The secret to reducing cloud costs – cryptography

Lori MacVittie, Principal Threat Evangelist at F5 Networks, discusses how businesses should be designing their cloud-based architecture to reduce costly processes.

Cloud computing can certainly be a cost-effective strategy for many businesses, but it definitely isn’t free.

Most of today’s apps are delivered via secure HTTP. That means TLS, or the increasingly frowned-upon SSL. It means cryptography, which has traditionally been taken to mean performance problems.

The more complex the journey, the more expensive it becomes

Thanks to advances in technology, CPUs are now incredibly fast, and much client (and server-side) hardware natively integrates what was once specialised cryptographic hardware. This means that, on a per-connection basis, the speed of cryptography is not the issue it once was. But that doesn’t mean cryptography is no longer a source of performance and operational expense.

Applications today are not composed of a single endpoint. Instead, they have multiple intermediaries and proxies through which a message must travel before that ‘single endpoint’ is ever encountered. They are made up of security and access control, load balancing and routing endpoints, and each needs to inspect the message – in the clear – in order to execute its designated role in the complex dance that is the modern data path.

Here is where the argument that cryptography isn’t as expensive starts to fall apart. On its own, a single endpoint introduces very little delay. However, when that delay is repeated at every endpoint in the data path, the individual delays add up to something more noticeable and, particularly in the case of public cloud, operationally expensive.

Adding up the cost

Cryptography is naturally a computationally expensive process. That means it takes a lot more CPU cycles to encrypt or decrypt a message than it does to execute business logic. In the cloud, CPU cycles are analogous to money being spent. In general, it’s an accepted cost because the point is to shift capital costs to operational expense.

But the costs start to add up if you are decrypting and encrypting a message several times. You are effectively paying for the same cryptographic process multiple times. What might be computed to cost only a penny when executed once suddenly costs five pennies when executed five times. Do the maths for the hundreds of thousands of transactions over the course of a day (or an hour) and the resulting costs are staggering.

Also remember that each CPU cycle consumed by cryptographic processing is a CPU cycle not spent on business logic. This means scaling out sooner than you might want to, which incurs even more costs as each additional instance is launched to handle the load.

Suffice it to say that ‘SSL everywhere’ should not result in ‘decrypt everywhere’ architectures in the cloud.

Reducing decryption to make cloud more affordable

To reduce the costs and maximise the efficacy of the CPUs you’re paying for, it is worth the time to design your cloud-based architecture on a ‘decrypt once’ principle. ‘Decrypt once’ means you should minimise the number of endpoints in the data path that must decrypt and re-encrypt messages in transit.

Naturally, this requires forethought and careful consideration of the different application services you’re using to secure and scale applications. If you aren’t subject to regulations or requirements that demand end-to-end encryption, architect your data path such that messages are decrypted as early as possible, to avoid additional cycles wasted on decryption later. If you are required to maintain end-to-end encryption, combining services wherever possible will give you the most efficient use of compute resources.

Combining services – e.g. load balancing with a web application firewall – on a single platform reduces the number of times you need to decrypt messages in transit. It also has the added advantage of reducing the number of connections and the time spent on the network, which translates into performance benefits for users and consumers. But the real savings are in the CPU cycles that aren’t spent on repeated decryption and re-encryption.
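The ‘decrypt once’ principle and the two design options above (decrypt early when end-to-end encryption is not required, combine services when it is) can be reasoned about with a simple cost model. The following Python is an added illustration, not code from the article or from F5: the hop names, the per-operation cycle counts and the cycles-per-penny rate are constructed placeholders, chosen only so that the relative cost of each architecture can be compared and the end-to-end constraint checked.

```python
"""Cost model for 'decrypt everywhere' versus 'decrypt once' data paths.

Added illustration, not from the article. Hop names and all cycle counts
are constructed placeholders, not measurements.
"""
from dataclasses import dataclass

# Assumed relative CPU cost per message, in cycles (constructed placeholders).
DECRYPT_CYCLES = 1000   # TLS decryption of one request at a terminating hop
ENCRYPT_CYCLES = 1000   # TLS re-encryption before forwarding to the next hop
LOGIC_CYCLES = 100      # the hop's own work (routing, inspection, app logic)
CYCLES_PER_PENNY = 1_000_000  # constructed billing rate, for illustration only


@dataclass(frozen=True)
class Hop:
    """One endpoint on the data path (load balancer, WAF, gateway, app)."""
    name: str
    terminates_tls: bool   # needs the message in the clear to do its job
    reencrypts: bool       # re-encrypts before forwarding to the next hop


def walk(path):
    """Simulate one message travelling down the path.

    Returns (decryptions, encryptions, cleartext_segments). A cleartext
    segment is a network link between two hops carrying the message
    unencrypted, which is what an end-to-end requirement forbids.
    """
    encrypted_on_wire = True          # the client always sends over TLS
    decrypts = encrypts = clear_segments = 0
    for i, hop in enumerate(path):
        last = i == len(path) - 1
        if encrypted_on_wire and hop.terminates_tls:
            decrypts += 1             # pay for a decryption at this hop
            encrypted_on_wire = False
        # A hop that does not terminate TLS forwards whatever it received.
        if not last and not encrypted_on_wire and hop.terminates_tls and hop.reencrypts:
            encrypts += 1             # pay again to re-encrypt for the next hop
            encrypted_on_wire = True
        if not last and not encrypted_on_wire:
            clear_segments += 1       # this link carries plaintext
    return decrypts, encrypts, clear_segments


def cycles_per_message(path):
    """Total CPU cycles one message costs across the whole data path."""
    d, e, _ = walk(path)
    return d * DECRYPT_CYCLES + e * ENCRYPT_CYCLES + len(path) * LOGIC_CYCLES


def pennies_per_day(path, transactions_per_day):
    """The article's 'pennies add up' arithmetic under the placeholder rate."""
    return cycles_per_message(path) * transactions_per_day / CYCLES_PER_PENNY


def cheapest_compliant(architectures, require_end_to_end):
    """Name of the lowest-cost path that satisfies the encryption policy."""
    allowed = {
        name: path for name, path in architectures.items()
        if not require_end_to_end or walk(path)[2] == 0
    }
    return min(allowed, key=lambda name: cycles_per_message(allowed[name]))


# Three constructed data paths for the same application.
ARCHITECTURES = {
    # Every intermediary decrypts, inspects and re-encrypts: four decryptions.
    "decrypt-everywhere": [
        Hop("edge-lb", True, True),
        Hop("waf", True, True),
        Hop("api-gateway", True, True),
        Hop("app", True, False),
    ],
    # Decrypt once at the edge and forward in the clear (no end-to-end policy).
    "decrypt-once-at-edge": [
        Hop("edge-lb", True, False),
        Hop("waf", True, False),          # inspects the cleartext it received
        Hop("api-gateway", True, False),
        Hop("app", True, False),
    ],
    # LB, WAF and gateway combined on one platform; end-to-end preserved.
    "combined-end-to-end": [
        Hop("edge-lb+waf+gateway", True, True),
        Hop("app", True, False),
    ],
}

if __name__ == "__main__":
    for name, path in ARCHITECTURES.items():
        d, e, clear = walk(path)
        print(f"{name:22} decrypts={d} encrypts={e} cleartext_links={clear} "
              f"cycles/msg={cycles_per_message(path)} "
              f"pennies/day@500k={pennies_per_day(path, 500_000):.0f}")
    print("no e2e requirement ->", cheapest_compliant(ARCHITECTURES, False))
    print("e2e required       ->", cheapest_compliant(ARCHITECTURES, True))
```

Running the script shows the shape of the argument rather than real numbers: under the placeholder rates the decrypt-everywhere path costs more than five times the decrypt-once-at-edge path per message, and when end-to-end encryption is required the combined platform is the cheapest path that still leaves no link in the clear.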

It may seem a waste of time to consider the impact of encryption and decryption for an app that’s lightly used today. The pennies certainly aren’t covering the cost of the effort. But as apps grow, scale and live on over time, those pennies are going to add up to significant amounts. Like pennies, microseconds add up. By considering the impact of cryptography across the entire data path, you can net benefits in the long run for both users and the business.

Intelligent CIO Europe