Bulletproof Network Security – Government Grade

Governmental computer systems are among some of the most security sensitive, and for European governments with communications crossing many national borders, security requirements couldn’t be higher.

The Romanian Ministry of Foreign Affairs (MoFA), the institution of central public administration which implements Romania’s foreign policy, required a turnkey security solution for protecting data in transit across its distributed infrastructure, as well as a flexible data communications protection solution that could adjust to future changes in the network.

In order to support its integration into the European Schengen Area, MoFA had been in the process of installing a complicated set of systems and secured data network communications, both for dealing with sensitive documents as well as protecting its distributed communications infrastructure.

To secure this complex environment, MoFA mandated a turnkey, end-to-end security solution, including the national Layer 2 core network infrastructure as well as the external Layer 3 network. It also required a centralized system for managing the lifecycle of cryptographic keys.

Most of the vendors MoFA requested proposals from could only meet a few of its requirements. The only vendor that offered a single platform with the ability to adjust to the future changes that the ministry was considering was Certes Networks.

Checking all the Boxes: Certes Networks CryptoFlow

In fact, Certes Networks’ CryptoFlow Net solution offered all of the capabilities and flexibility MoFA required for this deployment. A CryptoFlow is a secure virtual overlay for each application, protecting each application with strong encryption, with its own security profile and keys. It extends to wherever the application resides in either physical or virtual data centers or private or public clouds – wherever users want access, across any network, to any of their chosen devices.

Certes designed this turnkey data communications security solution for flexible and phased deployment. It allowed redundant encrypted communication lines for each ministry office. In addition, Certes CryptoFlow provided central management of MoFA’s cryptographic keys as well as its security policies.

Installation of the Certes Networks Net software was itself a highly secure undertaking. Due to ministry regulations, the only personnel allowed to perform the installation were accredited, skilled personnel. To support this elite team of experts, Certes generated a report for ministry auditors proving that MoFA’s data were secure – a process that required Certes to be able to resolve operational issues in real time to the stringent standard the auditors demanded.

Furthermore, installing this communications security solution couldn’t disrupt the existing network infrastructure, in spite of the architectural changes necessary to transition the network to CryptoFlow. The solution also had to maintain the performance of high availability applications running on the network.

Furthermore, MoFA required that all data security administration tools be easy to use and entirely separate from existing networking administration tools, allowing the separation of duties across its networking and security teams – an important security measure for limiting the risk of an insider attack.

The ministry also expected Certes Networks to support AES 256-bit encryption at OSI Layers 2 (physical address), 3 (IP), and 4 (TCP). The Layer 4 encryption in particular was especially useful, as it permitted real-time troubleshooting of MoFA’s traffic data flows across the network whenever there was a networking issue or a new site roll-out.
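The troubleshooting point above comes down to which headers the encryption boundary leaves readable: Layer 2 encryption hides the IP and TCP headers, Layer 3 hides the TCP header, and Layer 4 hides only the payload, so addresses and ports stay visible to the network team. The Go program below is an added illustration of that trade-off, not Certes code and not a description of how CryptoFlow frames are actually formatted: it builds a constructed Ethernet/IPv4/TCP frame, encrypts it with AES-256-GCM from each of the three boundaries, binds the clear headers to the ciphertext as associated data so they cannot be altered undetected, and reports what remains readable without the key. The frame layout, the nonce-after-headers output format and the sample MACs, addresses and ports are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
)

// Header lengths of the constructed sample frame (no VLAN tag, no options).
const (
	ethLen = 14
	ipLen  = 20
	tcpLen = 20
)

// Layer selects where in the frame the encrypted region starts.
type Layer int

const (
	Layer2 Layer = 2 // after the Ethernet header: IP and TCP headers hidden
	Layer3 Layer = 3 // after the IP header: TCP header hidden
	Layer4 Layer = 4 // after the TCP header: only the payload hidden
)

// clearLen returns how many leading bytes stay unencrypted at layer l.
func clearLen(l Layer) (int, error) {
	switch l {
	case Layer2:
		return ethLen, nil
	case Layer3:
		return ethLen + ipLen, nil
	case Layer4:
		return ethLen + ipLen + tcpLen, nil
	}
	return 0, fmt.Errorf("unsupported layer %d", l)
}

// SampleFrame builds a constructed Ethernet/IPv4/TCP frame around payload
// (checksums are left zero; they are irrelevant to the encryption boundary).
func SampleFrame(payload []byte) []byte {
	f := make([]byte, ethLen+ipLen+tcpLen+len(payload))
	copy(f[0:6], []byte{0x02, 0, 0, 0, 0, 0x01})  // dst MAC (constructed)
	copy(f[6:12], []byte{0x02, 0, 0, 0, 0, 0x02}) // src MAC (constructed)
	binary.BigEndian.PutUint16(f[12:14], 0x0800)  // EtherType IPv4
	ip := f[ethLen:]
	ip[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(ip[2:4], uint16(ipLen+tcpLen+len(payload)))
	ip[8], ip[9] = 64, 6                 // TTL, protocol TCP
	copy(ip[12:16], []byte{10, 0, 0, 1}) // src IP (RFC 1918, constructed)
	copy(ip[16:20], []byte{10, 0, 0, 2}) // dst IP (constructed)
	tcp := f[ethLen+ipLen:]
	binary.BigEndian.PutUint16(tcp[0:2], 40000) // src port (constructed)
	binary.BigEndian.PutUint16(tcp[2:4], 443)   // dst port (constructed)
	tcp[12], tcp[13] = 0x50, 0x18               // data offset 5 words, PSH|ACK
	copy(f[ethLen+ipLen+tcpLen:], payload)
	return f
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAt encrypts frame from the layer-l boundary onward with AES-256-GCM.
// The headers left in the clear are authenticated as associated data, so any
// change to them is detected by DecryptAt. Assumed output layout:
// clear headers || 12-byte nonce || ciphertext+tag.
func EncryptAt(key, frame []byte, l Layer) ([]byte, error) {
	clear, err := clearLen(l)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, frame[:clear]...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, frame[clear:], frame[:clear]), nil
}

// DecryptAt reverses EncryptAt and returns the original frame, or an error
// if the ciphertext or the clear headers were tampered with.
func DecryptAt(key, enc []byte, l Layer) ([]byte, error) {
	clear, err := clearLen(l)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(enc) < clear+ns {
		return nil, fmt.Errorf("frame too short")
	}
	pt, err := gcm.Open(nil, enc[clear:clear+ns], enc[clear+ns:], enc[:clear])
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, enc[:clear]...), pt...), nil
}

// VisibleAddressing reports what a troubleshooter can read without the key:
// MACs at every layer, IPs from Layer 3 upward, TCP ports only at Layer 4.
func VisibleAddressing(enc []byte, l Layer) string {
	s := fmt.Sprintf("mac %s->%s", net.HardwareAddr(enc[6:12]), net.HardwareAddr(enc[0:6]))
	if l >= Layer3 {
		ip := enc[ethLen:]
		s += fmt.Sprintf(" ip %s->%s", net.IP(ip[12:16]), net.IP(ip[16:20]))
	}
	if l >= Layer4 {
		tcp := enc[ethLen+ipLen:]
		s += fmt.Sprintf(" tcp %d->%d", binary.BigEndian.Uint16(tcp[0:2]), binary.BigEndian.Uint16(tcp[2:4]))
	}
	return s
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	frame := SampleFrame([]byte("GET / HTTP/1.1"))
	for _, l := range []Layer{Layer2, Layer3, Layer4} {
		enc, _ := EncryptAt(key, frame, l)
		fmt.Printf("layer %d: %s\n", l, VisibleAddressing(enc, l))
	}
}
```

Running it prints one line per boundary, and the Layer 4 line is the only one that still shows IP addresses and ports, which is exactly the information an operator needs for flow-level troubleshooting; the payload itself is never visible at any layer. The design caveat is that whatever stays in the clear is also what an observer on the path can see, so the choice of boundary is a trade between operational visibility and traffic-analysis exposure.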

Further Progress at the Ministry

Since MoFA awarded this project in 2010, communications and security systems have been fully operational in all of the ministry’s offices – but over time the ministry required additional network scaling, increased throughput, and the ability to secure mobile device endpoints.

Their first stop? Certes Networks, of course. MoFA now has almost 400 active Certes enforcement appliances running in its network, providing throughput speeds up to 10 Gbps. But now it needed more.

To address these additional requirements, MoFA is deploying the Certes CryptoFlow App solution to provide for mobile endpoint security. CryptoFlow App augments CryptoFlow Net’s core value proposition with the ability to offer application-aware and user-aware segmentation of applications on both virtual and physical networks – including networks with mobile endpoints.

CryptoFlow App delivers end-to-end protection based on role-based access controls, enabling the ministry to use their existing identity and access management services in conjunction with per-user and per-application policy enforcement for each mobile endpoint.

MoFA also installed Certes Networks’ CryptoFlow Creator management systems. This tool offers hardware security module (HSM) cards and Custom Base Key Encryption features, which give the ministry a customized encryption setup. As a result, it now has a higher level of confidence that its encryption keys cannot be compromised and data communications are fully protected in all instances.

The Intellyx Take

Protecting governmental communications is mission critical, especially when those communications cross borders and traverse a range of networking technologies.

To address such challenges, Certes Networks’ CryptoFlows also provide a single point of control for end-to-end protection of sensitive applications. Via this crypto-segmentation, CryptoFlows isolate and protect sensitive applications from the application server to users’ end-point devices, regardless of their location. Furthermore, CryptoFlows auto-generate session keys and protect them from any user, even one with administrative privileges.

Certes’ CryptoFlows effectively compartmentalize MoFA’s complex, distributed environment. As a result, crypto-segmentation dramatically reduces its attack surfaces, making the attacker’s job substantially more difficult.

By leveraging encryption to raise segmentation from the infrastructure to the business layer and granting access to crypto-segments based on user roles, Certes Networks has implemented an effective, business-driven approach to addressing MoFA’s security challenges.

Copyright © Intellyx LLC and Certes Networks. Certes Networks is an Intellyx client. Intellyx retains full editorial control over the content of this paper. Image credit: fusion-of-horizons.
