The U.S. Department of Defense (DoD), like many federal government agencies, has a complicated answer to securing...
data in motion -- that's to create multiple segregated networks, each to serve its own agency or specific group of users. For the DoD, that means three different networks for three security levels: top secret, secret and unclassified. It's not cost efficient, but it is secure.
Unisys, a systems integrator, set out to build a strategy for the DoD and other government agencies to secure and isolate multiple sets of data on the same network, making each set accessible only to its designated user group. The company's answer is Unisys Stealth Solution, a combination of VPN, encryption and data-parsing technology that creates virtual network segments. Stealth not only encrypts data but mangles it and makes it unrecognizable as it travels the network.
"We were looking for ways to get that type of isolation but using shared networks," said Scott Sanchez, Unisys' security portfolio director. "Think of this as a VLAN-type technology that can spread over facilities, countries or continents."
Now Unisys hopes to sell the solution into public cloud providers and large enterprises building their own internal or hybrid clouds, or companies that simply have need for isolated data sets on an integrated network. But Unisys may not have an easy time convincing network security experts to trust in a new algorithm – or that they shouldn't address their problems with existing VPN and firewall technology.
How Unisys Stealth Solution works
Stealth includes hardware appliances and client-side software. The appliances place proprietary headers on TCP/IP packets, encrypt them and then slice the data as it traverses the network. Once the data is parsed, it is reassembled only when accessed by a user or device with the correct key. Those users and devices are broken into communities of interest that share the same workgroup key. Unisys' data parsing and authentication technique is implemented between the data link and network layer of the OSI stack.
The Joint Intelligence Laboratory (JIL) of U.S. Joint Forces Command (USJFCOM) is currently in the process of testing Stealth.
"[Our] analysts and technicians recently completed the first phase of the proof of concept and assessment activity [on Cryptographic Bit-Splitting Technology/CBST]. The results, performed in a totally self-contained, closed network, provided sufficient evidence to continue to the next phase -- a wide area network configuration somewhat more representative of the operational concept," said Vincent A. Murdock, task monitor, CBST for U.S. Joint Forces Command. Murdock didn't comment on whether the team had come across significant challenges in testing.
Unisys Stealth Solution: Using information dispersal algorithm
The Unisys Stealth Solution is not alone in using data parsing, which is one form of a network security technology called Information Dispersal Algorithms (IDAs), Wikibon Project partner and analyst Michael Versace said.
"Stealth is a form of IDA -- or the ability to disperse data in a very secure way across a number of nodes so that if you compromise one node, you won't compromise any data," Versace said. "We're hearing there are a lot of people looking at IDAs as a replacement or an alternative to traditional data encryption."
Using information dispersal algorithm for storage and the cloud
Unisys hopes to sell Stealth as a cloud network security play because it can protect data and applications in a shared environment and among storage arrays, the data center and users.
In the cloud scenario, Unisys places a Stealth appliance in between the storage array and data center servers, as well as appliances in front of each physical server facing out to the router and the Internet. That aims to encrypt and disperse data along the flow from storage to user.
"The storage [array] thinks it's talking to the server, but it's talking to Stealth; and the server thinks it's talking to storage, but it's talking to Stealth," Sanchez said. "Even developers would have no idea Stealth is sitting in the middle."
Unisys hopes that Stealth can offer the kind of security and segmentation or data isolation in the cloud that will convince customers to move more sensitive applications into public hosting environments.
"Amazon [cloud] is a collection of VPNs and firewalls all put together to approximate isolation … and that can only happen in one data center. With Stealth, they can be commonly isolated no matter where they sit in the world," Sanchez said.
With that kind of security, banks that move marketing applications to the cloud but shy away from hosting sensitive reporting apps will be more likely to take the leap of faith, he added.
Data parsing: Potential drawbacks
While many agree that there is promise for combined data parsing and VPN, pitfalls abound.
For one, in the security world, even a technology with great promise will be met with heavy skepticism -- and that's certainly the case for IDAs. What's more, security teams may not take well to the proprietary nature of IDAs.
"Security people feel that the best security is open security. When encryption took over, the algorithms were completely open," Versace said. "That's not the case with these IDAs."
Unisys is also asking customers to buy into a set of custom hardware as well as software, which will be a costly up-front investment and will require long-term overhead for management. Stealth is not available as an enhancement to existing VPN offerings.
Unisys didn't release a full set of pricing for the Stealth Solution, which could vary according to the number of Stealth network tunnels required. Combination software/hardware pricing starts at $17,350. Unisys also hopes to sell the product with a set of services for which the company did not list pricing.
There is also a potential issue with latency since Stealth adds another barrier for data packets to pass through. Users will have to run extensive latency testing on the Stealth Solution. It is also questionable whether Stealth is compatible with WAN acceleration solutions that are used to improve latency for sensitive applications.