Question
Running into a possible situation where a client I am working with is requesting that all data that leaves the servers should be encrypted, and here we are talking of hundreds of Linux servers spanning data centers and also including public and private cloud offerings.
I understand IPsec-based tunnels could have worked had we talked about a handful of servers, but here I have failed at finding a solution that is easy to scale and deploy, something that doesn't warrant changes to applications.
I have looked at tcpcrypt and have searched the web looking for proprietary offerings (TLS-based) to see if they fit the use case. I looked at CipherCloud, Safenet and CertesNetworks, but I doubt if any of the offerings fit the requirement. Many offerings talk of gateway-based encryption, but that leaves data over the local network unencrypted.
Is there a solution that quite literally fits the task? (Or am I trying to bite off more than I can chew?)
Explanation / Answer
Just remember the fact that 'end to end' encryption doesn't necessarily mean that every single link needs to be encrypted.
E.g. a payment request is encrypted in the client browser using app3's public key. The corresponding private key resides in an HSM.
Client Browser (encrypted payload) -> reverse proxy -> web -> app1 -> app2 -> app3
The payload is decrypted in app3 using the HSM. If this is what the client needs to protect, you can literally leave everything in the path in the clear and the data is still safe.
So ask your client where the important exit points of the data are, where encryption should be enforced.
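The payload-level design described in the answer, as an added example that is not part of the original answer: the client seals the request for app3, the intermediate hops forward it without being able to read it, and app3 opens it. The function names, the context label, the hybrid RSA-OAEP plus AES-256-GCM construction and the in-process software key standing in for the HSM are all assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Stand-in for app3's key pair (assumption). In the answer's design the private key
// stays inside an HSM; a software key is used here so the example runs offline.
const app3 = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const AAD = Buffer.from('payment-request/v1'); // constructed context label, bound into the GCM tag
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client side: encrypt under a fresh AES-256-GCM key, then wrap that key with app3's public key.
function sealForApp3(publicKey, plaintext) {
  const cek = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(AAD);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, cek);
  const b64 = (b) => b.toString('base64');
  return { wrappedKey: b64(wrappedKey), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Intermediate hop (reverse proxy, web, app1, app2): parses and forwards the envelope,
// holding no key material, so the links between hops can stay in the clear.
function relay(envelopeJson) {
  return JSON.stringify(JSON.parse(envelopeJson));
}

// app3 side: unwrap the content key (the HSM operation in the answer), then decrypt.
// decipher.final() throws if the ciphertext, tag or context label was altered in transit.
function openAtApp3(privateKey, envelopeJson) {
  const e = JSON.parse(envelopeJson);
  const d = (s) => Buffer.from(s, 'base64');
  const cek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, d(e.wrappedKey));
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, d(e.iv));
  decipher.setAAD(AAD);
  decipher.setAuthTag(d(e.tag));
  return Buffer.concat([decipher.update(d(e.ct)), decipher.final()]).toString('utf8');
}

// Constructed sample request (test card number) passing through the four hops from the answer.
function demo() {
  const request = JSON.stringify({ pan: '4111111111111111', amount: '12.50' });
  let onWire = JSON.stringify(sealForApp3(app3.publicKey, request));
  for (const hop of ['reverse proxy', 'web', 'app1', 'app2']) onWire = relay(onWire);
  return { request, onWire, received: openAtApp3(app3.privateKey, onWire) };
}
```

The envelope protects only the sealed payload; anything the hops need to route or log must travel outside it and is not covered.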