TLS Decryption in the Data Center and Private Clouds

    by Nubeva 20 December 2019

    Read Time: ~5 mins; 30 seconds


    Nubeva says “Yes You Can” to out-of-band, East/West packet traffic visibility and full decryption, even inside Kubernetes nodes. Research shows that TLS 1.3 encryption, Kubernetes adoption and elastic application architectures are even more prevalent in data centers and the private cloud than in the public cloud. While these technologies are wonderful for DevOps and security, they also create a black hole for network visibility, intrusion detection, threat hunting, response and troubleshooting. East/West visibility, packet capture and out-of-band decryption is impossible with legacy solutions and perimeter-based collection and inspection set ups. Nubeva’s patent-pending Symmetric Key Intercept architecture changes all that. 


    Data centers and private clouds are still prevalent and will remain so for the foreseeable future. New distributed, elastic, microservice application architectures from containers, Kubernetes and even VMs allow DevOps and IT to create unique and safe environments for their own compute needs. While definitions vary in the details, a private cloud is typically understood as a set of private, API accessed, resources where the infrastructure is abstracted and orchestrated through code, workflows and requests. It is  isolated from outsiders but shared by applications inside your organization and controlled by you. Your data center is largely the same except that you also own and manage the hardware, networking infrastructure, provisioning, physical security, power, etc. of the environment. You architect the private cloud environment to meet your specific needs -- gaining all of the advantages of cloud computing (elasticity, automatic provisioning, support for distributed application architecture, shared services and cost savings) while minimizing exposure and other risks. 

    The downside to all this innovation is that network decryption and packet collection/mirroring in the data center and private cloud has become complex, expensive, and often, impossible. Most organizations resort to monitoring and inspecting only the most critical traffic, leaving the rest of the network to be consumed by the growing black hole.

    The advent and adoption of TLS 1.3 has some tech experts saying out-of-band decryption can’t be done. Nubeva says, “Yes, you can.” 

    Instead of relying solely on metadata, flow data and fingerprints, Nubeva enables full, out-of-band, packet decryption; even with TLS 1.3. Because Nubeva is focused on decryption, it is not bound to a single tool. Nubeva works with all the  packet inspection, traffic inspection and network performance tools that enterprise SOCs already have in place. All the existing workflows, policies, procedures and, most importantly, institutional knowledge that you already have in house can stay put without the complexity of disruption of yet-another-security-tool.

    Instead of allowing TLS 1.3 protocols to render your security tools blind to East/West traffic, what if the security team could continue to depend on the tools they’ve invested in to maintain and monitor against set policies and controls? Tools that need to analyze TLS 1.3 encrypted traffic receive and see that traffic, fully decrypted.

    Nubeva enables organizations to improve security and eliminate the growing East/West blind spots caused by TLS 1.3 in their private clouds. Nubeva TLS 1.3 Decrypt is able to capture, mirror and fully decrypt packets:

    • Inside Kubernetes nodes
    • Moving between VMs
    • Moving between containers
    • Traversing networks

    Security teams now have the ability to inspect and analyze traffic in detail – seeing inside packets that were fully encrypted. With this easy-to-deploy solution, users can decrypt the newest TLS protocols and mirror network traffic where they previously could not. 

    How it Works in Private Cloud

    In the private cloud environment, network packet brokers can no longer decrypt out of band like they once could thanks to new TLS 1.3 encryption protocols. The ability to add Nubeva, including Nubeva’s software based decryptors on, or in front of inspection, detection and monitoring tools, completely restores your infrastructure without forcing users to change out their network packet brokering or tool infrastructure. 

    Your existing packet brokers still continue to capture, process and mirror packet traffic as usual. The NPB DecryptNubeva Key Discovery sensor sits on any desired workload and discovers then extracts the TLS 1.3 symmetric encryption keys from either side of the TLS handshake. Your NPB sends the replicated packet traffic to the destinations where the Nubeva decryptor sits on or in front of the tools and load balancers. As packets arrive from the NPB, the Nubeva decryptor buffers the incoming encrypted traffic, securely retrieves the symmetric encryption key, decrypts the packet and then outputs both the originally encrypted and newly decrypted packet directly to the tool. 

    Alternately, you can deploy a Nubeva decryptor on or in front of your NPB hub so that the NPB receives the decrypted packet and then manages the replication to a secure decryption zone where inspection, detection and monitoring tools reside. However, this kind of daisy-chain architecture is no longer necessary since the Nubeva decryptor is a software based decryptor, it can sit on or in your existing tool workloads. This means each tool can receive its own replicated copy of an encrypted packet stream from your NPB in parallel. Each decryptor can decrypt and send its version of the decrypted packet into the tool from interface to interface with no worries about decrypted chain-of-custody or who has access to potentially sensitive information at what time. 

    For more modern application architectures like Kubernetes clusters, microservices and containers, NPBs -- and even newer infrastructure-based mirrors and taps -- are unable to access internal, inter-node, inter-pod container-to-container traffic. In these cases, the Nubeva key discovery sensor is also able to capture and mirror traffic to a destination like a Nubeva decryptor or a traditional NPB. East/West visibility, even in the most modern systems, is restored. 

    Nubeva allows decryption while maintaining security, maximizing your monitoring tool investment, scaling to your needs and doing so with no library code changes. 

    Nubeva’s solution helps you decrypt traffic in your private cloud – at a low price point that is also easier, faster, more scalable and able to meet the new standards.

    Want to know more? Visit us at

    Tags: data center visibility decryption TLS encryption private cloud kubernetes cloudvisibility
    resources banner desktop

    Want to learn more?

    Request a Demo

    Subscribe Here!

    View video Data Center_Private Cloud Blog Thumbnail