Security should focus on protecting data rather than shoring up infrastructure, an approach that can make breaches irrelevant, according to Gary Southwell, general manager of the high-performance products group at network gear purveyor CSPi.
The Equifax breach, for example, in which a failure to patch the Apache Struts library compromised personal data on 145.5 million people, could have been avoided. “If it had protected the data itself, that wouldn’t have been a problem. All the hacker would have gotten was encrypted gibberish,” he said.
“You can’t stop people from doing things like ransomware and other things, but there are backup strategies,” he said. “We shouldn’t be worrying about losing everybody’s Social Security number five or six times a year.”
As companies adopt DevOps practices in an effort to deliver software faster, developers pull components from GitHub to build applications on the public cloud. Those applications call on data from enterprise data centers, and when deployed, expose ever more attack surface, he explained.
CSPi set out to develop a solution that developers could pull in to apply encryption at every stage and apply policies managed by the infosec team.
Its software-defined security platform, ARIA, is designed for containers or VMs in any environment: on-premises, in a private data center or in the public cloud. It automatically assigns appropriate security policies to each instance as it is spawned, with little or no manual intervention.
It’s a lightweight agent deployed in Docker containers that serves as a beacon to a Kubernetes-based orchestrator. The orchestrator, for instance, can check whether a container image comes from a sanctioned repository, then either allow the container to be put into the production environment — or not. Kubernetes is an open source project managed by the Cloud Native Computing Foundation.
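The sanctioned-repository gate described above, as an added illustration (this is not CSPi, ARIA or Kubernetes code): a small admission check that parses every container image reference in a pod spec, resolves it to its registry using the usual Docker reference rules (no host means Docker Hub, official images live under `library/`, a port on the host must not be mistaken for a tag), and refuses the pod if any image comes from a registry outside the allowlist. The registry names and the sample pod are constructed. It goes one step beyond the text with an optional check that images are pinned by digest, since a mutable tag can be repointed after the image was reviewed.

```python
"""Admission-style check: admit a pod only if every container image comes
from a sanctioned registry. Added illustration, not vendor or project code.
Registry names and the sample pod below are constructed placeholders."""
from typing import Dict, Iterable, List, NamedTuple, Optional


class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


DEFAULT_REGISTRY = "docker.io"


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'host[:port]/repo[:tag][@digest]' into its parts."""
    digest = None
    if "@" in ref:  # digest always follows '@' and comes last
        ref, digest = ref.split("@", 1)
    # The first path component is a registry host only if it looks like one
    # (contains '.' or ':' or is 'localhost'); otherwise it is part of the repo.
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref
    # A tag is a ':' in the LAST path component; a ':' earlier is a port.
    tag = None
    last_component = path[path.rfind("/") + 1:]
    if ":" in last_component:
        path, tag = path.rsplit(":", 1)
    # Docker Hub official images ("nginx") are really "library/nginx".
    if registry == DEFAULT_REGISTRY and "/" not in path:
        path = "library/" + path
    return ImageRef(registry.lower(), path, tag, digest)


def is_sanctioned(ref: str, allowed_registries: Iterable[str],
                  require_digest: bool = False) -> bool:
    """True if the image's registry is allowlisted (and pinned, if required)."""
    img = parse_image_ref(ref)
    if img.registry not in set(allowed_registries):
        return False
    if require_digest and img.digest is None:
        return False  # tag-only references can be repointed after review
    return True


def admit_pod(pod: Dict, allowed_registries: Iterable[str],
              require_digest: bool = False) -> List[str]:
    """Return denial reasons; an empty list means the pod is admitted."""
    reasons = []
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            image = c.get("image", "")
            if not is_sanctioned(image, allowed_registries, require_digest):
                reasons.append(
                    f"{field}/{c.get('name')}: image {image!r} is not from a "
                    f"sanctioned registry" + (" or not digest-pinned" if require_digest else ""))
    return reasons


# Constructed sample: one internal registry is sanctioned; the sidecar pulls
# from Docker Hub and should be refused.
ALLOWED = {"registry.example.internal"}
SAMPLE_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "registry.example.internal/base/init:1.0"}],
        "containers": [
            {"name": "app",
             "image": "registry.example.internal/team/app@sha256:" + "a" * 64},
            {"name": "sidecar", "image": "nginx:1.25"},
        ],
    },
}

if __name__ == "__main__":
    for line in admit_pod(SAMPLE_POD, ALLOWED) or ["admitted"]:
        print(line)
```

In a real cluster this logic would sit behind a validating admission webhook and be evaluated before the scheduler ever sees the pod; the parsing above is the part that is easy to get wrong, because an allowlist compared against the raw image string lets `registry.example.internal.attacker.example/app` or a Docker Hub image with no host prefix slip through.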
Developers will be able to set up these services by connecting to them, and the administrator can say, “I want this level of encryption, I want this type of micro-segmentation, I want this type of encryption for data at rest whether it’s going to S3 storage or back into my data center. I can set different policies for different stacks,” Southwell said.
“It sounds simple, but it’s not simple when you’ve got a lot of containers popping up and need to communicate with each other,” he said.
The software is designed to protect data at rest and data in motion as containers communicate. It also will incorporate third-party technologies to protect data in use, so that Social Security numbers and other sensitive data can’t be printed out or accidentally or purposely sent between devices, he said.
ARIA will be rolled out over the next several months, according to the company.
Protecting Encryption Keys
The Lowell, Mass.-based CSPi, which has been around since 1968, has a long history in network security and IT managed services. In 2013, it acquired Myricom, maker of extreme-performance 10-Gigabit Ethernet products.
Last spring it launched Myricom nVoy Series 10-Gbit Packet Recorder and Myricom nVoy Series 1-to-100-Gbit Packet Broker to give security teams the ability to isolate and closely monitor access to important data such as personal identification information or intellectual property.
To help organizations secure data and maintain performance with on-premises workloads, the company also launched the Myricom ARC Series Secure Intelligent Adapter, a 10/25 intelligent network interface card (NIC) that offloads CPU-intensive security functions such as encryption, authentication and intrusion prevention.
Organizations also can store encryption keys there rather than on the server where, in a breach, they can be compromised and reused on any device running that application.
Southwell told of a financial services firm with thousands of servers whose applications crashed when it applied encryption because of high CPU demand. Its server refresh was 38 months away, so it had decided to wait that long for encryption, when CSPi suggested the NIC.
The company plans higher-speed cards later.
A rash of new companies is focused on the “DevOpsification of security.” Vendors such as Illumio, Guardicore, CloudPassage, vArmour and Threat Stack aim to provide better visibility into anomalous behavior in the data center and/or cloud. ProtectWise, Darktrace and Niara take a network-centric approach; Prevoty, Contrast Security, tCell and Stackrox are app-centric; and Elastic Beam and 42Crunch focus on API security.
The Cloud Native Computing Foundation is a sponsor of The New Stack.