Security has become top of mind for CIOs and CEOs. Encryption at rest is a piece of the solution, but not a big piece. Encryption over the network is another piece, but only a small piece. These and other pieces do not fit together well: data must be decrypted and re-encrypted as it moves through the layers, leaving cleartext copies between them that make intrusion monitoring and detection operationally complex.
Larger-scale, high-value applications requiring high security often use Oracle middleware, including Java and Oracle Database. Traditional security models hand the data to the processors to encrypt and decrypt, often many times. The overhead is large, and as a result encryption is used sparingly, on only a few applications. The risk to enterprises is that they may have created an illusion of security, which in reality is ripe for exploitation.
The modern best-practice security model is an end-to-end encryption architecture. The application deploys application-led encryption services in main memory. These services allow end-to-end encryption throughout the stack, from database to middleware (e.g., Java), locally and across networks, and across private and hybrid clouds. Oracle and others offer such solutions.
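As an added illustration of the application-led model described above (example code written for this page, not Oracle's or any product's own code): the application encrypts a record with AES-GCM while it is still in its own memory, so the middleware, network and database tiers below it only ever handle ciphertext, and it decrypts only once the record is back in the application tier. The key source, record id, sample value and the in-memory map standing in for the database are constructed assumptions.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Constructed demo: the application encrypts a record in memory before handing it
 *  to any lower layer, so middleware, network and database only see ciphertext. */
public class AppLedEncryptionDemo {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for the middleware/network/database tiers: they store and forward opaque bytes. */
    static final Map<String, String> DATABASE = new HashMap<>();

    /** Hypothetical key source. In a real deployment the key comes from a key-management
     *  service held by the application tier, never from the database tier. */
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** Encrypts in the application's memory. The record id is bound as associated data so a
     *  ciphertext cannot be silently moved to another row. Output layout: iv || ciphertext+tag. */
    static byte[] seal(SecretKey key, String recordId, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                       // fresh nonce per encryption, never reused with a key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(recordId.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Decrypts only back in the application tier; throws AEADBadTagException if the bytes
     *  were altered in any lower layer or belong to a different record id. */
    static byte[] open(SecretKey key, String recordId, byte[] sealed) throws Exception {
        byte[] iv = Arrays.copyOfRange(sealed, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(sealed, GCM_IV_BYTES, sealed.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(recordId.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        String id = "ACCT-0001";                                              // constructed record id
        byte[] pii = "SSN=123-45-6789".getBytes(StandardCharsets.UTF_8);      // constructed sample value

        // Write path: plaintext exists only in this method's memory; the stored form is opaque.
        DATABASE.put(id, Base64.getEncoder().encodeToString(seal(key, id, pii)));
        System.out.println("stored (opaque to DB/network): " + DATABASE.get(id));

        // Read path: the ciphertext travels back up the stack and is decrypted in the application.
        byte[] back = open(key, id, Base64.getDecoder().decode(DATABASE.get(id)));
        System.out.println("application sees: " + new String(back, StandardCharsets.UTF_8));

        // Integrity check: a byte flipped anywhere below the application is rejected, not decrypted.
        byte[] tampered = Base64.getDecoder().decode(DATABASE.get(id));
        tampered[tampered.length - 1] ^= 0x01;
        try {
            open(key, id, tampered);
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: ciphertext rejected");
        }

        // Binding check: the same ciphertext presented under another record id is also rejected.
        try {
            open(key, "ACCT-0002", Base64.getDecoder().decode(DATABASE.get(id)));
        } catch (AEADBadTagException e) {
            System.out.println("record-id mismatch detected: ciphertext rejected");
        }
    }
}
```

The design point is that no tier below the application ever holds a decryption key, so there is no cleartext copy to monitor at the middleware, network or storage layer; the authentication tag also turns silent modification in transit into a detectable, logged failure. Modern JDKs dispatch AES/GCM to hardware AES instructions where the processor provides them, which is the kind of inline processor support the research premise below refers to.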
The practical problems of implementing an end-to-end encryption solution are three-fold:
- Traditional processor-based solutions add compute and license cost of at least 100%.
- To be effective, the end-to-end solution should be applied to the application ecosystem, which again impacts downstream costs and performance.
- The implementations will almost certainly introduce increased response time and latency variance for applications that were not designed or coded for an end-to-end encryption environment; this makes application users far less productive, leading to serious business impacts.
The solution premise is to reduce the effective impact of encryption on utilization and response time to as close to zero as possible. This allows encryption to be integrated throughout the infrastructure stack, never allowing the data to be in the clear anywhere across the application, network and data ecosystem.
The premise of this research is that technical solutions for implementing end-to-end, always-on encryption are available from Oracle and others. These solutions use advanced processor techniques designed specifically to process encryption and encrypted data inline, in real time. This research investigates whether it is practical to use these technologies for high-value Oracle software workloads requiring high levels of security, by deploying an integrated end-to-end encryption solution.