Why network-level data encryption matters in the cloud

Arthur Cole

Enterprise infrastructure has become increasingly dependent on the cloud, which is naturally leading to growing concerns about data security.

While the cloud in many ways offers better security than the traditional on-premises data center, this should not obscure the fact that complex architectures tend to have more vulnerabilities than simple ones, and the cloud is nothing if not complex.

One of the key challenges is securing data as it travels between the cloud and the user. Whether this journey runs across town or halfway around the world, data is likely to pass through multiple network providers and other handlers, even if the entire wide-area infrastructure is harnessed under a single WAN or SD-WAN solution. Not only does this introduce gaps in security that can be exploited, it also often leads to the deployment of multiple encryption and other security mechanisms, all of which hamper performance and diminish the visibility the enterprise needs to manage traffic flows.

Full network protection

This is why many organizations are turning to network-level encryption for their entire cloud ecosystem. By bringing all data communications under a single solution, organizations are finding that they can quickly fulfill the requirements of emerging regulatory regimes like GDPR and PCI DSS across their distributed data footprints, while at the same time cutting down on the management headaches of overseeing countless service- or provider-based solutions.

According to Markets and Markets, the network encryption market is set to expand from $2.9 billion today to $4.6 billion by 2023, a compound annual growth rate of 9.8%. This is, in fact, one of the few areas of the IT stack that is expected to be dominated by hardware rather than software in the coming years. With a solid hardware foundation, network security benefits from top performance in high-speed, low-latency environments, and a single platform can provide robust security across all endpoints, networks and applications.

This trend can be seen in companies like Colt Technology Services, which recently began providing an Ethernet Line Encryption service using the ADVA FSP 150 appliance running the ConnectGuard security system. In this way, the company provides end-to-end data protection on low-latency infrastructure up to 10Gbit/s, all while meeting the stringent regulatory environments of Europe, North America and Asia.

Encryption in a box

The FSP 150 is a Layer 2/3 service demarcation solution that provides forwarding, filtering and other advanced services for IP traffic. When combined with the ConnectGuard™ system, the device provides L2 MACsec encryption at line rate on a per-EVC basis, as well as robust AES encryption and a key distribution mechanism based on the IEEE 802.1X standard coupled with a dynamic key exchange process using the Diffie-Hellman algorithm.
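To make the mechanism described above concrete, here is an added example (not code from ADVA, Colt or ConnectGuard) that models the two pieces in software: a Diffie-Hellman key agreement (X25519 stands in for the exchange) that yields a shared Secure Association Key, and AES-GCM protection of an Ethernet-style frame in which the MAC addresses and packet number stay in the clear so the network can forward the frame, but are covered by the authentication tag, and a monotonically increasing packet number rejects replayed frames. The wire layout, the "example-salt"/"example-sak" HKDF labels and the 0x0001 port id are constructed for the example; real MACsec negotiates keys through the 802.1X MACsec Key Agreement protocol and uses the 802.1AE SecTAG format, neither of which is reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Simplified model of MACsec-style link encryption (added example, not the
// 802.1AE wire format and not vendor code). Wire layout used here:
//   dst(6) | src(6) | pn(4) | AES-GCM ciphertext | 16-byte GCM tag
const hdrLen = 6 + 6 + 4

// newKeyPair creates the ephemeral Diffie-Hellman share one end of the link
// contributes to key agreement (X25519 is used as the DH group).
func newKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveSAK turns the DH shared secret into a 128-bit Secure Association Key
// with HKDF (HMAC-SHA256 extract, then one expand step). Labels are constructed.
func deriveSAK(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, []byte("example-salt"))
	extract.Write(shared)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte("example-sak"))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)[:16], nil // AES-128 key
}

// gcmNonce builds the 96-bit nonce from the sender's identity and the packet
// number, so a nonce is never reused under one SAK as long as pn increases.
func gcmNonce(src []byte, pn uint32) []byte {
	nonce := make([]byte, 0, 12)
	nonce = append(nonce, src[:6]...)
	nonce = append(nonce, 0x00, 0x01) // constructed port id
	return binary.BigEndian.AppendUint32(nonce, pn)
}

// protectFrame encrypts the payload and authenticates the whole frame. The
// header is transmitted in the clear but is bound to the tag as AAD, so any
// change to dst, src or pn fails verification at the receiver.
func protectFrame(sak []byte, dst, src [6]byte, pn uint32, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	header := make([]byte, 0, hdrLen)
	header = append(header, dst[:]...)
	header = append(header, src[:]...)
	header = binary.BigEndian.AppendUint32(header, pn)
	out := append([]byte(nil), header...) // separate buffer: output must not alias the AAD
	return gcm.Seal(out, gcmNonce(src[:], pn), payload, header), nil
}

// unprotectFrame verifies and decrypts a frame from protectFrame. lowestPN is
// the receiver's replay floor: frames numbered below it are dropped before any
// cryptographic work, which is how MACsec's replay protection behaves.
func unprotectFrame(sak []byte, lowestPN uint32, wire []byte) (payload []byte, pn uint32, err error) {
	if len(wire) < hdrLen+16 {
		return nil, 0, errors.New("frame too short")
	}
	header := wire[:hdrLen]
	pn = binary.BigEndian.Uint32(header[12:16])
	if pn < lowestPN {
		return nil, pn, errors.New("replayed frame rejected")
	}
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, pn, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, pn, err
	}
	payload, err = gcm.Open(nil, gcmNonce(header[6:12], pn), wire[hdrLen:], header)
	if err != nil {
		return nil, pn, errors.New("authentication failed: frame modified or wrong key")
	}
	return payload, pn, nil
}

func main() {
	a, _ := newKeyPair()
	b, _ := newKeyPair()
	sakA, _ := deriveSAK(a, b.PublicKey())
	sakB, _ := deriveSAK(b, a.PublicKey())
	fmt.Println("both ends derived the same SAK:", bytes.Equal(sakA, sakB))
	dst, src := [6]byte{0x02, 0, 0, 0, 0, 0x02}, [6]byte{0x02, 0, 0, 0, 0, 0x01}
	wire, _ := protectFrame(sakA, dst, src, 7, []byte("constructed payload"))
	plain, pn, err := unprotectFrame(sakB, 7, wire)
	fmt.Printf("pn=%d payload=%q err=%v\n", pn, plain, err)
	_, _, err = unprotectFrame(sakB, 8, wire) // same frame again, below the replay floor
	fmt.Println("replay:", err)
}
```

The point to take from the model is which fields the receiver checks before trusting a frame: the packet number against its replay floor, then the GCM tag over header and payload under the agreed SAK. A frame whose addresses were rewritten in transit, or that is replayed after the window has moved on, is dropped at line rate without the payload ever being decrypted.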

All of these tools can be implemented with only microseconds of added latency and virtually no impact on throughput, something that cannot be said of competing solutions like IPsec.

Going forward, we can expect the vast majority of network traffic to be encrypted, which means vital services will slow to a crawl (or fail to emerge at all, as in the case of rising IoT infrastructure) unless there is a performance penalty-free way of protecting data on the network level.

The key challenge for enterprises migrating to the cloud is to implement network encryption before workloads become scattered across multiple providers and platforms, each with their own solution. A distributed data architecture is already complicated enough without having to go back and reconfigure something as fundamental as data encryption – particularly when diminished, or even disrupted, service will have such detrimental consequences for the business model.
