Network encryptors: essential for the protection of sensitive customer data

FLYNT bank uses network encryptors and a cluster of Securosys Primus HSMs for its IT security. The company is protecting highly sensitive customer data. In his keynote speech at Securosys' Centurion Network Encryptor Launch, Stefan Thiel detailed the security requirements for FLYNT’s IT security architecture. He also presented how he had evaluated the network encryptor.

IT security is a top technology concern for the newly established FLYNT bank. Flynt offers the possibility to aggregate data from different kind of assets within its platform: from real estate to banking assets held at different banks,  from works of art to movable objects, such as airplanes or yachts. Therefore, the data of FLYNT’s customers are classified as highly sensitive. In addition, FLYNT has to comply with regulatory requirements for data protection and privacy like any other bank.

Stefan Thiel
FLYNT’s enterprise architect Stefan Thiel during his keynote speech about the company’s IT architecture.

Two basic security requirements can be derived from this:

  • Protection of sensitive data from unauthorized access and manipulation
  • Operational protection, i.e. protection against intruders and ensuring the availability of online services

Some examples of appropriate security measures at FLYNT:

  • Separate encryption of persistent data for each business entity in order to protect and separate stored data; FLYNT uses a cluster of Securosys Primus HSM for key management and encryption
  • Limitation of access to network, data and applications by means of specific authentication and authorization systems
  • A ready-to-use backup office location, this ensures the seamless continuity of operations in the event of a failure in one of the office locations
  • High availability data centers; two redundant data centers are linked redundantly in order to attain maximum availability of essential resources. Many services (such as storage, HSMs, VMotion, carp, VEEAM, Netscaler, Active Directory, Cassandra cluster and Akka cluster) synchronize with network encryptors. Therefore, the protection requirements for these links are particularly high.
  • Cluster or HA mode (1+1) für the most important hardware components. This applies particularly to network encryptors and the HSMs.
Schema für den Einsatz eines Netzwerkverschlüsslers
The diagram shows how FLYNT is deploying its network encryptors.

Requirements for the protection of data-center links

FLYNT provides the following requirements for the protection of data-center links:

  • Network compatibility allowing to extend to other data centers and office locations in the future; therefore, the solution should support fiber, carrier Ethernet, MPLS and IP
  • Cost effectiveness in regard to long lifecycles and usage time, as well as multi-purpose capabilities (point-to-point or multipoint, various network technologies); for this reason, FLINT opted for FPGA technology instead of an ASIC-based solution
  • Performance that does not reduce the actual bandwidth of the links (line rate forwarding and encryption); negligible latency which does not affect the communication of latency-sensitive systems (e.g., mirrored storage systems)
  • Maximum security level on the device, management, control and data plane; in addition, secure keys and secure key exchange. 
  • Maintain local logs for compliance reasons; allow for secure integration into the monitoring infrastructure
  • No additional peripheral systems, which would generate further maintenance and safety cost

Hard-to-compare network encryptors

“The evaluation of suitable devices proved to be a nightmare,” confessed Stefan Thiel. During an online search one can find a lot of information about network encryptors. However, it is very difficult and time-consuming to compare technical data. FLYNT used a market overview of encryptors and hired its author as a consultant.
The chosen solution has been in operation for two months now. „We are very satisfied,“ says Thiel. „With this technology, we are able to ensure a security level that fully meets the trust of our clients.“

This text is based on a keynote speech of FLYNT’s enterprise Architect Stefan Thiel during the launch of Securosys’ network encryptor Centurion on August 22, 2017.

Another use case of Centurion (network encryptor for VPN)