Encryption Without Compromise – Are you Missing Out?

Intel is minimizing the impact cryptography has on performance and is helping to lower the barrier to enterprise adoption of encryption by integrating cryptography resources in its processors and accelerators.

In a recent tweet, I posted that Intel® Xeon® Scalable processors deliver awesome cryptographic performance. Encryption is key to a strategic security plan, and frankly, we’ve reached a point where all enterprises should be encrypting everything, everywhere, all the time! Usually, when I tell people this, their first thought is the impact all that encryption would have on performance.

Fortunately, that no longer needs to be a concern. Intel’s integrated hardware cryptography resources, including robust algorithms, strong keys, and built-in encryption accelerators, along with software optimizations, lay the foundation for strong data security while still maintaining high performance throughout the data lifecycle—at rest, in flight, and in use. Companies no longer have to choose between security and performance – Intel delivers both.

Encrypt Everything, Everywhere

In my previous blog post “The Key to Enhanced Data Protection”, I talked about the value of encrypting data. One of the worst things you can do is leave data in plaintext, like Equifax or other recently hacked companies did, making it simpler for intruders to steal. For data at rest, we have full disk encryption; for data in flight, we have encrypted transactions; and for data in use, we have cryptographic isolation.

Companies need to encrypt not only obvious critical data like passwords and credit card numbers, but even non-critical data that could be used in social engineering attacks, public discreditation, or anything really. Why is so little data currently encrypted in the data center? Partly it’s an over-reliance on perimeter defenses such as firewalls at the gateway, and partly it’s that people assume that encrypting everything would crater system performance. But that’s just not true anymore. Intel is minimizing the impact cryptography has on performance by dedicating and integrating cryptography resources in our processors and accelerators, helping lower the barrier to end-to-end encryption.

Protect the Data, Keep the Performance

As Intel® Xeon® processors evolve, so do the hardware-accelerated algorithms built into them. These crypto accelerators allow for broad encryption with minuscule overhead. In fact, built-in Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) can handle standard encryption loads with a performance overhead of 1% or less on the system¹. The new Intel Xeon Scalable processors provide dramatically improved cryptographic performance for data at rest and in transit.

Many AES-based encryption schemes will immediately benefit from the 75% improvement in Intel® AES-NI instruction latency. These performance gains for cryptographic primitives improve throughput for intensive workloads in markets such as networking and storage, lowering the barrier to making encryption ubiquitous.

Figure 1. Less than 1% performance overhead to encrypt 100GB of data with Intel® AES-NI

Near-Zero Overhead for Compuverde

Intel has virtually eliminated the performance overhead for encrypting data, which makes it easier for IT administrators to encrypt as much data as possible, without negatively impacting user experience or any service level agreements they may have. Compuverde, an information technology company with a focus on data storage and cloud computing, used full AES encryption for data at rest and experienced near-zero overhead, maintaining high throughput. Christian Melander, a Senior Software Engineer for Compuverde, explains, “The performance in the encryption routines is very good; we don’t notice any performance degradation when it is activated.”

Intel QuickAssist Technology for Bulk Encryption

For truly heavy data volumes, such as those found in bulk encryption security appliances, Intel® QuickAssist Technology (Intel® QAT) can offload that processing from the main CPU. This keeps the system cores available for functional workloads, so you can run massive volumes of encrypt/decrypt/compression operations without bogging down the server, leaving it mostly available for your business workloads. For instance, a network security appliance that would ordinarily have to consume the full CPU to process 20,000 public key decryption operations per second can offload all of that work to the QAT engine, leaving approximately 90% of the full CPU available to handle standard web-service workloads.

Intel® QAT has been offered as an add-on card for multiple generations of our platforms and is now integrated into the Xeon-SP platform chipset for maximum efficiency, with staggering throughput capabilities (see Figure 2). Intel QAT enables security and compression acceleration and offload on standard servers for networking, storage, and cloud usages. Intel QAT also improves performance across applications and platforms, including symmetric encryption and authentication, asymmetric encryption, digital signatures, RSA, DH, and ECC, and lossless data compression. All of this makes it less and less defensible to not implement a robust encryption strategy.

Figure 2. Intel® QAT provides massive throughput improvements vs. software-based solutions.

Nearly two-thirds of companies have not adopted an encryption strategy, according to Thales e-Security. The main reason is that they believe encryption would drag down the performance of the system. With keys getting longer, algorithms getting more complex, and the explosion of data in the enterprise, server resources have the potential to be consumed more and more by cryptographic processing. Poor performance does not have to be a barrier to a sophisticated and strong security strategy anymore. With Intel Xeon Scalable processors, the improved Intel® AES-NI design and the ability to use Intel® QAT for heavy-volume encryption bring a new level of cryptographic performance to the data center. I encourage you to check if your software is taking advantage of these technologies. To learn more about Intel® QAT, Intel® AES-NI, and all of the other Intel® Security technologies that help secure the platform, protect the data, and deliver all of this without compromise, visit www.intel.com/XeonScalable.

¹ Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information on the performance and system configuration please see www.intel.com/xeonconfigs.