Encryption remains top cyber defense for data-in-motion

How can enterprises and governments protect their data-in-motion against the growing threat of cybercrime without a heavy cost to performance, complexity and latency? Let's take a look at the latest advances in optical layer encryption technology.
Arthur Cole

Major cyberattacks, like the one that hit the US’s Colonial Pipeline recently, highlight the importance of data and infrastructure security for all businesses today, no matter how large or small.

But as disruptive as the Colonial attack was, it is important to draw some distinctions between what happened in that case and what still remains as the key vulnerability in most organizations’ digital infrastructure. The ransomware that afflicted Colonial was most likely attached to an email link that someone in the company opened, allowing the malware to slip past firewalls and other protective technologies to attack a critical back-office system. Reports indicate that it encrypted data-at-rest related to the company’s billing system, preventing the company from tracking orders and supplies.

While this is a significant attack, it nevertheless draws attention away from the fact that the most vulnerable data in any organization is not the data-at-rest tucked away in storage but the data-in-motion that is flowing across increasingly diverse and vulnerable public and private networks. The fact is that cybercriminals are well aware of the tools companies use to thwart intrusion into their internal infrastructure and are increasingly focusing their efforts on tapping into the Layer 1 and Layer 2 elements of the networks connecting data centers to each other and to the cloud.

Full performance

Encrypting this data should therefore be a top priority for any business. But one of the chief obstacles that most organizations encounter when trying to implement an effective network encryption scheme is how to do it effectively without throttling data speeds that have become the lifeblood of today’s business model.

Fortunately, modern optical layer encryption technology is proving to be highly effective at protecting critical data-in-motion without producing an appreciable impact on latency, even at heavy data loads. Encrypting at the transport layer effectively safeguards every higher layer of the network stack, because all of that traffic rides on the transport layer. Transport layer encryption also ensures that all data crossing the link is encrypted, providing a level of post-encryption data integrity that cannot be matched at any other layer. At the same time, this comes without a performance penalty, which is why networks with the strictest latency requirements, including those fielded by financial institutions and government agencies, rely on the optical encryption capabilities of systems like the ADVA FSP 3000 with ConnectGuard.


Network encryption will become increasingly vital as more data collection and processing takes place on the edge where it can best serve the needs of IoT connected devices. While much of this data is likely to be ephemeral and not highly valuable in a broader sense, it is nevertheless vital to the smooth functioning of critical services like health care devices and autonomous transportation.

A key requirement on the edge, of course, is the ability to extend encryption across multiple domains and service provider networks. Solutions like MACsec, for instance, now offer the ability to provide end-to-end security across MEF Layer 2 cloud networks. This allows service providers to devise a wide range of targeted encryption-as-a-service offerings to their clients, while at the same time enabling compatible security frameworks with broader optical networks using tools like dynamic, quantum-safe key exchange and hardware tamper protection.

Quantum security leap

As cybercriminals begin to leverage the same quantum computing resources that many organizations are using for legitimate purposes, the need to fight fire with fire is rising. Thankfully, there are technologies available to mitigate the emerging quantum threat, most notably post-quantum cryptography (PQC) and quantum key distribution (QKD). PQC applies classical encryption using algorithms designed to resist quantum attack. QKD uses the laws of physics to create tamper-proof encryption keys. The trick, however, is maintaining the security of the keys while preserving the benefits of open line system (OLS) networks. To that end, ADVA has begun working with the European Commission’s OPENQKD program to create a secure European network based on QKD. Already, ADVA has played key roles in the establishment of the UK’s first QKD-based network and the first 100Gbit/s quantum-safe optical link exceeding 2,800km using a post-quantum key exchange protocol. As well, ADVA is an early adopter of ETSI’s newest key delivery interface standard, which brings QKD-based keys to commercial hardware encryption systems.

With each new cyberattack, enterprises learn more about how their systems can be penetrated and where the vulnerabilities lie. Beyond the firewall, however, data enters a no-man’s land where it can touch virtually any infrastructure supporting unknown levels and types of security. Encrypting this data in an effective and efficient manner will become a top priority as the cloud gives way to the edge and beyond. 

When the hardware and platforms are beyond your control, the only thing left to secure is your data itself.
