NCache provides a rich set of industry-standard encryption algorithms that are nearly impossible to break. This ensures that your sensitive data is protected well, along with traveling over the network in encrypted form. NCache provides the following encryption algorithms that you can choose from:
Advanced Encryption Standard (AES) Encryption
NCache provides support for the AES encryption algorithm which is an official part of Federal Information Processing Standard (FIPS). The AES algorithm processes data chunks of 128 bits, using encryption keys of lengths 128, 192, and 256 bits. The supported flavors of AES are listed below.
You can read the RFC specification document for AES and AES-FIPS at the Internet Engineering Task Force (IETF) website.
- AES-128
- AES-192
- AES-256
- AES-FIPS 128
- AES-FIPS 192
- AES-FIPS 256
Triple-DES (3DES) Encryption
NCache also provides support for the 3DES encryption protocol, which processes data key lengths of 128 and 192 bits. You can read the RFC specification document for 3DES at the Internet Engineering Task Force (IETF) website. The following algorithms are supported for NCache encryption:
- 3DES-128
- 3DES-192
Where does Encryption Occur?
NCache data encryption and decryption occur inside the NCache client application process. This means that all data traveling over the network between your application and the cache cluster is already encrypted. Similarly, only encrypted data is stored in the cache store.
Client-Server Connection
When you enable encryption on a cache cluster, you provide an encryption key along with the encryption algorithm provider. This key is kept at each cache server in an encrypted manner. When a client successfully connects to the encryption-enabled cache for the first time, the encryption key and selected encryption algorithm is automatically sent to the client in a secure manner to be used in-memory for encrypting/decrypting on future requests.
Once requests are made to the cache, NCache client automatically starts encrypting your objects before sending them to the cache. Similarly, it automatically decrypts objects fetched from the cache before delivering them to your application.
Figure 1 depicts this behavior in 2 simple steps:
Figure 1: Client-Server Encryption Behavior on Connection
NCache Details NCache Encryption Docs NCache Security
Encrypted Data In-Transit and At-Rest
If you’re handling sensitive data in NCache, you can be rest assured that data is encrypted and secure from unwanted access at all stages of the data’s life.
Data from Client to Server
Once the encrypted key resides at the client end in memory, any data that has to be sent to the cache is encrypted using the key. Generally, the data is first serialized, encrypted and compressed (if compression is enabled). Encryption of data at the client end before being transmitted means that the data is encrypted in transit. This ensures anyone eavesdropping on this connection will not be able to fetch any sensitive data.
Data At-Rest
Once the data is added to cache, the data is stored in its encrypted form so it is secure even at the cache end.
Data Within Cluster Nodes
Within the cache cluster, data is encrypted during server-to-server state transfer or replication. So, it is still encrypted in-transit.
Figure 2 shows how data is encrypted from client to server::
Figure 2: Encrypted Data In-Transit and At-Rest in NCache
Client Cache
A client cache is a local cache residing on the same box where the application is running. This client cache is synchronized with the remote clustered cache to improve performance for read operations. In the case of client cache, encryption is not configured explicitly on the client cache. If the clustered cache (L2 level cache) has enabled encryption, then the client cache is encrypted too. If there is no encryption enabled on L2, the data will be added to the client cache without encryption.
Client API
The encryption/decryption behavior for NCache client API is handled automatically while ensuring all data in transit is encrypted and is only decrypted where it needs to be processed.
- Client Connection: When the client connects for the first time, it gets the encryption key and specified algorithm in an encrypted form. This is used to encrypt/decrypt data when needed.
- Adding Data to Cache: For APIs that add data to the cache like Add/Insert etc., the data is encrypted at the client end before traveling over the network. At the cache end, the data is stored in encrypted form.
- Fetching Data from Cache: For APIs that fetch data from the cache like Get/GetBulk/Loader/Queries etc., the data is in the cache in encrypted form, it travels to the client in encrypted form, and the data is decrypted at the client end.
- Events: For the events that require sending data/metadata back to the client where the server data is encrypted, the data is encrypted in-transit and decrypted at the client end.
Metadata of Cache Items
Cache items are added with metadata like Groups, Tags, and Named tags. These include additional information for the cache item that defines how data is indexed.
While adding the cache items to the cache, the data along with the metadata is encrypted at the client-end. The data and metadata travel over the network in an encrypted form. However, at the server end, the data is stored in encrypted form, but the metadata has to be decrypted because it is indexed on the server nodes.
NCache Details NCache Client API Docs NCache Security
Data Structures in Cache
NCache provides support for data structures. As data is added to the cache, it is encrypted before being added to the data structure. Similarly, when the data structure is fetched from the cache, the data is decrypted at the client end and can be used as needed.
Server-Side Features
As with client-side features, the encryption/decryption mechanism for NCache server-side features is handled automatically on the nature of the feature:
- Read-thru: Irrespective of how and where data is loaded from, if encryption is enabled on the cache, the data will be added to cache after being encrypted, serialized and compressed (if compression is enabled).
- Write-thru: The data in the cache is encrypted, but for sending data to be persisted to the write-through source, it has to be decrypted so it is stored as is.
- Cache Loader: Since Loader uses the public API, if encryption is enabled on cache, the data being loaded will automatically be stored in encrypted form in cache.
- Entry Processor: If the entry processor is invoked to process an object, the object is decrypted at the server as all processing takes place at the server end.
Enabling Encryption
You can enable encryption through NCache Management tools without any programming effort on your part. Encryption has to be enabled on cache start so that all data is homogenously encrypted. You can learn more about this in our docs on Configuring Encryption.
Figure 3: Configuring Encryption in NCache
Additional Security Features in NCache
Apart from encryption, NCache also provides secure communication through SSL/TLS 1.2. Moreover, it even ensures your cache environment is secure at cache API and node management level by providing Access Control Lists. You can read more about these features here:
BLOG: SSL/TLS Configuration in NCache Made Simple
BLOG: Exploring Cache Environment Security in NCache
Conclusion
It is no doubt that data is the new currency, and cybersecurity is gold. Hence, NCache recognizes the need to secure your data and provides a range of security features to warrant compliance with the latest algorithms. However, as encryption/decryption is a CPU intensive task, it must be used where explicitly needed as it impacts performance.
