While encryption is common place these days, so are advanced threats for institutions with high value data. NetFoundry increases data in motion security “in the wild” of the Internet by combining state of the art encryption with multiple tunnels, as one layer in NetFoundry’s multi-layered security architecture. The multi-layered security architecture functions as zero trust, software-defined perimeter, enforcing explicit, least privileged access control. NetFoundry’s unique relationships with hardware root of trust solutions such as Micron make NetFoundry’s software defined perimeter exceptionally strong.
After enforcing the rigorous access control, we then can use multiple, individually encrypted tunnels to route any data stream across a NetFoundry AppWAN in multiple IP paths. Each path is independently encrypted, and routed from A to Z via a configurable number of Transfer Node Channels, physical and/or logical. When the data session is initialized, we use state of the art encryption methods to protect each individual stream. We start with a Diffie-Hellman Elliptical Curve exchange. This encrypted path is then used to pass a cryptographically secure symmetric key to be used for AES-256-GCM encryption of the actual traffic. The paths can alternate packets, so that any attacker who was able to capture the traffic only gets a portion of the stream, or can even be configured to stripe input packets across output packets, taking the data in motion security up a notch by making it that much more difficult to reassemble. Since the computational estimate of breaking a 256 bit key used in AES by brute force is about 10^40 times longer than the current age of the universe, regardless of what they were able to capture, they would have to have some other means of obtaining the keys. Oh, and did I mention we change the keys every 30 minutes by default?
It is also important to note that the Transfer nodes, which are strategically placed in various cloud providers and private data centers as appropriate to the geography of the path, do not have the actual data encryption keys. These nodes pass the exchange as data payload. Like any other potential “listener” to the exchange, the Transfer Node can not just eavesdrop and break the encryption.
Robustness Effects of Path Fragmentation
While data in motion security is a primary goal of the multiple encrypted streams on the NetFoundry platform, there is a major beneficial quality of experience effect. Since we use multiple paths, poorly performing paths can be mitigated by reducing the amount of traffic on that path, or by eliminating the use of the path altogether. Bad BGP peerings, poor network capacity engineering, transient issues or cable seeking backhoes can cause problems throughout the Internet. The longer the path latency, the higher the chance for a problem. Real time feedback within each individual NetFoundry path allows the system to weight each path accordingly, or give up on a very poor path and utilize another. Of course, that path will be encrypted with a new key, like any other. This allows a NetFoundry AppWAN to provide extremely high performance compared to VPNs, while maintaining the security of that traffic at the highest levels.
We Know Data In Motion Security Matters
We see every day a news report of another major security breach, and understand the massive toll that takes on companies’ reputations and revenues. The costs of recovery are significant in themselves, but the loss of customer trust is worth far more, and much harder to win back. NetFoundry provides an option for enterprises to obtain true data in motion security, while maintaining the kind of performance and agility the modern network demands; all while using “common Internet” services, rather than difficult to manage private networks.
NetFoundry’s leading data in motion solution is a superior security solution due to its place within NetFoundry’s overall software defined perimeter architecture, which includes integrations with industry leaders such as Micron, Neustar, AWS and Ribbon Communications. The net result is not only that NetFoundry’s AppWANs are zero trust, but that the data which flow across them is encrypted in multiple paths, and businesses can leverage the platform by spinning up AppWANs in minutes.
