Stopping Spies When Data Is in Motion


When I was a kid, spying was something countries did to maintain the upper hand in war, trade negotiations, bragging rights and financial gain. The tools of the spy trade included listening/recording devices, super telephoto lenses, a submarine, a stylish and aloof international man or woman and, most importantly, a very fast car, plane or speed boat. At least, that’s what the James Bond movies led us all to believe.

Thieves got the goods by learning and then exploiting a person’s habits, rituals, weaknesses and friends. It took hard work, a lot of time and a personalized approach.

Now that so much of our lives is captured as digital data, thieves in the form of governments, special interest groups, organized criminals or bored teenagers have a much quicker, surer way to steal our money, our secrets, and even our physical safety. They can use tools like email, software, key loggers and fiber taps to spy on our data as it sits on a platform or portal, or as it flows from one machine to another. And they can do all that with automated precision and massive scale.

We hear a lot about protecting data with ever more sophisticated ways to make it difficult for a thief to gain access to our passwords and then our bank, email, health care or online communities. Once they get access they can take things, change things, learn things and expose things.

Protecting Packets Secures Data in Motion

Many experts are working on the “stored” data security problem. But protecting data in motion as it moves over optical fibers from one machine/platform to another by encrypting all data makes it nearly impossible to tap. This is especially important at a time when fairly simple yet powerful fiber-tapping devices can be created from low-cost items purchased from the local electronics store.

In May, I participated in a panel discussion led by Heavy Reading analyst Sterling Perrin that discussed the benefits of optical line encryption at the Big Communications Event (BCE) in Austin. He said that the optical line network was originally believed to be inherently secure, but that this has proved to be incorrect. He went on to say that recent efforts to shed light on the data spying of leading governments, including the release of classified documents by Edward Snowden, show that massive sweeps of data are collected by political bodies and organizations with purely nefarious intent.

Optical Line Encryption Is Safe, High-Performance and Cost-Effective

Encryption at the physical network level is a cost-effective, elegant and automated way to mass-protect moving data. Encryption at Layer 1 has three significant advantages over encryption at other layers. It bullet-proofs any information from the moment it leaves one premises until it arrives safely at the next. It does this without slowing down transport, and it’s also the lowest-cost solution. It’s virtually impossible for fiber taps to gain meaningful information from data that is encrypted in this way, and when the encryption equipment is placed at the premises it eliminates the need for other equipment. That’s what makes it far simpler and more cost-effective than application layer encryption.

According to the IBM Security Services 2016 Cyber Security Intelligence Index, the healthcare industry shot to the top of the list of most attacked industries in 2015. In fact, they coined 2015 as “the year of the healthcare breach.”

The IBM security team explains that electronic health records fetch a high price on the black market because they are packed with a wealth of exploitable information. Their report goes on to say, “They typically contain credit card data, email addresses, social security numbers, employment information and medical history records – much of which will remain valid for years, if not decades. Cyber thieves are using that data to launch spear phishing attacks, commit fraud and steal medical identities.”

We are seeing the same uptick in breaches and therefore heightened customer interest in encryption solutions. For the panel at BCE, I presented two use cases, one of which involves data center interconnect for a healthcare insurance company with several thousand offices in Germany. To ensure regulatory compliance, this company operates a twin data center architecture, a master data center with a backup data center that provides synchronous data mirroring for redundancy and five-nines availability.

The network setup for the company’s two data centers is a high-speed, high-performance short run over leased lines: 1/10/40 Gigabit Ethernet, 8/16G Fibre Channel and 5G InfiniBand. It’s a decent-size operation – they’ve got over 50 wavelengths transporting more than 100 services. Everything needs to be architected for transparency and lowest latency. And it’s got to be secured. With ADVA Optical Networking’s FSP 3000 ConnectGuard™, this company is encrypting data at Layer 1 as it races from one data center to the twin and back. With this integrated solution, performance is not hindered and latency is very low. Because we handle everything in a single box, this is the most cost-effective way of securing data when performance must be high and latency very low.

Encryption at the Network Layer Is the No-Compromise Option

Encryption at the transport layer is working so well with the data centers that we are now working with the company to provide secure Layer 2 connectivity for their most relevant branch offices. The capacity is lower and in the range of a few hundred Megabits per second. So in this case we will be providing Layer 2 encryption with the same attributes as we are achieving between the twin data centers.

The other example I presented is a global bank with offices in Europe, Asia and North America. We started with the same data center interconnection solution with Layer 1 encryption to serve the bank’s six twin data center locations. Bank IT executives then decided to extend the secured connectivity to their wide area network, which is massive. They are operating a 10GbE OTN-based corporate backbone and are putting the optical encryption gear in to first convert the Ethernet connection into an OTN connection and at the same time encrypt the data, so the data flows securely over the global WAN.

This is a great example because they basically don’t introduce any overhead. They are saving 40 to 50 percent on global capacity costs when compared with the extra appliances that would be used on the IP or application layer.

Network level encryption is working extremely well for data center interconnect and enterprise WAN applications today. We’re focusing on providing encryption integrated into a single transport network appliance located at the premises for high-throughput applications. With the ADVA FSP 3000 ConnectGuard™ encryption equipment, our customers are spending half as much to secure their data.

Customers are realizing they no longer need to compromise. When it comes to securing data in motion they can achieve maximum security together with highest performance and lowest cost.
