3/15/2017
02:30 PM
Hector Menendez
Commentary

Trust Begins With Layer 1 Encryption

In today's distributed environment, cloud and communication service providers can play a key role in providing organizations with a scalable and secure platform for the connection of everything to everything. Here's how.

At which network layer should we handle security of in-flight data? Some argue the application layer is most appropriate because this is where the user’s personal data, semantics and security requirements reside. Others argue that security should start in the network and physical layers, protecting even the protocol information involved in moving data — implementing encryption as deeply as possible, even at Layer 1. This is particularly true for Internet of Things (IoT) traffic where data generated is never at rest.

Depending on security requirements, both are correct. Security at different levels can be complementary and collectively enhance security. Cybercrime is now costing companies over $400 billion annually. According to Gemalto’s breach level index, since 2013, security breaches have resulted in the loss or theft of an estimated 5.9 billion data records from enterprises worldwide. That’s about 47 records every second. Of course, if records are encrypted, stolen information is useless. But that is only happening 4% of the time! So, while application layer security is a great idea, other layers of protection are also needed.

Regulated industries, such as healthcare and financial services, suffer the most costly data breaches due to fines and a higher-than-average rate of lost business. Last year, the average cost per incident was $4 million, according to a 2016 Ponemon Institute study. Organizations recognize that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve.

Enterprises have traditionally relied on perimeter security in the form of firewalls, DMZs and other technologies. However, as they turn increasingly to cloud-based enterprise services, perimeter security is no longer sufficient. Their enterprise-critical data is distributed far beyond the organization’s boundaries. But doesn’t this evolution from enterprise perimeter security to wide-area networking and cloud services increase the degree of risk for enterprises?

Contrary to some opinion, this move to the cloud is likely to make most enterprises more secure. It is important to remember that Layer 1 security starts with ensuring the physical security of all the various network elements and facilities. Communication Service Providers (CSPs) and cloud providers are better equipped than most enterprises to ensure the physical security of their infrastructure, yielding an improvement to overall security. CSP network elements, for instance, are more tamper-resistant and difficult to deactivate or bypass than their enterprise counterparts. Also, the CSP can ensure the availability of network services with a robust assurance function that can provide the enterprise customer with much greater security than the typical enterprise network provides. It is a similar situation in cloud data centers.

With better physical security for network infrastructure and higher availability and uptime for network resources, the next level of protection is through network traffic encryption. Best practices call for a holistic security approach that includes a multi-layered, “defense-in-depth” strategy.

Encryption is costly at higher network layers. Layer 1 encryption reduces the cost per encrypted bit by integrating the encryption function into the transport system. Encryption at higher layers also adds significant overhead and data stream latency. In contrast, Layer 1 encryption adds almost no additional overhead or latency to the transport process. Hardware-based Layer 1 encryption solutions enable very high bandwidth, encrypting at wire speeds of 10 or 100 Gbps and higher. This is especially critical for services that require real-time traffic management to uphold service level agreement (SLA) requirements for application disk access and rich content delivery such as video and voice calls.

Of course, the encryption algorithm must rely on strong, quality keys. For “top secret” data requiring 256-bit strength, AES with a 256-bit key (AES-256) should be used. And the keys should come from a key generator that produces a truly random, quality key to match the strength of the encryption algorithm.

Key management, exchange and authentication can be labor-intensive and cumbersome when there are many separate encryption devices and encryption streams to manage. By centralizing key management, the CSP can ensure a single point of trust and consistent policy enforcement. It also streamlines administration by allowing updates to be made once and cascaded automatically across the network. This enables single-point key revocation and synchronized, multi-tenant key rotations forced from one point.
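The centralized key management described in the two paragraphs above (256-bit keys, single-point revocation, synchronized multi-tenant rotation) can be modelled as follows. This is an added example, not code from the article or from any provider's product; `CentralKeyManager`, its methods and the tenant names are hypothetical, and the operating system's CSPRNG stands in for a hardware key generator.

```python
import secrets
from dataclasses import dataclass, field

KEY_BYTES = 32  # 256 bits, the key size AES-256 expects


@dataclass
class KeyRecord:
    tenant: str
    version: int
    material: bytes
    revoked: bool = False


@dataclass
class CentralKeyManager:
    """Hypothetical single point of trust for per-tenant link keys."""
    epoch: int = 0
    keys: dict = field(default_factory=dict)  # (tenant, version) -> KeyRecord

    def issue(self, tenant: str) -> KeyRecord:
        # OS CSPRNG stands in for the provider's hardware key generator.
        rec = KeyRecord(tenant, self.epoch, secrets.token_bytes(KEY_BYTES))
        self.keys[(tenant, self.epoch)] = rec
        return rec

    def rotate_all(self) -> list:
        """One operation moves every tenant to a fresh key, same epoch."""
        tenants = sorted({tenant for tenant, _ in self.keys})
        self.epoch += 1
        return [self.issue(tenant) for tenant in tenants]

    def revoke(self, tenant: str, version: int) -> None:
        """Revoke once, centrally; every later fetch sees the change."""
        self.keys[(tenant, version)].revoked = True

    def fetch(self, tenant: str, version: int) -> KeyRecord:
        """What an encryption device calls; refuses unknown/revoked keys."""
        rec = self.keys.get((tenant, version))
        if rec is None or rec.revoked:
            raise PermissionError(f"no usable key for {tenant} v{version}")
        return rec


def demo() -> dict:
    km = CentralKeyManager()
    first = {t: km.issue(t).material for t in ("tenant-a", "tenant-b")}  # constructed names
    rotated = km.rotate_all()
    km.revoke("tenant-a", 0)  # old key retired in one place
    return {"km": km, "first": first, "rotated": rotated}
```

Because devices call `fetch` instead of caching policy locally, a revocation or rotation made once at the manager is what every encryption stream sees on its next request.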

Enterprises should feel more confident about distributing their applications across the wide area and utilizing cloud-based services. The new distributed, cloud model is changing many aspects of our digital world, perhaps none more so than the key role that CSPs play to provide a global, scalable and secure platform for the connection of everything to everything. Layer 1 security is the foundation for confidence and trust in securing data while in-flight.

Hector is focused on optical networking solutions. In this role, he develops and markets service provider solutions on topics including mobile fronthaul, mobile backhaul, and secure optical transport. Hector has over 25 years of telecommunications experience and has held a ...