Sponsored

Why encryption is the key to your security strategy

Encryption used to come with performance penalties, but the latest hardware platforms can provide all the benefits without the downsides


There's no such thing as a free lunch, and this is definitely true when it comes to security. The more secure a password is, the harder it is to remember, and end-to-end encryption as used in Internet technologies like SSL or Wi-Fi has historically had a clear overhead in terms of performance. A study in 2008 showed that turning on WEP or WPA-TKIP with a standard 802.11g setup reduced TCP throughput by about 2.5%. Encrypting a storage device at source can have an even greater effect, with some tests seeing a 25% increase in processor load for full-disk encryption, although the data throughput is much less degraded than this.

A decade or so ago, when host equipment was less powerful than it is today, this caused a headache for hardware procurement, and potential conflicts within an organisation. There were obvious costs to encryption, and a company would need to specify more powerful hardware to fully implement it. As a result, there would likely need to be a trade-off between how much security was actually required from the hardware budget available and the specification of hardware purchased. Maintaining a completely secure platform was the ideal, but it wasn't necessarily affordable.

Nevertheless, nobody would argue that strong security is an optional extra only to be considered if you can pay for it. The National Crime Agency called 2017 the "year of ransomware attacks and massive data breaches" in its 2017-18 report. Whilst encryption is only part of a portfolio of protections against the kinds of threats detailed in this report, it is a fundamentally important one. Where human beings are the weakest link, strongly encrypting your data as it is stored and when it is transferred from one location to another is an area that corporations can control and rely upon. It therefore really should be the lynchpin of a security strategy.

Encryption causes a performance overhead for a number of reasons. To start with, there will be a handshaking process. This will involve the exchange of various tokens, such as a passphrase or login, so that the system accessing the data or connection has the right key or certificate. Different methods will involve a varying number of transactions, depending on the authentication system used. The older LEAP authentication system required fewer transactions than the now-standard PEAP, for example, but only because LEAP would send passwords unencrypted at the beginning of the process, which is less secure.


The primary overhead from handshaking is only incurred when the connection is first made. But some encryption systems will also be changing keys with every packet, such as the Temporal Key Integrity Protocol (TKIP) process used by Wi-Fi's WPA, or the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (Counter Mode CBC-MAC Protocol, or CCMP for short) used by WPA2. This makes these systems particularly secure because even if you can crack a particular key, it will only be in use for the duration of the associated packet, and then another key will be created. So the key has to be broken in a fraction of a second, which isn't currently possible via a brute force attack.
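The per-packet key property described above can be made concrete with a small model. The following is an added illustration, not code from the article and not an implementation of TKIP or CCMP: it derives a fresh 128-bit key for every packet from a session temporal key, the sender address and a 48-bit sequence counter (the names `derive_packet_key`, `protect` and `Receiver` are this example's own), and shows why a key recovered for one packet is useless for any other, while the monotonic counter also gives the receiver replay protection.

```python
# Added illustration of per-packet keying. This is NOT TKIP or CCMP; it is a
# one-way HMAC-SHA256 key schedule with the same property the article describes:
# every packet is protected under a key that exists only for that packet.
import hashlib
import hmc if False else None  # placeholder removed below
```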

The lion's share of the hardware cost of encryption is in the cyphering itself, however. The most common forms of encryption use 128-bit or 256-bit keys. WPA and WPA2 generate a 256-bit key although the temporal TKIP or CCMP keys are 128-bit. Microsoft's BitLocker drive encryption also offers a choice between 128-bit and 256-bit encryption. Cracking a key this size via brute force would take unfeasible amounts of time, making these keys very secure. It has been estimated that a billion years of supercomputer time would be needed to crack even a 128-bit AES key).

However, there's still a mathematical function to perform on encrypted data even if you have the keys, taking it in and out of the encrypted state. A general-purpose CPU will only be so good at this kind of operation, depending on architecture and frequency. A 64-bit processor will perform cryptographic functions significantly faster than a 32-bit one, but this is also an area where dedicated encryption hardware support on the processor itself comes into play, primarily revolving around acceleration of floating point instructions. For example, the reduction in latency on AES New Instructions with the Intel Xeon v3 family allowed for up to four times faster processing of OpenSSL 128-bit AES blocks than with v2 Xeons. The latest Intel Xeon Scalable architecture's AVX-512 instructions go even further, processing twice as many floating point operations as the 256-bit AVX-2, and four times as many as the 128-bit Streaming SIMD Extensions (SSE).

Encryption can add a five to 10% overhead to transaction time with a cloud-hosted database, according to research by HashiCorp. But this can be significantly reduced when the hardware at either end of the process has CPU capabilities to accelerate encryption and decryption without significant penalty. If there are no performance or cost dis-incentives to encrypting all data storage and connectivity, such as the wholesale shift to HTTPS that has been happening on the Web over the last couple of years, then that can only be a good thing, because it raises overall data security levels in general.

Companies that implement ubiquitous encryption know that the hardware side of the security equation is covered. With all sensitive data storage encrypted, the costs of a physical theft in terms of data breach penalties will be negated. And ensuring that all data connections inside and outside the corporation are also encrypted will stop all possibility of snooping. The focus can then be on the aspects of security that revolve around endpoints and their human users. This primarily consists of training staff with good practice and ensuring that the interfaces they operate encourage them to implement this good practice.

Much further down the road, the almost mythical possibilities of quantum computing to render all current encryption crackable loom. Some vendors think that quantum computers could be with us in five years, but most researchers believe they won't have sufficient capabilities to break encryption until the 2030s. Until then, encryption remains the most powerful technical tool we have to keep our data and computing activities secure. Now, with the appropriate computing platform like Intel's Xeon Scalable, we can reap the benefits without having to worry about performance downsides.

Is your business ready for IT Transformation? Discover more from Intel here.

Advertisement
Related Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/network-internet/34596/bt-unveils-barrage-of-new-business-services
Network & Internet

BT unveils barrage of new business services

9 Oct 2019
Visit/hardware/34326/intel-hades-canyon-nuc-review-dead-impressive
Hardware

Intel Hades Canyon NUC review: Dead impressive

5 Sep 2019
Visit/hardware/34247/intel-announces-new-10th-gen-comet-lake-processors
Hardware

Intel announces new 10th-gen ‘Comet Lake’ processors

21 Aug 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

4 Nov 2019
Visit/domain-name-system-dns/34842/microsoft-embraces-dns-over-https-to-secure-the-web
Domain Name System (DNS)

Microsoft embraces DNS over HTTPS to secure the web

19 Nov 2019
Visit/strategy/28115/the-pros-and-cons-of-net-neutrality
Business strategy

The pros and cons of net neutrality

4 Nov 2019
Visit/social-media/34844/can-wikipedia-founders-social-network-really-challenge-facebook
social media

Can Wikipedia founder's social network really challenge Facebook?

19 Nov 2019