Home Tags Data In Motion

Tag: Data In Motion

Data in transit is defined into two categories, information that flows over the public or untrusted network such as the internet and data which flows in the confines of a private network such as a corporate or enterprise Local Area Network (LAN).

Data in transit is also referred to as data in motion.

The security vendor aims to embed security as part of an application by way of an integrated software development kit. Virgil Security announced on Oct. 12 that it has raised $4 million in a Series A round of funding.

The new funding, which was led by KEC Ventures and included the participation of Bloomberg Beta, Blu Venture Investors, Charge Ventures, NextGen Venture Partners, Sparkland Capital and Working Lab Capital, will be used to help the company grow its sales, marketing and go-to-market efforts.Virgil Security got its start in August 2014 and was part of the Mach 37 cyber accelerator program that helps startups build a business."What we do is we turn every software developer into an applied cryptologist," Dmitry Dain, CTO and founder of Virgil Security, told eWEEK. "Most developers simply don't know how to protect their applications, so we created a set of SDKs and APIs in the cloud that allows any software developer to protect applications."What Virgil Security does not provide is Transport Layer Security (TLS) for data in motion.

Dain said the company provides end-to-end application layer encryption. "Our system doesn't care what transport a developer uses," Dain said. "A developer can choose to use TLS or they can use insecure transport; it doesn't matter as everything is encrypted at the application layer." Virgil Security provides encryption for data at rest that is deployed in the cloud, he said. A common attack vector for hackers today is to intercept non-TLS transported data in a man-in-the-middle attack that can then replace data or potentially inject malicious code into an application. According to Dain, Virgil Security users are still protected thanks to the use of the Elliptic Curve Integrated Encryption Scheme (ECIES) algorithm, which includes data verification."Many IoT devices do not use secure transport," he said. "So we enable developers not to worry about which particular data transport method is being used as we encrypt at the application layer."The way Virgil Security works is a software library is compiled into an application.
Software development kits (SDKs) are provided for high-level programming languages, including Python, Java, C, .NET and Go.

To enable a DevOps workflow, Virgil Security integrates with the open-source Jenkins continuous development/continuous integration (CI/CD) platform.The core software libraries for Virgil Security are available as open-source downloads on GitHub. On top of the core libraries is the Virgil Key Service, which provides a cloud-based crypto key management service that has commercial support options available."The libraries are open-source, and users can just take the GitHub code and never actually need to talk to us at all," Michael W. Wellman, CEO and co-founder of Virgil Security, told eWEEK.Virgil Security is looking at moving beyond just data encryption and data verification to providing a full suite of security APIs.

Additionally, Dain said there will be more work done on making it easier for developers to easily build secured applications."We don't consider ourselves to be a pure cyber-security company; we're more of a developer tools company," Dain said. "We're not preventing malware; we're purely doing application security."Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.
The latest release of the open-source container orchestration technology adds new security features, including TLS bootstrap. The open-source Kubernetes 1.4 release, which debuted Sept. 26, provides users with a host of enhanced security capabilities for container deployment and orchestration.Kubernetes originated at Google and is now part of the Cloud Native Computing Foundation, benefiting from the contributions of multiple vendors.Among the new features in Kubernetes 1.4 is TLS bootstrap, which is designed to improve the use of encryption for data in motion across a cluster.

TLS (Transport Layer Security) is widely used on the internet today for encryption."The TLS bootstrapping work done in Kubernetes 1.4 is a step toward automating the addition of new hosts to the Kubernetes cluster," Clayton Coleman, Red Hat's lead architect for OpenShift, explained to eWEEK. OpenShift is Red Hat's platform as a service (PaaS) and is based on Docker containers and Kubernetes.

Coleman noted that Kubernetes 1.4 is already available in the OpenShift Origin upstream project. Later this fall, Red Hat's commercially supported OpenShift Container Platform 3.4 will be updated with Kubernetes 1.4. OpenShift Container Platform 3.3, based on Kubernetes 1.3, was released on Sept. 22. CoreOS is also a leading contributor to Kubernetes and builds a commercially supported distribution of Kubernetes called Tectonic.

Brandon Philips, CTO of CoreOS, explained that prior to Kubernetes 1.4, the communication channel between the kubelet (a core building block of Kubernetes and the primary node agent that runs on each node) and the API server was only secured in one direction without manual configuration. "This change [TLS bootstrap] allows kubelets to request cryptographic assets [certificates] that identify them as approved members of the cluster when talking to the API server," Philips told eWEEK. "This sets the stage for a variety of security features based on strong kubelet identity."Going forward, CoreOS hopes to expand the TLS bootstrap feature to allow other components of Kubernetes to request certificates, Philips said.Another new capability in Kubernetes 1.4 is the image policy webhook that can help make sure malicious container images don't run on a cluster."An Admission Controller is configured with an Image Policy webhook that will contact a back-end service for verifying images," Philips said. "The back-end service needs to only understand how to respond to a request from an admission controller, which allows for a variety of possible back-end services."hilips noted that one example could be a service collocated with CoreOS' Quay container image repository, which approves or rejects scheduling requests for containers based on the results of a Quay Security Scanner analysis. He added that today that system can notify users of potential issues via email, Slack or webhook but with this addition to Kubernetes a user will, in the future, be able to block known vulnerable images from ever running.Work is also ongoing in Kubernetes with a Pod Security Policy, which Coleman said is the upstream Kubernetes equivalent of the Security Context Constraints that originally shipped with OpenShift v3.0 in June 2015."Pod Security Policy (and Security Context Constraints) provides a set of rules that match a user or group to allow security options on the pods they create—to limit users from running pods/containers that may not be secure," Coleman said.Pod Security Policy is currently off by default in Kubernetes, he said.

The current plan from Red Hat is to move the security policies that OpenShift provides out of the box, which range from restrictive to fully permissive, into Kubernetes in either the 1.5 or 1.6 releases.Looking forward for Philips, one of the major efforts for CoreOS is helping to make rkt a first-class container runtime for Kubernetes. Rkt is a container runtime effort led by CoreOS that got started in December 2014."Our goal as community stewards for Kubernetes is to allow broad participation in the project while ensuring a healthy technical foundation for innovation," Philips said.The top areas of improvement for the Kubernetes 1.5 release, according to Coleman, will include maturing the storage capabilities in Kubernetes with dynamic volume provisioning across a wide range of cloud providers and storage systems.
In addition, there is a focus on continuing tomake performance and scale improvements to enable larger clusters.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.
CloudFlare aims to jump-start adoption of the next generation of internet encryption by supporting a draft standard. The Transport Layer Security 1.3 specification is not yet a finalized Internet Engineering Task Force (IETF) official standard, but that's not stopping content delivery network provider CloudFlare from implementing it.

CloudFlare announced on Sept. 20 that it is now supporting several advanced encryption technologies on its platform, including TLS 1.3, Opportunistic Encryption and HTTPS Rewrites.TLS 1.3 is the latest incarnation of the standard for encrypting data in motion across the internet that originally was known as Secure Sockets Layer (SSL).

Following SSL 3.0, which is no longer considered to be safe, TLS became its successor in 1999 with the TLS 1.0 specification.

The most recent formal version of TLS is the 1.2 specification that was defined in 2008."CloudFlare supports the latest draft of the TLS 1.3 specification, which is very close to the final version of the protocol," Nick Sullivan, head of cryptography at CloudFlare, told eWEEK. "We expect this draft to be standardized soon."Both the Mozilla Firefox and Google Chrome web browsers support the latest draft of TLS 1.3 as well. Sullivan noted that anyone using Firefox or Chrome with TLS 1.3 will automatically connect to CloudFlare sites with TLS 1.3. "With about 4 million CloudFlare customers today, this will encourage browser vendors to enable TLS 1.3, and we hope that this is a call for action to make that happen," he said. Among the promises of TLS 1.3 is that it can enable encrypted traffic to be as fast as nonencrypted traffic. Historically, one of the most cited reasons why organizations have not deployed SSL/TLS is because of the performance impact that it has on traffic."TLS 1.3 decreases connection time compared to previous versions of TLS, which has remained the same since the beginning of SSL," Sullivan said.In addition, TLS 1.3 builds on top of the next-generation HTTP/2 web standard for even faster page loads.

The HTTP/2 standard was declared by the IETF to be final on Feb. 18, 2015, providing improved web traffic prioritization, control and security capabilities.
Sullivan added that encrypted sites are already faster than unencrypted sites today as a result of CloudFlare's launching support for HTTP/2 back in 2015.While support for TLS 1.3 is helpful for encouraging the use of encryption, CloudFlare is also taking additional measures, including support for HTTPS Rewrites and Opportunistic Encryption.
Sullivan said the HTTPS Rewrite technology was developed by CloudFlare security experts in collaboration with technologists from the Electronic Frontier Foundation (EFF) who manage the HTTPS Everywhere project."The main difference between the two is that with HTTPS Rewrites we rewrite links on your page, and with Opportunistic Encryption we tell the browser that the site is available over an encrypted connection via an HTTP header," Sullivan explained. "Rewriting links helps fix mixed content on all browsers, while Opportunistic Encryption only works with Firefox."The reason why HTTPS Rewrites and Opportunistic Encryption are needed is because many websites will still mix non-HTTPS content, including images, links and videos, with HTTPS pages.
Sullivan said that CloudFlare's Automatic HTTPS Rewrites solves the problem of mixed content errors, which occur when content is loaded using unencrypted HTTP on an HTTPS site."These errors result in a warning message or the removal of the green lock icon in the address bar," Sullivan said. "With Automatic HTTPS Rewrites, images or content that use HTTP will automatically be secured using HTTPS whenever possible."Overall, CloudFlare is working to make encryption as simple and as accessible as possible, he said."We believe online services should be available using encryption, and that encryption should be enabled by default," Sullivan said. "These three features make it easier and more appealing than ever for customers to make encryption their default. However, the choice is ultimately up to our customers.

That's why we created these features—to make the decision to encrypt a no-brainer."Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.
The cloud data security issue usually gets lost in the general discussion on cloud security.

But there are key differences around securing cloud data that you should understand. Many enterprises believe that if they have cloud security covered generall...