The role of encryption in securing data centre connectivity
Thales – Information Systems Security
www.thalesgroup.com/iss

Contents

Introduction (page 3)
A growing dependence (page 4)
Key issues and challenges in protecting data in transit (page 5)
    The cost of data breaches
    Compliance pressures
    Reducing operating costs
    Understanding the security risks associated with data in transit
Encryption holds the key (page 7)
Understanding encryption (page 8)
    Choosing the right encryption
Conclusion (page 10)

Introduction

As the volume of data used to conduct day-to-day business continues to grow, enterprises are looking for reliable and cost-effective ways to access, manage and transport information, to ensure maximum availability and minimum impact on operations. In their quest for the right balance between data availability and cost savings, companies need to ensure that data security does not get pushed down the priority list.

While businesses are generally aware of the data breach risks associated with data in storage, they are typically less knowledgeable about the security procedures associated with data in transit between storage and processing sites. As a result, sensitive data often remains unprotected at certain points in the processing chain, creating significant threats. This situation is exacerbated by the popular perception that the computing power required to encrypt data in transit can harm the business by slowing down operations. Yet, as global players become increasingly dependent on interconnected systems, a thorough understanding of the issues around data transport security is now of vital importance. A data infrastructure is only as strong as its weakest link, and in many cases that link is data transport.

This guide analyses the security of data in transit, and offers Chief Information Security Officers and Network Architects advice on how encryption can play a positive role, without adversely impacting operational performance, in enabling cost-effective use of data transport resources.

A growing dependence

Global business is growing more and more reliant on interconnected systems. These systems are increasingly responsible for carrying critically important data – from personal information on clients and employees and sensitive strategic details exchanged on corporate activities, to financial transactions and confidential information vital for business continuity and success. At the same time, corporate data storage requirements have kept growing, placing greater demand on high-speed, high-bandwidth services to carry this volume of data across an increasingly distributed environment.

Take the example of an insurance company. Typically, an insurance company will retain a record of clients' previous claims and other sensitive data, and make it accessible to the client 24/7 through call centres that can be spread around the world. At any given moment a call can be placed by any customer, and it will be promptly answered by a call centre representative most likely based many miles from where the data is physically stored. Nowadays, most companies are expected to offer this level of service and to deal with enquiries without delay. Yet the information required to answer a simple customer question often needs to travel around the world, so the risk of the data being exposed is significant. Today, companies need to be aware that not only is the volume of data growing, but so is the number of occasions on which data can be exposed to fraudulent attacks.

With more data potentially prone to interception over these distributed systems, protecting its confidentiality and integrity is becoming more and more important. Security breaches can easily cause significant damage, both in financial losses and in corporate reputation. The latest research by the Ponemon Institute has found that data breaches continue to be very costly for UK businesses. In fact, the average cost per compromised record increased in 2009 by 7%, although the average organisational cost decreased slightly, from £1.73 in 2008 to £1.68 in 2009. Consequently, ensuring end-to-end data security should be a key priority for all businesses looking to reduce unwanted risk and protect their reputation.

Key issues and challenges in protecting data in transit

The cost of data breaches

Efficiency pressures, combined with the growing volume of data used by the enterprise and the reliance on interconnected systems, are all driving the need to secure data in transit. Moreover, companies need to take into account the cost, both monetary and reputational, should a data breach occur. When a business sustains a data breach, the price is not limited to the cost of patching the vulnerability; it also includes mitigating the impact of the breach on the company's reputation. The list of consequences continues with potential legal costs, as companies could be exposed to court cases and subsequent judicial actions. Businesses that find themselves the victim of a fraudulent attack could also face cumbersome administrative costs. For example, if credit card data is exposed as a result of a compromised data backup system, not only does that information channel need to be re-secured, but card issuers will also need to produce and distribute new credit cards to all affected customers.

Compliance pressures

Companies are already struggling to come to terms with securing critical data elements to meet the requirements of regulations such as the Payment Card Industry Data Security Standard (PCI/DSS), the European Union Data Protection Directives and Basel II, to name just a few. In the near future, existing laws are likely to be modified to mandate more specifically what companies should do to achieve compliance. In addition, new and tougher regulations are also expected to enter the regulatory arena. Many in the industry believe that regulation should go one step further and require entities that are compromised to go public with their breach. Regulations to this effect have already been put in place in certain countries and jurisdictions. In the State of California, a law requires companies doing business in the State to inform customers if their records have been leaked and put at risk. About 40 other US states have now followed this lead, and the adoption of similar legislation throughout Europe is increasingly being discussed.

Reducing operating costs

In addition to the challenges mentioned above, businesses face the ever-present pressure to reduce operating costs and increase revenues. Yet growing data volumes mean more complex infrastructures and increased costs. Companies need to be able to distribute data reliably and quickly, using a configuration that allows multiple users to share the same infrastructure.

When transferring data, businesses can either rent a dedicated private line, at high cost, or use a shared infrastructure by buying the bandwidth they need in a much larger pipeline. While the second option is more cost-effective, data in a shared pipeline is also more exposed to the possibility of interception. Businesses are therefore confronted with a dilemma: is it better to choose an expensive dedicated infrastructure, or to opt for a cheaper shared pipeline that exposes data to a greater risk of being breached?

Understanding the security risks associated with data in transit

There is a pressing need to increase awareness of the risks associated with data in transit, and to correct the misconception that data at rest is more vulnerable to attack because it is stored in one location. Data centres are typically secured through both physical and virtual access control mechanisms, and specific industry standards define protection measures against a wide range of threats, from fraudulent attacks to natural disasters that may cause a data centre to lose information. By contrast, data in transit has a dramatically higher level of exposure. However, because there is generally limited knowledge about what happens to data in transit, it is difficult to determine the real extent of the threats. It is therefore crucial to have certainty that data has not been copied, altered or compromised at any point during processing, including storage and transit. For example, the information may have been copied and still reach its final destination, or data may have been altered in such a subtle way that, if undetected, it could cause subsequent harm.

Encryption holds the key

The tried and tested technique of data encryption is already widely used to protect storage networks holding highly confidential and mission-critical data. Because data in transit is part of this overall fabric, security of the transport infrastructure must be part of the solution. Encryption is widely accepted as the most effective way of securing data on the market today and, while it may not be the silver bullet that ensures complete data security, it can go a long way towards addressing the security issues affecting today's highly distributed business environment. For example, organisations that use disaster recovery sites typically rely on periodic backup data transfer connections or on tapes sent via a secure courier. If the information is intercepted in transit, or if the courier misplaces a tape bearing sensitive data, the company will incur all the costs already mentioned. If the same scenario occurs but the intercepted connection or lost tape contains encrypted data, the information is not accessible to an unauthorised party and remains uncompromised.

As an end-to-end security mechanism, encryption is increasingly favoured by regulators and policy makers. Because of the black and white nature of the technology, data is either secure or insecure: a very measurable parameter that is well received by auditors and regulators. In addition, by encrypting data, businesses can achieve a more secure end-to-end environment that enables them to use shared infrastructure for data transit without compromising security.

Understanding encryption

The basic purpose of encryption is to take 'clear text', such as the text you are now reading, and apply a predefined algorithm to it to make it unreadable to an unauthorised user or entity. An encryption algorithm is a mathematical process performed on the clear text data that turns the clear text into this protected text. The algorithms used are industry-standard ciphers such as the Data Encryption Standard (DES) or the Advanced Encryption Standard (AES). Often these algorithms perform mathematical functions on each byte of data, or they shift and move data within individual bytes; alternatively, they perform a combination of these actions.

Anything but the simplest encryption algorithm uses encryption keys to make the algorithm more complex and harder to crack, thereby making the encrypted text more secure. The encryption key is a unique string of data that is fed into the encryption algorithm and alters the way in which the algorithm works. Encryption keys are often generated from passwords or from random data.

Encryption is a powerful security resource that enterprises can use as part of a defence-in-depth strategy. If other security measures such as physical barriers, firewalls or intrusion detection systems fail, encryption can act as the last line of defence and ensure that stolen data is still not readable by the unauthorised entity. Unfortunately, at present, encryption often goes unused at certain points in the data processing chain, as the computing power it requires can slow down operations or transactions, depending on where it is applied. For example, many businesses today rely on Network Layer 3 Internet Protocol (IP) encryption for most of their security needs. Layer 3 encryption – referring to the Open Systems Interconnection (OSI) model for data networking – can add significant overhead to the data exchanged and can adversely affect the efficiency of operations. Encryption, however, can take many different forms, and it is a matter of using the most efficient and suitable form to protect a company's data effectively.

Choosing the right encryption

Many data centres today rely on Layer 3 encryption based on IP Security (IPSec). IPSec is the standard typically used in Virtual Private Networks (VPNs) that segregate and protect private traffic within a public shared network infrastructure.
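Before the layer comparison, the basics from the "Understanding encryption" section above in working code, as an added example that is not from the paper or from any Thales product: AES (which the paper names) in GCM mode (a choice made here; the paper names no mode), a key taken from random data and a key derived from a password (PBKDF2-HMAC-SHA256, written out so that only the Go standard library is needed), and a check that a single altered bit in the protected text is detected, which is the integrity property the paper asks for when it warns of data "altered in such a subtle way". The password, salt and message are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// randomKey returns a fresh 256-bit AES key from the operating system's
// cryptographic random number generator: the "random data" route to a key.
func randomKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// passwordKey derives a 256-bit key from a password with PBKDF2-HMAC-SHA256
// (RFC 8018), written out so only the standard library is needed. The salt
// should be random and stored next to the ciphertext; the iteration count is
// what makes guessing the password slow.
func passwordKey(password, salt []byte, iterations int) []byte {
	// One 32-byte SHA-256 block is exactly one key, so only block index 1 is needed.
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// sealMessage encrypts plaintext with AES-256-GCM. GCM is an authenticated
// mode: the 16-byte tag it appends lets the receiver detect any change to the
// ciphertext, so integrity is protected as well as confidentiality. The nonce
// must never repeat under one key; a fresh random one is drawn per message and
// sent in clear in front of the ciphertext.
func sealMessage(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice: nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openMessage reverses sealMessage. It returns an error and no plaintext at
// all when the tag does not verify: wrong key, or a message altered in transit.
func openMessage(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// tamperDetected flips one bit in the middle of the sealed message (past the
// nonce) and reports whether openMessage rejects the result, as it must.
func tamperDetected(key, sealed []byte) bool {
	altered := append([]byte(nil), sealed...)
	altered[len(altered)/2] ^= 0x01 // a "subtle" one-bit change
	_, err := openMessage(key, altered)
	return err != nil
}

func main() {
	// Constructed sample values; a real salt would be random per password.
	key := passwordKey([]byte("correct-horse-battery"), []byte("constructed-salt-0001"), 100000)
	msg := []byte("claim record 4711: policy renewed (constructed sample)")
	sealed, err := sealMessage(key, msg)
	if err != nil {
		panic(err)
	}
	got, err := openMessage(key, sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, msg))
	fmt.Println("one-bit change detected:", tamperDetected(key, sealed))
	other, _ := randomKey()
	_, err = openMessage(other, sealed)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The design point worth noticing is that a message whose protected text has been changed fails to decrypt outright instead of yielding subtly wrong clear text; with an unauthenticated mode the paper's "secure or insecure" distinction would cover confidentiality only. High-rate link encryptors at Layer 2 or Layer 3 generally use a counter rather than a random value for the per-message nonce, because a 96-bit random nonce must never repeat under the same key.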
There are seven layers at which encryption can be applied, each corresponding to a layer of the OSI model for data networking: physical, data link, network, transport, session, presentation and application. These range from Layer 1 encryption, which concerns the physical connections, all the way up to Layer 7, which encrypts at the application level. As previously stated, Layer 3 encryption significantly expands the size of the data packet, reducing operational throughput by up to 40 per cent and adding latency, or transfer delay, of up to 60 per cent, depending on the type of data packets being processed. Because data centres process large amounts of data, the inefficiency of this technology has become unacceptable for many businesses, particularly in the current economic climate as they look to cut costs. An alternative is Layer 2, or Data Link Layer, encryption, which adds only minimal data frame expansion, resulting in a significant performance advantage that allows businesses to reduce operating costs and increase operational capacity.

Layer 2 backbones are primarily used for high-speed, high-throughput connections between network nodes in point-to-point and, increasingly, fully-meshed multipoint configurations. To achieve these speeds, hardware encryption is predominantly employed. Encryption at this level encapsulates all protocols crossing the link, unlike Layer 3, where only IP packets are encrypted.
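A way to see where the packet expansion described above comes from, as an added example that is not from the paper: it computes the bytes IPsec ESP in tunnel mode adds around each IPv4 packet (header sizes from RFC 4303, with the 8-byte IV and 16-byte ICV of AES-GCM per RFC 4106, an assumption since the paper names no cipher suite) against the fixed per-frame cost of an IEEE 802.1AE MACsec Layer 2 encryptor (chosen here as a representative Layer 2 scheme; the paper does not name one), and reports the share of bytes on the wire that are actual data and whether the wrapped packet still fits a 1500-byte Ethernet MTU. It models only the byte expansion, not the processing latency the paper also counts.

```go
package main

import "fmt"

// ethernetMTU is the largest IP packet a standard Ethernet link carries.
const ethernetMTU = 1500

// espTunnelOverhead returns the bytes IPsec ESP in tunnel mode adds around one
// IPv4 packet with AES-GCM: a new outer IPv4 header, the SPI/sequence header,
// the 8-byte IV, padding so that (payload + 2-byte trailer) is a multiple of
// 4, the trailer itself and the 16-byte integrity check value.
func espTunnelOverhead(innerPacketLen int) int {
	const outerIPv4, espHeader, iv, trailer, icv = 20, 8, 8, 2, 16
	pad := (4 - (innerPacketLen+trailer)%4) % 4
	return outerIPv4 + espHeader + iv + pad + trailer + icv
}

// macsecOverhead returns the bytes an IEEE 802.1AE (MACsec) encryptor adds to
// one Ethernet frame: an 8-byte SecTAG (16 with the optional Secure Channel
// Identifier) plus a 16-byte ICV. The frame's own headers are unchanged and
// the figure does not depend on the payload length.
func macsecOverhead(withSCI bool) int {
	if withSCI {
		return 16 + 16
	}
	return 8 + 16
}

// goodput is the share of bytes on the wire that are the original data.
func goodput(payloadLen, overhead int) float64 {
	return float64(payloadLen) / float64(payloadLen+overhead)
}

// needsFragmentation reports whether the ESP-wrapped packet no longer fits
// the link MTU, which forces IP fragmentation (or a lower inner MTU) and a
// further throughput loss on top of the header bytes themselves.
func needsFragmentation(innerPacketLen int) bool {
	return innerPacketLen+espTunnelOverhead(innerPacketLen) > ethernetMTU
}

func main() {
	fmt.Printf("%6s %12s %15s %10s\n", "bytes", "ESP goodput", "MACsec goodput", "fragment?")
	// Packet sizes chosen to span small transactional traffic up to a full frame.
	for _, n := range []int{64, 128, 512, 1400, 1500} {
		fmt.Printf("%6d %11.1f%% %14.1f%% %10v\n", n,
			100*goodput(n, espTunnelOverhead(n)),
			100*goodput(n, macsecOverhead(false)),
			needsFragmentation(n))
	}
}
```

The table makes the paper's point concrete: the Layer 3 wrapper costs roughly 55 bytes per packet whatever the packet size, so small packets lose the most, and a full-size 1500-byte packet no longer fits the MTU and must be fragmented or the inner MTU lowered. The Layer 2 cost is a flat 24 or 32 bytes per frame, and on ports that are MACsec-capable the slightly larger frame is accepted without any change to the IP MTU.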
A Layer 2 encryptor does not consider the nature of the traffic; it is only concerned with deciding whether a link to a particular destination must be encrypted or not. Consequently its decision database has far fewer rules, resulting in a solution that is simpler and less expensive to manage. Layer 2 encryption is also independent of network configuration, so changes to the Local or Wide Area Network (LAN/WAN) do not require the involvement of the manager responsible for the encryption devices.

For these reasons, Layer 2 encryption is much more flexible, and it also provides platform independence, because client systems do not require special software or hardware to manage routing decisions. Because of their simplicity, Layer 2 solutions can also save time and money, as they require little or no configuration and maintenance once deployed.

Layer 2 encryption adds less latency and overhead to a network than any other encryption alternative. Layer 2 encryption solutions are commonly used on everything from sub-1 Mbps copper infrastructure up to optical fibre connections of 10 Gbps or more. Typical applications of Layer 2 encryption at the enterprise level include data centre connectivity to branch sites, and point-to-point and fully-meshed multipoint connections between sites where – because of the nature of the traffic – latency cannot be tolerated, and where – because of the nature of the operation – a simplified solution with little or no configuration and maintenance is desired.

Layer 2 encryption technology allows organisations to implement a security solution quickly, with minimal network disruption, while preserving current investments. Businesses requiring both security and support for multiple protocols often consider strong encryption at Layer 2 to protect sensitive, mission-critical functions on the network backbone and at network access.

Conclusion

Encryption does not have to be slow and expensive. If properly implemented and managed, it is a valuable business tool and constitutes a clear advantage. Not only does encryption protect data at rest, but it also has an important role to play in making data in transit more secure, by protecting its confidentiality and integrity and enabling the enterprise to take advantage of more cost-effective shared and interconnected systems.

Moreover, regulations, market forces and sheer practicality are already shifting the encryption landscape. The debate has moved beyond whether encryption should be adopted; the conversation is now about how and where it should be deployed. A well thought-through approach to encryption and key management that encompasses end-to-end data, including data in transit, will stand any company in good stead in meeting its current and future data security requirements.

Thales Security Solutions & Services
© Thales • February 2010 • MGD0951

Americas
THALES e-SECURITY, INC.
2200 North Commerce Parkway, Suite 200
Weston, Florida 33326, USA
T: +1 888 744 4976 or +1 954 888 6200
F: +1 954 888 6211

Asia Pacific
THALES TRANSPORT & SECURITY (HONG KONG) LTD.
Units 2205-06, 22/F Vicwood Plaza
199 Des Voeux Road Central
Hong Kong, PRC
T: +852 2815 8633
F: +852 2815 8141

Europe, Middle East, Africa
THALES e-SECURITY LTD.
Meadow View House, Long Crendon
Aylesbury, Buckinghamshire HP18 9EQ, UK
T: +44 (0)1844 201800
F: +44 (0)1844 208550

This document is issued by Thales Information Systems Security in confidence and is not to be reproduced in whole or in part without prior written approval.