sensitive data stored on the cloud system. Without the cryptographic key, lost or stolen data cannot be accessed.
Encrypted server data also minimizes the chance for attackers to access the data at rest. Even if they accessed the encrypted server data, attackers are unable to “read” the data or compromise it without having the keys to decrypt it. Therefore, encrypting data at rest is a key element in robust cloud data security.
Securing crypto key lifecycles using a Hardware Security Module
A dedicated crypto processor specifically designed to safeguard the crypto key lifecycle, the hardware security module (HSM) protects and manages digital keys for strong authentication and offers crypto-processing.
Traditionally, HSMs are either a plugin card or an external device that attaches to a computer or network server. As these modules are often part of mission-critical IT infrastructure, they are generally clustered for high availability, including dual power supply modules.
Cloud operators keep its main project secret key, known as the Key Encryption Key (KEK), in the HSM to interact with Barbican via the Crypto plugin using PKCS#11 protocol. A REST API meant for securing storage, supplying and managing secrets, Barbican is an OpenStack project that enables users to build secure, cloud-ready key management systems.
These systems allow for the management of sensitive information, such as symmetric and asymmetric keys, and raw secrets. Residing in the HSM, secrets are encrypted and later decrypted on retrieval, by a project-specific KEK. For example, the HSM will generate a Crypto Key per service to encrypt a storage volume.
Service identification with Keystone
Another OpenStack project is Keystone, which provides centralized API client authentication, service discovery, and distributed multi-tenant authorization. Keystone first authenticates a user before gaining access to any other service. It can also use an external authentication system like LDAP or TACACS+. Once successfully authenticated, the user gains a temporary token that is included in the service request. The user receives service access if and only if the token is validated and if the user has the proper roles.
Dynamic Keys Management: How Barbican manages your keys
First, Barbican verifies a keystone authentication token to identify the user and project accessing or storing a secret. It then applies a policy to determine if access is authorized.
Barbican replaces sensitive information, like database passwords, with unique hyperlinks, which are securely stored for later retrieval. It encrypts sensitive data with dedicated encryption devices like HSMs to provide an enhanced level of security.
As previously mentioned, crypto plugins are used to communicate with the HSM through the PKCS#11 protocol. This protocol specifies an API, called “Cryptoki,” for devices that carry cryptographic information and perform cryptographic functions that are technology independent.
Why storage encryption matters
Cloud systems that are based on Virtual Machines (VM) or containers use volume storage. Thus, volume encryption is critical to secure VM data and physical storage medium from being stolen, leaked and accessed by attackers. Non-encrypted VM data runs the risk of an attacker breaking into a volume-hosting platform and access the data for many different VMs.
The goal of the encrypted volume functionality is to encrypt the VM’s data before it is written to the volume/storage (data in transit), and consequently to maintain data protection while residing on the storage device (data at rest).
As telco cloud NFV services continue to grow, the possibility of data leakage increases, and therefore demands attention and appropriate solutions. Encrypting internal and external interfaces, data and volumes, dynamic keys management and more are a key step in lowering your risk of data leakage and information eavesdropping.