Contributed by Ixia, a Keysight Business
Written by Lora O’Haver, Keysight

By necessity, financial institutions have approached public cloud with caution. Failure to comply with data privacy and compliance regulations can lead to serious economic consequences, not to mention loss of customer trust.

Fortunately, the experience of early cloud adopters has revealed key practices for limiting risk. While public cloud providers offer useful services to enhance security, it is important for cloud adopters to implement packet-based traffic monitoring to identify suspicious behavior or unsafe conditions. Here are five tips for achieving security in the cloud.

#1 | Get access to the traffic that passes through cloud infrastructure
Security solutions inspect and analyze the traffic entering or leaving an institution’s network to identify threats from malicious sources or traffic that violates security policies. Increasingly, solutions also apply correlation analysis, anomaly detection, and machine learning to achieve faster results. Network packets are the key requirement for effective security monitoring. Public cloud providers, however, do not typically supply network packets to their clients. Therefore, to protect data and applications, financial institutions must find a way to access network packets in their clouds.

A ‘cloud visibility platform’ solves this problem by automatically embedding an agent-based sensor inside every public cloud instance you deploy. With the full cooperation of the cloud provider, the sensor makes copies of every network packet moving in your clouds. You manage the collection, filtering, and delivery of packet data remotely, and the visibility platform encrypts every packet and transmits it over a secure virtual private network (VPN). For security purposes, the sensor cannot accept incoming connection requests. With complete access to all network traffic, your security monitoring solutions have the data they need to identify threats and security violations.

#2 | Decrypt and monitor all secure traffic
Encryption was supposed to assure us that certain communications were legitimate and secure. Unfortunately, malicious attackers figured out that encrypting their attacks helped them avoid detection. More than half of all network traffic is now encrypted, and the percentage is rising. With so much at stake, complete monitoring of encrypted traffic is mandatory.

The necessary first step is to decrypt traffic because your advanced security solutions can only process plain text. No matter what solution you use for decryption, it needs to be powerful. Decoding requires intense processing, and encryption algorithms are becoming more complex with longer key sizes to strengthen their ability to withstand hacking. Many of your monitoring solutions will need access to the same decrypted data, so the most efficient approach is to decrypt traffic one time and deliver the resulting plain text to as many monitoring solutions as you have.

#3 | Adopt strong encryption ciphers and policies
While encryption can protect your customer information and network communications, you must choose a strong encryption algorithm. No single algorithm is ideal for all situations, but longer keys generally yield stronger encryption. Another aspect of encryption is the policies under which the keys are managed. In March 2018, the Internet Engineering Task Force (IETF) approved a new set of protocols for secure communication, known as active SSL or TLS 1.3, which make it harder to eavesdrop or intercept communications because encryption keys are negotiated anew for every secure session, rather than being reused. It will take a while for TLS 1.3 to become widely deployed. In the meantime, financial institutions can prepare by verifying that their current network and security monitoring solutions support active SSL decryption and re-encryption.

#4 | Automatically shield sensitive data with masking
Data masking refers to overwriting information with a string such as “xxx-xx-xxxx” (in the case of social security numbers) to obscure sensitive or confidential information. If you deploy a cloud visibility platform with the ability to understand the context of network packet data, you can configure the platform to automatically mask sensitive data with no manual intervention. This capability allows you to set predefined masking templates for common fields such as credit card numbers, email addresses, and social security numbers and also offers the ability to define custom masks to protect other types of sensitive information.
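
Template-based masking as described above, sketched as an added example (not code from the article or from any visibility platform): it runs over already-decoded payload text, and the regexes, the `mask_payload` function and its `custom_masks` parameter are assumptions made for illustration. The Luhn checksum step goes beyond the article; it keeps long digit runs such as order references from being masked as card numbers.

```python
import re

# Built-in templates for the three field types the article names.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_ok(digits):
    """Luhn checksum: keeps order IDs and other long digit runs from being masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(match):
    text = match.group()
    if not luhn_ok(re.sub(r"\D", "", text)):
        return text               # fails checksum: not a card number, leave as is
    return re.sub(r"\d", "x", text)   # overwrite digits, keep length and separators


def mask_payload(text, custom_masks=()):
    """Return text with sensitive fields overwritten.

    custom_masks: iterable of (compiled_regex, replacement) pairs for
    institution-specific fields (hypothetical interface for this example).
    """
    text = CARD_RE.sub(_mask_card, text)
    text = SSN_RE.sub("xxx-xx-xxxx", text)
    text = EMAIL_RE.sub("xxx@xxx", text)
    for pattern, replacement in custom_masks:
        text = pattern.sub(replacement, text)
    return text


# Constructed sample payload; every value is fabricated test data.
SAMPLE = ("name=Ann&ssn=123-45-6789&card=4111 1111 1111 1111"
          "&email=ann@example.com&ref=1234567890123456&acct=ACCT-00918273")
ACCT_MASK = (re.compile(r"\bACCT-\d{8}\b"), "ACCT-xxxxxxxx")

if __name__ == "__main__":
    print(mask_payload(SAMPLE, [ACCT_MASK]))
```

The `ref` field passes through unmasked because it fails the checksum, while the custom `ACCT_MASK` pair covers a field the built-in templates do not know about.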

#5 | Simplify hybrid cloud monitoring
In hybrid IT environments, network monitoring is more complex and you will likely want to deploy additional security and performance management solutions. A cloud visibility platform can reduce the time and effort required to manage these solutions by providing you with a single management pane for setting up the collection, filtering, and distribution of network packets to all your tools. A single management platform will reduce training costs, speed configuration and setup, and reduce errors. Do not underestimate the savings in time and accuracy that come from choosing a visibility platform designed to support hybrid environments.

The use of public and hybrid clouds requires you to adjust your practices for security monitoring. While cloud providers offer useful data and services to assist you, it is important to implement comprehensive packet-based traffic monitoring. A hybrid visibility platform strengthens security by centrally managing decryption, automatically shielding sensitive data fields, and reducing the workload for your security monitoring solutions.

Lora O’Haver is a senior solutions manager at Keysight, with over twenty years of experience in enterprise computing, networking, and cloud technologies. Lora helps clients understand how network visibility solutions strengthen security and streamline performance monitoring.


About Keysight Technologies
Keysight Technologies, Inc. (NYSE: KEYS) is a leading technology company that helps enterprises, service providers, and governments accelerate innovation to connect and secure the world. Keysight’s solutions optimize networks and bring electronic products to market faster and at a lower cost with offerings from design simulation, to prototype validation, to manufacturing test, to optimization in networks and cloud environments. Customers span the worldwide communications ecosystem, aerospace and defense, automotive, energy, semiconductor and general electronics end markets. Keysight generated revenues of $3.9B in fiscal year 2018. More information is available at