Some time back we told you about Nubeva bringing performance monitoring and security to the cloud. The company has just announced TLS 1.3 Decrypt, which adds network decryption support for container and Kubernetes workloads hosting encrypted applications in any cloud. The support extends to the cloud platform variants of Kubernetes, including Amazon Elastic Kubernetes Service (Amazon EKS), Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE), as well as self-managed clusters built with kops (Kubernetes Operations).
The company’s Symmetric Key Intercept architecture discovers and extracts the final, ephemeral session keys for each container running on a host. Once those keys are stored, users can decrypt captured traffic when and where needed, giving full visibility into the actual data in motion in and out of critical applications, workloads and even individual microservices.
The solution sits entirely out of band with respect to the traffic: it is an overlay that requires no code changes, no library modifications and no changes to application architecture or operations. Note that the key discovery agent itself does run on the host; what stays out of band is the decryption, which can happen wherever the captured packets and the stored keys are brought together.
“Container and Kubernetes workloads are quickly becoming the standard for creating and running software and other applications in the cloud,” said Randy Chou, Nubeva co-founder and CEO. “While efficient, this architecture creates blind spots as programs communicate with other applications in the cloud and to external networks. Nubeva TLS 1.3 Decrypt obtains the keys from any north/south or east/west session and provides total visibility to traffic running in and out of containers – enabling real-time monitoring as well as forensics on Kubernetes deployments for the first time.”
The Symmetric Key Intercept architecture discovers and extracts the final, ephemeral session keys for each container running on a host, regardless of how quickly the containers spin up and spin down. Once the keys are stored, users can decrypt the captured traffic when and where needed, at scale, giving security, DevOps and compliance teams full visibility into the actual data in motion in and out of critical applications, workloads and even individual microservices.
Key Benefits for Nubeva Users
- Deploy in any container environment. The solution operates independently of the container orchestrator and can be deployed in any Linux container environment: plain Docker hosts, Kubernetes, Amazon EKS, AKS and Google Cloud GKE.
- Get visibility into packets from clusters, nodes, pods and microservices running in Kubernetes. Nubeva TLS 1.3 Decrypt works in any environment, including workloads that run for a week or for mere milliseconds, with no modifications to the cloud architecture.
- Compatible with all modern TLS protocol versions and ciphers: TLS 1.3, 1.2, 1.1 and 1.0; all Diffie-Hellman key exchange variants (DH, ECDH, ECDHE), including cipher suites with Perfect Forward Secrecy (PFS); and AES (CBC), AES-GCM and ChaCha20-Poly1305 record protection. It also works with clients that pin certificates. This follows from the design: the symmetric session keys are taken from the endpoint rather than derived by a man-in-the-middle, so forward secrecy and certificate pinning, which defeat proxy-based interception, do not get in the way.
- Supports TLS client and server sessions: sessions from external clients to the workload, as well as sessions the workload opens to other services, to cloud platform services such as API calls and PaaS offerings, and to third-party and external services that form part of the application architecture.
- Discovers and extracts symmetric keys for all containers and pods running on an instance or node. Nubeva’s Key Discovery Agent decouples key extraction from the workloads themselves, which minimizes the load on the instance and reduces deployment and maintenance overhead.
- Delivers high performance with negligible CPU and memory overhead: the key extraction agent consumes roughly 1% of a single CPU core and a few megabytes of memory to cover all the workloads on a node.
- Supports any packet capture and broker system. In the cloud, Nubeva works with AWS VPC Traffic Mirroring and Azure Virtual Network TAP (vTAP). In private and hybrid clouds it works with any tap, SPAN, mirror or network packet broker. It also works with tcpdump and PCAP files, including mass stores of PCAPs that need selective or bulk decryption.
- Supports Windows Schannel, a variety of Linux distributions, and public, private and hybrid cloud environments.
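To make the key-intercept architecture described above concrete, and to show why the PFS and PCAP-decryption points in the list hold, here is an added example written for this page in Go; it is not Nubeva's code and the page does not document how their agent reads keys from memory. It runs one TLS 1.3 request between an in-process "workload" server and a client on loopback, collects the per-session secrets through Go's cooperative `KeyLogWriter` hook (standing in for the agent's extraction), and parses the resulting NSS key-log format, which is what Wireshark consumes to decrypt a capture out of band. The self-signed certificate, the `demo-pod` name, the request text and the `must` helper are all constructed for the demo.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// parseKeyLog reads the NSS key-log format ("<LABEL> <client_random_hex> <secret_hex>" per line),
// grouping lines by client random, which is what a decryptor matches against a captured ClientHello.
func parseKeyLog(r io.Reader) (map[string]map[string]string, error) {
	sessions := map[string]map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank line or the comment header browsers write
		}
		if len(f) != 3 || len(f[1]) != 64 { // label, 32-byte client random, secret
			return nil, fmt.Errorf("malformed key log line: %q", sc.Text())
		}
		if sessions[f[1]] == nil {
			sessions[f[1]] = map[string]string{}
		}
		sessions[f[1]][f[0]] = f[2]
	}
	return sessions, sc.Err()
}

// selfSignedCert mints a throwaway ECDSA certificate for the in-process "workload" (constructed).
func selfSignedCert() tls.Certificate {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"demo-pod"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// runSession performs one TLS 1.3 request/response over loopback. The server's KeyLogWriter is Go's
// cooperative hook for exporting session secrets and stands in here for an out-of-band key agent.
func runSession() (map[string]map[string]string, string) {
	cert := selfSignedCert()
	var keyStore bytes.Buffer // the extracted per-session secrets land here
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		must(err)
		tc := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13, KeyLogWriter: &keyStore})
		defer tc.Close() // close_notify ends the client's ReadAll below
		buf := make([]byte, 64)
		n, err := tc.Read(buf) // completes the handshake (which logs the secrets), then reads the request
		if err == nil {
			_, err = fmt.Fprintf(tc, "pod says: %s", buf[:n])
		}
		srvDone <- err
	}()
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	cc, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "demo-pod", MinVersion: tls.VersionTLS13})
	must(err)
	defer cc.Close()
	_, err = cc.Write([]byte("GET /secret")) // constructed request
	must(err)
	reply, err := io.ReadAll(cc)
	must(err)
	must(<-srvDone) // server finished, so keyStore is complete
	sessions, err := parseKeyLog(&keyStore)
	must(err)
	return sessions, string(reply)
}

func main() {
	sessions, reply := runSession()
	fmt.Println(reply, sessions)
}
```

Two points the code makes explicit. The key log is keyed by the 32-byte client random, which is all a decryptor needs to match a stored secret to a ClientHello in a PCAP, and TLS 1.2 `CLIENT_RANDOM` lines parse the same way as the four TLS 1.3 traffic-secret lines Go writes. Call `runSession` twice and both the client randoms and every secret differ, which is why an intercept agent has to catch each session, however short-lived, and why forward-secret key exchange offers no protection once the secrets come from the endpoint rather than from a man-in-the-middle. Whoever controls the key store (here `keyStore`) can read every captured session, so it deserves the same protection as the workload's private key.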