Modular Security for Data-Center Interconnection

Todd Bundy

Today’s data centers are state-of-the-art, heavily secured facilities in which extraordinary efforts are undertaken—at sometimes extraordinary expense—to protect a company’s most highly sensitive information assets.

But what happens when the data leaves the building? Today’s weak link in data-center security typically is the connection from one facility to another—one that is either owned and maintained by the enterprise or procured from a carrier.

Sufficiently protecting data along these connections—without jeopardizing the performance of a company’s most demanding local and storage area network (LAN and SAN) applications that are carried across them—demands an end-to-end, modular approach to security that can be tailored to varying needs. Such an approach draws on multiple security principles. Solutions based on Layer 3 encryption protocols such as Internet Protocol Security (IPSec) and Secure Sockets Layer (SSL) Virtual Private Network (VPN) are often not appropriate for securing a company’s most time-sensitive LAN and SAN services, for example, because of the security scheme’s impact on latency and other key performance parameters. Data-center managers require a security solution that delivers ample protection while at the same time supporting the necessary levels of application speed, throughput and configuration simplicity.

End-to-end monitoring of optical-layer performance and power is particularly valuable for data mirroring and other synchronous services. Without increasing a data-center network’s bandwidth requirements or latency, enabling intrusion detection at the physical layer can support fast identification, isolation and mitigation of network events such as malicious breaches, cable breaks, receiver overloads and data-signal loss or weakness. Violation of software-adjustable switching thresholds, for example, can reveal fiber cuts. Fiber degradation can be revealed by alarms tied to adjustable minimum/maximum fiber-attenuation thresholds. Comparing live optical power against a link’s typical power signature can help detect fiber intrusion, and a spatial fault locator leveraging in-service Optical Time Domain Reflectometry (OTDR) measurement can help pinpoint fiber problems such as taps quickly for more rapid resolution. Tracking long-term fiber performance in a database, meanwhile, can help data-center managers head off issues before they become outages.
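The threshold-based monitoring just described, as an added defender-side example that is not code from the original article or from any vendor’s WDM system: a small Python analyser that scans a constructed stream of received-power readings and raises one event per threshold violation (loss of signal, receiver overload, slow attenuation beyond a limit, and an abrupt drop against the learned power signature that merits a tap investigation). The dBm thresholds, the size of the baseline window and the mean-plus-spread model of a power signature are assumptions chosen for illustration; real values depend on the optics, the link budget and operator policy.

```python
"""Threshold-based optical-layer monitoring over received-power samples.

Constructed example: readings are dBm values as a transponder receiver might
report them once per second.  All thresholds below are assumptions chosen
for illustration, not values from any real transponder or vendor system.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Thresholds:
    los_dbm: float = -30.0          # below this: loss of signal (e.g. cable break)
    overload_dbm: float = -3.0      # above this: receiver overload
    max_attenuation_db: float = 3.0 # slow drift below baseline beyond this: degradation
    tap_step_db: float = 0.5        # abrupt one-sample drop beyond this: possible tap
    tap_sigma: float = 4.0          # ...and beyond this many baseline std devs


@dataclass(frozen=True)
class Event:
    index: int        # position of the offending sample in the stream
    kind: str         # 'loss_of_signal' | 'receiver_overload' | 'degradation' | 'possible_tap'
    power_dbm: float  # the reading that triggered the event


def baseline(samples):
    """Learn the link's power signature (mean and spread) from a known-good window."""
    if len(samples) < 2:
        raise ValueError("need at least two baseline samples")
    return mean(samples), pstdev(samples)


def classify(p, prev, mu, sigma, th):
    """Map one reading to an event kind, checking the gross failures first."""
    if p < th.los_dbm:
        return "loss_of_signal"
    if p > th.overload_dbm:
        return "receiver_overload"
    drop = prev - p  # positive when power fell since the previous sample
    # A passive tap bleeds off a small, permanent share of the light, which
    # shows up as a sudden step down that the normal noise does not explain.
    if prev >= th.los_dbm and drop > th.tap_step_db and drop > th.tap_sigma * sigma:
        return "possible_tap"
    # Ageing or stressed fiber drifts down gradually; alarm once the cumulative
    # loss against the learned signature exceeds the attenuation limit.
    if mu - p > th.max_attenuation_db:
        return "degradation"
    return "normal"


def analyse(readings, baseline_window=10, th=Thresholds()):
    """Scan readings in order and return one Event per state transition.

    The first `baseline_window` readings are treated as the known-good signature.
    Emitting only on transitions (normal -> degraded, degraded -> LOS, ...)
    keeps a persistent fault from flooding the log with identical alarms.
    """
    mu, sigma = baseline(readings[:baseline_window])
    events, last_kind = [], "normal"
    for i in range(baseline_window, len(readings)):
        kind = classify(readings[i], readings[i - 1], mu, sigma, th)
        if kind != "normal" and kind != last_kind:
            events.append(Event(i, kind, readings[i]))
        last_kind = kind
    return events


# Constructed stream: 10 quiet baseline samples, a brief quiet period, an abrupt
# 0.75 dB drop (tap-like), a slow slide past the 3 dB attenuation limit, a break,
# and finally a hot signal well above the receiver's overload point.
SAMPLE_READINGS = [
    -12.0, -12.1, -11.9, -12.0, -12.05, -11.95, -12.0, -12.1, -11.9, -12.0,  # baseline
    -12.0, -12.05,                                                          # quiet
    -12.8, -12.8, -12.85,                                                   # abrupt drop
    -13.2, -13.6, -14.0, -14.4, -14.8, -15.2, -15.6,                        # slow slide
    -45.0, -45.0,                                                           # loss of signal
    -1.0,                                                                   # overload
]

if __name__ == "__main__":
    for ev in analyse(SAMPLE_READINGS):
        print(f"sample {ev.index:2d}: {ev.kind:17s} at {ev.power_dbm:6.2f} dBm")
```

On this stream the analyser reports a possible tap at sample 12, degradation once the cumulative loss passes 3 dB at sample 20, loss of signal at sample 22 and receiver overload at sample 24; checking loss of signal and overload before the step test is what keeps a cable break from being misreported as a tap.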

Together, these capabilities provide substantial protection against intrusion on the optical connections among data centers, but even they are not enough. The security task facing data-center managers has grown significantly more challenging over the last decade: as companies have sought to share more and more valuable information assets over longer and longer distances, the methods of, and opportunities for, accessing data in transit across optical fiber have multiplied and become harder to detect. For example, low-cost, passive, non-intrusive optical monitoring devices have emerged and are widely available. Because they can be used to view data in transit without actually harming the fiber link, data-center managers require an additional measure of protection beyond intrusion detection.

To address this issue, encryption can be added per channel on an as-needed basis in some implementations of Wavelength Division Multiplexing (WDM) transmission. Some WDM systems allow for the strategic, selective encryption of individual Ethernet, Fibre Channel, InfiniBand or other services at the physical layer, on the transponder card itself. This modularity is critical because no cloud provider, for example, could afford to deploy and manage hundreds of separate encryption devices at the ends of all of its optical links to its users. Rather, by enabling per-channel encryption via a single, customer-owned card—inserted into the service provider’s existing WDM system, which is already multiplexing the protocols—data security is achieved for key links without the need for additional boxes or rack space. The customer retains control of its cards and its encryption keys.

With such a complete and integrated, modular approach to protection—leveraging physical-layer monitoring, per-channel encryption and security-hardened software—critical information is protected without jeopardizing superior, low-latency performance for an enterprise’s most demanding applications. Companies cost-effectively comply with information-protection regulations and protect their businesses, and carriers and service providers are positioned to serve new customers in key verticals and differentiate offerings by enabling new encryption services such as transmission and encryption management.

The unique ability to fully encrypt payloads and monitor for intrusions at the physical layer is yet another reason that WDM figures to be the unifying platform for data-center interconnection for the foreseeable future. Enabling native-speed performance for any standard protocol, supporting lowest-latency transmission and offering unlimited bandwidth, sophisticated security and investment protection, WDM provides data-center managers with an unmatched set of capabilities for simplifying support of their companies’ full array of LAN and SAN applications.
