tl;dr: Nubeva has created a new, cloud-native Symmetric Key Architecture that allows IT teams to maximize modern encryption protocols while also gaining full visibility into data at the packet level when and where needed. The solution enables the discovery and extraction of final symmetric encryption keys after the handshakes are complete. Keys are stored in a user's key database and accessed when needed so tools can monitor for anomalies and security threats.
Today, a vast majority of cloud data is encrypted, and that’s a good thing for security. Modern encryption protocols help keep public cloud environments (AWS, Azure and Google Cloud) secure and allow IT organizations to maximize their cloud subscriptions for cost, efficiency and productivity gains.
When done correctly, encryption allows users to protect data, even when their cloud environments aren’t under their full control. Workloads can communicate across TLS encrypted networks to perform their tasks, deliver data and run mission critical applications for business. Each workload in the public cloud makes thousands of TLS-secured connections every day.
But enterprises have another requirement of their encrypted data in the cloud. Why? Because encrypted traffic can house virus attacks, malware, ransomware, phishing attempts, attack command and control information, and internal data leaks. IT teams, therefore, need to inspect network traffic at the packet level, which means decrypting data so security and DevOps can use their trusted tools to monitor, inspect and perform threat hunting.
As enterprise IT organizations determine they need to inspect their cloud traffic, they quickly realize that more than 70 percent of that traffic is encrypted. New security protocols are breaking traditional decryption methods, and application and cloud services make every server a client to a myriad of cloud services, with new levels of encryption that create blind spots.
For this very reason, Nubeva created its breakthrough Symmetric Key Intercept architecture. This is a new way to solve traffic visibility in the cloud, while ensuring new security protocols remain in place. Symmetric Key Intercept enables the discovery and extraction of the final symmetric encryption keys after the handshakes are complete. Keys are then securely stored and made available to users for on-demand use within their cloud subscriptions.
This cloud-native architecture delivers universal TLS visibility and decryption for any TLS server or TLS client - including the new TLS 1.3 standard. The architecture uses AI rules-based key discovery, extraction, storage and retrieval to enable real-time, multi-destination, decentralized decryption of mirrored traffic as well as instant decryption and replay of mirrored and encrypted pcaps that can be stored for future investigation, compliance or inspection.
Our Symmetric Key Intercept architecture answers the security vs. visibility problem that most enterprise IT organizations must solve – and we do it in a completely new way. By decoupling the keys discovered from the encrypted traffic streams and then decrypting only at the tool destinations, the original end-to-end encryption is preserved while cloud-scale decrypted visibility is created.
Symmetric Key Intercept Architecture: How It Works
First, AI rules-based, final key discovery and extraction happens at either end of the TLS handshake. This TLS client and TLS server approach is critical for universal, decrypted visibility in cloud environments where applications are made of decentralized, distributed workloads and third-party data feeds. Throughout its normal cycles, a cloud workload will be both a TLS server and a TLS client.
Second, once the final keys are extracted, they are securely stored in a user’s cloud subscription in a secure key database. This effectively creates a new decryption plane architecture.
Finally, a Nubeva decryption agent container sits in each tool destination workload. This agent acts as a sidecar to the tool workload and decrypts data on the fly so only the tool can see it. It buffers incoming encrypted packet traffic, retrieves the correct key from the key database and decrypts the traffic. The Nubeva decryption agent then feeds the decrypted packets to the tool destination along with the original, encrypted traffic stream.
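To make the first two steps concrete, here is an added Go example (not Nubeva's code; the post does not say how its agents discover keys). It runs one TLS 1.3 handshake in-process with both ends logging their final traffic secrets through Go's standard KeyLogWriter hook, then loads those NSS-style key-log lines into a hypothetical KeyDB keyed by the session's client random, so that the same session keys are recoverable from either the server end or the client end of the handshake. KeyDB, Ingest and Handshake are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"strings"
	"time"
)

// KeyDB is a hypothetical stand-in for the post's key database: client random (hex) -> key-log label (e.g. CLIENT_TRAFFIC_SECRET_0) -> secret (hex).
type KeyDB map[string]map[string]string

// Ingest parses NSS-style key-log lines ("LABEL client_random secret") captured at either end of a handshake.
func (db KeyDB) Ingest(keylog []byte) {
	for _, line := range strings.Split(string(keylog), "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			if _, ok := db[f[1]]; !ok {
				db[f[1]] = map[string]string{}
			}
			db[f[1]][f[0]] = f[2]
		}
	}
}

// Handshake runs one in-process TLS 1.3 handshake with a self-signed certificate constructed here and returns the key logs written at the server end and at the client end.
func Handshake() (serverLog, clientLog []byte, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "workload"},
		DNSNames: []string{"workload"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the client trusts exactly this workload certificate
	pool.AddCert(leaf)
	var sbuf, cbuf bytes.Buffer // KeyLogWriter sinks: the key extraction point at each end
	cconn, sconn := net.Pipe()
	errc := make(chan error, 1)
	go func() { // server end; tickets disabled so its flight ends with the server Finished
		errc <- tls.Server(sconn, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
			MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true, KeyLogWriter: &sbuf}).Handshake()
	}()
	c := tls.Client(cconn, &tls.Config{RootCAs: pool, ServerName: "workload", MinVersion: tls.VersionTLS13, KeyLogWriter: &cbuf})
	if err = c.Handshake(); err == nil {
		err = <-errc // wait until the server has consumed the client Finished
	}
	return sbuf.Bytes(), cbuf.Bytes(), err
}
```

Ingesting both logs into separate KeyDB instances shows the point of the architecture: for the one client random, the server-side and client-side entries for CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0 are identical, so a tool-side agent holding either copy can decrypt that session's application data.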
The architecture ensures decrypted traffic is never exposed to potential threats if it gets intercepted. Instead of decrypting traffic in storage then sending it to monitoring tools for inspection, we allow users to send the encrypted traffic to tools, databases and storage and decrypt the traffic at the tool. The architecture is modular, easy to deploy, and scales to meet any traffic load without any configuration overhead or architectural constraints.
With Symmetric Key Intercept in place, cloud DevOps and SecOps teams can, with confidence, decrypt TLS traffic inside their cloud environments – enabling security, performance and diagnostic systems and processes.