In computing networks, computing systems, both physical and virtual, often host applications and services that must communicate with other computing systems to perform their intended operations. For example, an application on a first computing system may require data from a database located on a second computing system. To provide that communication, the data payload is placed in a network packet and transferred to the second computing system. However, although network packets provide a method of communication between computing systems, difficulties often arise in managing security between those systems.
To overcome some of the deficiencies in securing network communications between computing systems, various technologies have been developed, including virtual local area networks (VLANs) and encryption of the data payload within the network packets, among other similar security procedures. Yet, while the security technologies currently deployed may provide additional security over unprotected networks, deploying and managing that security can often be difficult and cumbersome. Further, providing a cohesive inter-computing system security policy may be difficult without modifying the applications on the computing systems and/or the configurations of the switches, firewalls, routers, and other similar networking devices that provide connectivity to the computing systems.
Overview
The technology disclosed herein enhances security for inter-computing system communications. In one implementation, a method of managing communications for an application on a computing system includes identifying a communication request from an application on the computing system to transfer data to a second application on a second computing system, wherein the communication request is associated with private addressing information that addresses the second application, and wherein the application and the second application are associated with a communication group. The method further includes generating a network packet to support the communication request, wherein the network packet comprises an encrypted portion and a non-encrypted portion, wherein the encrypted portion comprises the data and the private addressing information, wherein the non-encrypted portion comprises public addressing information and group identifier information, and wherein the group identifier information indicates at least a communication group identifier for the communication group, which the second computing system uses to select the key that decrypts the encrypted portion. The method also includes transferring the network packet to the second computing system.
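The packet layout described above, as an added example that is not part of the disclosed implementation: a cleartext outer header carrying public addressing and the group identifier, an encrypted inner portion carrying the private addressing and the data, and an authentication tag that also covers the outer header so the group identifier and public addresses cannot be altered in transit. The group key table, the addresses, and the port are constructed for the example. The encryption uses an HMAC-SHA256 keystream with a separate HMAC tag so that the block runs on the standard library alone; it stands in for a standard AEAD cipher (AES-GCM or ChaCha20-Poly1305), which is what a production implementation should use.

```python
"""Group-keyed encapsulation of inter-system traffic (added example).

Outer (cleartext) header : public src IP | public dst IP | group id | nonce
Inner (encrypted) portion: private src IP | private dst IP | dst port | payload
Tag                      : HMAC over the outer header and the ciphertext
"""
import hashlib
import hmac
import ipaddress
import os
import struct

# Assumption: one 32-byte key per communication group, distributed out of band
# (for example by a management controller). Constructed values, not real keys.
GROUP_KEYS = {
    1: hashlib.sha256(b"example-group-1-key").digest(),
    2: hashlib.sha256(b"example-group-2-key").digest(),
}

OUTER_FMT = "!4s4sI12s"                  # public src, public dst, group id, nonce
OUTER_LEN = struct.calcsize(OUTER_FMT)   # 24 bytes
INNER_FMT = "!4s4sH"                     # private src, private dst, dst port
INNER_LEN = struct.calcsize(INNER_FMT)   # 10 bytes
TAG_LEN = 32


def _subkeys(group_key):
    """Derive independent encryption and authentication keys from the group key."""
    enc = hmac.new(group_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(group_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(enc_key, nonce || counter) blocks.
    Stand-in for a vetted AEAD cipher; see the lead-in."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(group_id, pub_src, pub_dst, priv_src, priv_dst, dst_port, payload, nonce=None):
    """Build the packet for a request addressed with private addressing.
    Only the public addressing and the group identifier travel in the clear."""
    if group_id not in GROUP_KEYS:
        raise ValueError("sender is not a member of group %d" % group_id)
    enc_key, mac_key = _subkeys(GROUP_KEYS[group_id])
    nonce = os.urandom(12) if nonce is None else nonce
    outer = struct.pack(OUTER_FMT, ipaddress.IPv4Address(pub_src).packed,
                        ipaddress.IPv4Address(pub_dst).packed, group_id, nonce)
    inner = struct.pack(INNER_FMT, ipaddress.IPv4Address(priv_src).packed,
                        ipaddress.IPv4Address(priv_dst).packed, dst_port) + payload
    ciphertext = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    # The tag binds the cleartext header, so swapping the group id or the
    # public addresses on the wire is detected at the receiver.
    tag = hmac.new(mac_key, outer + ciphertext, hashlib.sha256).digest()
    return outer + ciphertext + tag


def decapsulate(packet):
    """Recover the private addressing and data, or raise ValueError.
    The receiver reads the cleartext group id to select the decryption key."""
    if len(packet) < OUTER_LEN + INNER_LEN + TAG_LEN:
        raise ValueError("packet too short")
    outer, body, tag = packet[:OUTER_LEN], packet[OUTER_LEN:-TAG_LEN], packet[-TAG_LEN:]
    pub_src, pub_dst, group_id, nonce = struct.unpack(OUTER_FMT, outer)
    if group_id not in GROUP_KEYS:
        raise ValueError("receiver is not a member of group %d" % group_id)
    enc_key, mac_key = _subkeys(GROUP_KEYS[group_id])
    expected = hmac.new(mac_key, outer + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # verify before decrypting
        raise ValueError("authentication failed")
    inner = _xor(body, _keystream(enc_key, nonce, len(body)))
    priv_src, priv_dst, dst_port = struct.unpack(INNER_FMT, inner[:INNER_LEN])
    return {
        "group_id": group_id,
        "public_src": str(ipaddress.IPv4Address(pub_src)),
        "public_dst": str(ipaddress.IPv4Address(pub_dst)),
        "private_src": str(ipaddress.IPv4Address(priv_src)),
        "private_dst": str(ipaddress.IPv4Address(priv_dst)),
        "dst_port": dst_port,
        "payload": inner[INNER_LEN:],
    }


if __name__ == "__main__":
    pkt = encapsulate(1, "192.0.2.10", "198.51.100.20",
                      "10.0.0.5", "10.0.0.9", 5432, b"SELECT 1")
    print(decapsulate(pkt))
```

A host that is not in the group has no key for that identifier and rejects the packet before decrypting; a host that is in the group but receives a packet whose outer header was modified fails the tag check for the same reason. Because the private addresses are inside the encrypted portion, the switches and routers between the two systems forward on the public addressing only and never see the inner addressing or the data.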