The cloud changed everything. Application and network design shifted to distributed and decentralized systems driven by microservices and containerized architectures. The infrastructure that businesses run on is no longer their own. It belongs to the cloud platform providers. Even with the numerous advantages AWS, Azure and Google Cloud offer, security and networking visibility challenges remain. The solutions that worked in the datacenter do not work in the cloud. Nubeva identified this challenge early on and has created the first born-in-the-cloud decryption visibility solution that understands modern encryption standards, cloud-first architecture and takes advantage of scaling benefits.
Founded in January 2016, Nubeva is an innovative startup company hyper-focused on solving the problem of encrypted packet visibility. Nubeva delivers universal, decrypted packet visibility in any datacenter or cloud – public, hybrid or private. With new visibility to encrypted traffic, Nubeva’s Symmetric Key Intercept approach brings back out-of-band decryption and packet processing for the modern SSL and TLS 1.3 world.
Nubeva and its platform power U.S.-based enterprise information technology teams, including security operations, network operations, and development operations professionals at various levels. The organization provides support across a myriad of industries, including but not limited to financial services, health, and manufacturing. The company is based in San Jose, California and has offices in Canada and Australia.
There are two reasons why Nubeva has the only decryption solution for the modern era of cloud computing and TLS 1.3.
The modern architectures of cloud environments have made man-in-the-middle decryption solutions unworkable. There is no “middle” in the cloud. There is no “middle” in modern, micro-service-oriented application design. Hair-pinning all traffic through artificial chokepoints like firewalls and proxies just to get visibility makes no sense, seriously erodes performance of those in-line devices, and is prohibitively expensive.
Modern encryption standards like TLS 1.3, and practices like perfect forward secrecy and certificate pinning, break legacy out-of-band decryption. This is by design in the new standards. In TLS 1.3 the server certificate is sent encrypted inside the handshake, so a passive observer no longer even sees it. TLS 1.3 removed static RSA key exchange, so every session uses ephemeral (EC)DHE and perfect forward secrecy is mandatory: a copy of the server's private key no longer recovers session keys. Certificate pinning rejects the substitute certificates an interception proxy would have to present. The only way to decrypt is to be part of the handshake, or to obtain the session keys from an endpoint that was.
Nubeva is the only solution to both of these modern cloud security challenges. Nubeva’s patent-pending Symmetric Key Intercept architecture is the only out-of-band decryption solution designed for the cloud and workable with modern application architectures and modern encryption practices.
Cybersecurity, DevOps and compliance teams all require visibility into the payload of their data-in-motion for security, performance monitoring, troubleshooting, and audits. Such decrypted, packet-level visibility, once simple in the days of the datacenter with its defined network edges and owned hardware, is now complex and even impossible when datacenter technologies and approaches are applied to cloud environments with their decentralized and distributed architectures and new TLS encryption standards. Nubeva's new architecture and out-of-band, software-based decryption provide complete, decrypted packet visibility for hyper-scale cloud environments.
Nubeva TLS Decrypt answers the cloud decrypted-packet-visibility problem in a completely new way. Symmetric Key Intercept decouples key discovery from encrypted traffic mirroring and decryption. Nubeva's approach decrypts at the tool destinations, which avoids transmitting clear-text across the network and preserves the original end-to-end encryption between the communicating workloads. The decoupling of these processes creates a highly elastic and massively scalable visibility plane in the client's environment.
Architecture of Nubeva TLS Decrypt
And what places Nubeva right at the top among similar service providers? First, rules-based discovery and extraction of the final session keys happens at either end of the TLS handshake. This TLS-client-and-TLS-server approach is critical for universal, decrypted visibility in cloud environments where applications are made of decentralized, distributed workloads and third-party data feeds. Throughout its normal cycles, a cloud workload will be both a TLS server and a TLS client. Second, once the final keys are discovered, a store-and-forward function in the Nubeva Controller gives security and compliance teams both on-demand and real-time decryption. Encrypted PCAPs may be stored for audit review and decrypted only during an audit period. Alternatively, a security analyst investigating an anomaly can immediately have full, decrypted packet visibility in the tools she or he is used to, like Wireshark, Moloch or any other commercial tool. Finally, the Nubeva Decryption Engine is a container that sits in each tool destination workload. This engine can be deployed in many scalable and flexible ways so that it conforms to the design of the current systems without interrupting them or forcing new architectures. The Nubeva Decryption Engine buffers incoming encrypted packet traffic and readies it for decryption. Incoming traffic may come from a mirror or tap or even an existing packet broker. Incoming traffic may also be read in from a file like a pcap. The Nubeva Decryption Engine retrieves the correct symmetric key from the controller and decrypts the packet traffic. The engine then feeds the decrypted packets to the tool destination along with the original, encrypted traffic stream.
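The two passages above (why TLS 1.3 and perfect forward secrecy defeat passive decryption, and how key discovery can be decoupled from packet mirroring) come down to one mechanical step: the decryption side must match a session secret harvested on the endpoint with the mirrored packets of that same session. The only value both sides share in the clear is the 32-byte client random in the ClientHello. The example below is added here and is not Nubeva's code; it assumes the endpoint exports secrets in the NSS key-log format that Wireshark reads (the `SSLKEYLOGFILE` convention used by Chrome, Firefox, curl, OpenSSL and others), indexes them by client random, recovers the client random from a mirrored TLS record, and looks up the secrets. The key-log contents and the ClientHello are constructed for the example. It also shows why a stored server private key is useless for TLS 1.3: the log carries per-session traffic secrets, nothing derivable from a long-term key.

```python
"""Match endpoint-exported TLS secrets to mirrored packets by client random.

Example code illustrating out-of-band decryption plumbing; not Nubeva's
implementation. Assumes NSS key-log format (SSLKEYLOGFILE) for the secrets.
"""
import struct

# Labels an NSS key log can carry. TLS 1.2 logs one master secret per
# handshake; TLS 1.3 logs a separate secret per direction and phase.
KNOWN_LABELS = {
    "CLIENT_RANDOM",                      # TLS 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",        # TLS 1.3 0-RTT data
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",    # TLS 1.3 encrypted handshake (incl. certificate)
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",            # TLS 1.3 application data
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

# Constructed sample key log. Randoms and secrets are made-up hex; only the
# line layout ("LABEL <client_random> <secret>") matters.
R12 = "11" * 32   # client random of a TLS 1.2 session
R13 = "22" * 32   # client random of a TLS 1.3 session
SAMPLE_KEYLOG = f"""\
# TLS 1.2 handshake: one master secret covers both directions
CLIENT_RANDOM {R12} {"aa" * 48}
# TLS 1.3 handshake: per-phase, per-direction secrets (forward secrecy per session)
CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13} {"b1" * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {R13} {"b2" * 32}
CLIENT_TRAFFIC_SECRET_0 {R13} {"b3" * 32}
SERVER_TRAFFIC_SECRET_0 {R13} {"b4" * 32}
"""


def index_keylog(text):
    """Map client_random (lowercase hex) -> {label: secret_hex}.

    Comments, blank lines, unknown labels and malformed lines are skipped
    rather than raising, since a live key log is appended to concurrently.
    """
    index = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KNOWN_LABELS:
            continue
        label, client_random, secret = parts
        if len(client_random) != 64:        # 32 bytes of random, hex-encoded
            continue
        index.setdefault(client_random.lower(), {})[label] = secret.lower()
    return index


def client_random_from_record(record):
    """Return the 32-byte random from a TLS record carrying a ClientHello, else None.

    Record header: content_type(1) version(2) length(2); handshake header:
    msg_type(1) length(3); ClientHello: legacy_version(2) random(32) ...
    """
    if len(record) < 5:
        return None
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:                  # 22 = handshake
        return None
    body = record[5:5 + length]
    if len(body) < 4 or body[0] != 1:       # 1 = client_hello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32:
        return None
    return hello[2:34]


def build_client_hello(random_bytes):
    """Build a minimal ClientHello record (constructed mirror input for the example)."""
    hello = (b"\x03\x03" + random_bytes    # legacy_version, random
             + b"\x00"                      # empty session_id
             + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                  # compression: null only
             + b"\x00\x00")                 # no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def secrets_for_record(record, index):
    """Look up the endpoint-exported secrets for the session a mirrored ClientHello opens."""
    rnd = client_random_from_record(record)
    return None if rnd is None else index.get(rnd.hex())


def negotiated_version(secrets):
    """Infer the TLS version from which secret labels the endpoint logged."""
    if "CLIENT_RANDOM" in secrets:
        return "TLS 1.2"
    if "CLIENT_TRAFFIC_SECRET_0" in secrets:
        return "TLS 1.3"
    return "unknown"


if __name__ == "__main__":
    idx = index_keylog(SAMPLE_KEYLOG)
    for rnd in (R13, R12, "33" * 32):
        found = secrets_for_record(build_client_hello(bytes.fromhex(rnd)), idx)
        print(rnd[:8], "no secrets exported" if found is None else negotiated_version(found))
```

The lookup key is the client random rather than the 5-tuple because mirrored packets may arrive at a different tool destination, minutes later (the store-and-forward case), or from a pcap with no connection state; the random is the one identifier that survives all of that. A session whose ClientHello was never mirrored, or whose endpoint did not export secrets, stays opaque, which is the expected failure mode rather than a silent downgrade.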
In this way, multiple tools can each receive an out-of-band replicated and encrypted packet stream and each can decrypt and inspect it at the same time. There is no need for complex “decryption zones”. There is no need for expensive man-in-the-middle deployments between each and every node in a distributed cloud architecture. There is no need to pick and choose between security inspection or performance monitoring. Nubeva enables real-time, multi-destination, decentralized decryption of network traffic.
Another benefit of using Nubeva TLS Decrypt is that it is a universal solution supporting any TLS protocol version and cipher suite, including TLS 1.3. The solution works with any packet brokering source. Nubeva's solution is cloud-agnostic and works with any tool destination that needs to see decrypted packet and payload traffic. This solution unlocks traffic in any cloud or datacenter to enable best-of-breed security and visibility. Nubeva supports native Amazon VPC traffic mirroring and Azure vTAPs. Organizations can use any other cloud packet brokering service for packet acquisition, processing, and distribution to their security and monitoring tools.
Again, Nubeva helps enterprise organizations maximize their cloud presence and accelerate their cloud transformation journey by providing IT teams (DevSecOps, primarily) with the solution needed to fully embrace modern encryption protocols AND still have visibility into the data (packets) in their cloud subscriptions for monitoring and threat hunting. Many organizations hesitate to fully leverage the benefits of the cloud because of security and visibility concerns. Nubeva TLS Decrypt eliminates the legacy requirement of abandoning visibility for security (encryption).
The advantages of Nubeva's platform are clear. Because there is no MITM setup, cost is reduced and performance is better. No decryption zones are required, which makes compliance easier and network architectures more flexible. The most important benefit is that Nubeva preserves the original end-to-end encryption without introducing the additional weaknesses associated with HTTPS interception and MITM TLS proxies, which terminate the session and can downgrade the negotiated cipher or skip proper certificate verification on the re-originated connection.
These innovations from Nubeva’s platform are changing the dynamics of the industry and have made it a disruptor delivering best-of-breed solutions to all.
Randy Chou, Founder & CEO, Nubeva
The man leading this next-generation cloud security platform is Randy Chou, Founder and CEO of Nubeva. Randy Chou is an experienced leader and an accomplished developer. He knows how to keep speed, agility and innovation top of mind while fostering a culture focused on innovation and collaboration. "As a company based in San Jose, California with virtual team members across the U.S. and in Australia, communication is vital to our success. We maximize our use of tools like Slack to stay connected and get work done efficiently and effectively. We minimize decision-making by email. And, we encourage employees to be decision-makers in their roles as individual contributors," shares Chou. "The focus is on moving forward every day to ensure client needs are met, to ensure our solutions function as promised and to exceed expectations among employees and with every client interface."
The way ahead
The goal is simple; Nubeva is here to make security in the public cloud available everywhere, for everyone. Many organizations have experienced the benefits of moving resources to public clouds like AWS, Microsoft Azure and Google Cloud. There are cost advantages in addition to the ability to do more work, more efficiently. But organizations shouldn’t sacrifice encryption and visibility in the cloud, and IT teams still need the ability to monitor cloud assets for potential threats from the outside world.
Nubeva’s aim is to provide cloud-native solutions that enable IT teams to have access, visibility and control of their cloud data when and where they need it. Nubeva solutions ultimately unlock cloud visibility and the company will continue to innovate and deliver solutions that IT teams find invaluable as they migrate to the cloud.