To date, most container security efforts have focused on the isolation of individual containers from one another and through other access control approaches. Now, one data security firm is proposing an entirely new approach.
Thales e-Security Inc. recently added an encryption scheme to its Vormetric Data Security Platform that extends the platform’s data-at-rest encryption and access controls to Docker containers. Thales’ new encryption package is designed to achieve three things.
First, the main idea is to secure Docker containers themselves. In addition, the package is meant to ease the deployment of distributed applications and also reduce IT infrastructure downtime, the company said. Thales’ Vormetric platform also offers the ability to encrypt and re-key containerized data without taking applications that use it offline.
Thales’ complete package includes a pair of extensions for Docker, a data security appliance and a database encryption tool. The first extension is aimed at reducing downtime: it enables both initial encryption and re-keying of data (re-keying, the process of creating a new session key, normally requires downtime) while the data is in use. The extension, which is still a pilot project, is generally available now.
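To make the "re-key while the data is in use" idea concrete, the following is an added, illustrative example and not Thales’ or Vormetric’s code. It sketches the general pattern behind live re-keying: data is stored in chunks, each chunk is tagged with the version of the key that encrypted it, a background job re-encrypts one chunk at a time under the new key, and readers keep working throughout because they look up whichever key version a chunk carries. The cipher here (an HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC) is a constructed stand-in chosen so the script runs with the standard library alone; the chunk size, the `EncryptedStore` class and the sample record bytes are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CHUNK_SIZE = 16  # deliberately small so the rotation takes several steps (assumed value)
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """PRF-in-counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_chunk(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Fresh nonce per chunk."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_chunk(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key -> ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("chunk authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class EncryptedStore:
    """Chunked ciphertext where every chunk records the key version that protects it."""
    keyring: Dict[int, bytes]
    current_version: int
    chunks: List[Tuple[int, bytes]] = field(default_factory=list)  # (key_version, blob)

    @classmethod
    def create(cls, plaintext: bytes, key: bytes) -> "EncryptedStore":
        store = cls(keyring={1: key}, current_version=1)
        for i in range(0, len(plaintext), CHUNK_SIZE):
            store.chunks.append((1, encrypt_chunk(key, plaintext[i:i + CHUNK_SIZE])))
        return store

    def read(self) -> bytes:
        # Readable at every moment of a rotation: each chunk names the key it needs.
        return b"".join(decrypt_chunk(self.keyring[v], blob) for v, blob in self.chunks)

    def begin_rekey(self, new_key: bytes) -> None:
        # Publish the new key first; nothing is re-encrypted yet.
        self.current_version += 1
        self.keyring[self.current_version] = new_key

    def rekey_step(self) -> bool:
        """Re-encrypt one chunk still under an old version. Returns False when finished."""
        for idx, (v, blob) in enumerate(self.chunks):
            if v != self.current_version:
                pt = decrypt_chunk(self.keyring[v], blob)
                self.chunks[idx] = (self.current_version,
                                    encrypt_chunk(self.keyring[self.current_version], pt))
                return True
        return False

    def versions_in_use(self) -> List[int]:
        return sorted({v for v, _ in self.chunks})

    def retire_old_keys(self) -> None:
        # An old key may only be destroyed once no chunk references it.
        in_use = set(self.versions_in_use())
        for v in list(self.keyring):
            if v != self.current_version and v not in in_use:
                del self.keyring[v]


def demo() -> Tuple[EncryptedStore, bytes, bool]:
    """Rotate keys while interleaving reads; returns (store, original data, all reads ok)."""
    data = b"customer record 0001|customer record 0002|customer record 0003"  # constructed
    store = EncryptedStore.create(data, os.urandom(32))
    store.begin_rekey(os.urandom(32))
    reads_ok = []
    while store.rekey_step():
        reads_ok.append(store.read() == data)  # a reader runs between every rotation step
    store.retire_old_keys()
    return store, data, all(reads_ok)


if __name__ == "__main__":
    store, data, ok = demo()
    print("reads consistent during rotation:", ok)
    print("key versions still referenced:", store.versions_in_use())
```

The point to take from the example is structural rather than cryptographic: the metadata that ties each chunk to a key version is what lets rotation proceed in the background, and the same metadata tells you when an old key is safe to retire. A real platform would additionally have to fence concurrent writers during the per-chunk swap.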
“IT system downtime is costly for any business, even when it is planned,” said Bob Tarzey of Quocirca, a U.K.-based business and IT advisory firm. “The financial consequences of IT disruptions arise from lost sales and productivity. In addition, consequent reputational damage can have a longer-term knock-on effect.”
He said downtime can be caused not just by a system outage but also by data processing, which includes encryption. “The idea behind Vormetric’s Live Data Transformation is to solve this problem, even for large databases with high transaction volumes,” he said. “Any organization that needs to ensure both constant data security and availability should take a look at such technology.”
The second extension delivers Thales’ encryption platform to Docker containers. It functions at the operating system level, and provides data access controls and logging capabilities. What this means is that containers can be deployed securely without altering applications, the company said.
The data security appliance enables the remote management of data security and policy controls, without a visit to the data center itself. Finally, Thales’ database encryption tool, which it calls a “batch data transformation” tool, is designed to perform the initial encryption of sensitive data that is protected by Thales’ own application encryption and token key tools. The tool also supports data masking, in which the original data is shielded by substituting random characters and data for it.
Thales reckons that its new encryption package can help to reduce the complexity that comes with rolling out new encryption schemes for protecting sensitive data. The company cited a recent study on threat data that it commissioned, which found that deployment complexity was one of the top reasons that enterprises refrain from deploying data security tools.
Thales said its full container encryption package will be available in the first quarter of 2017.