Protecting against the next great heist by encrypting in-transit data

Adding extra security at the optical layer is essential in today's web-scale world.

Cast your mind back to the last time you were offline – not just when your connection was down, but a time when you were truly, unequivocally disconnected. That time may have been spent sending letters, physically going into a bank to make a deposit or withdrawal, and actually meeting with people to share information.

Nowadays, we're far more efficient thanks to our reliance on connectivity and the network. During the past 20 years or so, information has evolved in line with the network, and become largely a digital commodity that can be sent and received with the click of a mouse. Electronic communications now cross organizations and oceans with relative ease, in volumes that seemed unfathomable during the days when postal mail was king. But all of this need for connectivity comes with a downside: criminal elements seeking to steal that data – and make no mistake, something as seemingly innocent as a personal email can be as valuable to a criminal as a bank transaction.

Our data can be used by others for monetary gain (stolen credit card numbers) or, in some instances, blackmail and identity theft. Passwords and authentication now act as the key to the front door for the myriad of valuable data behind it. So, to provide an additional layer of protection we began to encrypt the data – scrambling it in such a way that intruders could not easily decipher the information without another key.

Can people still get that data? With a bit of concerted effort, sure, getting through is a possibility – but that's why we also have firewalls, anti-virus software and intrusion detection systems. We're clearly serious about protecting our data when it's at rest, meaning physically situated within the protected confines of a data center on storage arrays. But what about when you need to get that data from one side of the network to another, such as from a data center storage array to your smartphone?

Remember, The Great Train Robbery of 1963 occurred not while the train was at rest in a station, but while it was between stations. It's during transit – meaning, out there on the network and “in-flight” between end-points – that our data is most exposed, especially given the focus we've placed on erecting barricades to protect it while at rest.

Encrypting sensitive and mission-critical data while in transit is essential to an overall data security strategy, especially with information moving like never before within the cloud between data centers.

Encryption at the optical layer during transport provides a strong and effective safeguard, adding a level of protection that complements application-level security as part of an end-to-end strategy. Technologies like Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are increasingly used to secure connections to individual servers, but they protect only the sessions that have been configured to use them; encrypting at the physical layer is the most direct way to cover everything on the communications link in and out of a facility, including management traffic, storage replication and legacy protocols that were never given encryption of their own. TLS and SSL deployments also generally rely on third-party certificate authorities, and a compromised authority or a misissued certificate opens the door to man-in-the-middle attacks. In addition, the traditional operational model for deploying and maintaining protocol-specific encryption solutions quickly becomes cumbersome, complex, and costly when a separate encrypt/decrypt pair is required for each protocol in a multi-protocol environment. Two caveats apply: optical-layer encryption protects the fiber span between the two encryptors, not the data inside each facility or at the end devices, so it complements TLS rather than replacing it; and the encryptors themselves must authenticate each other and exchange keys, so key management moves to the transport layer rather than disappearing.

At the converged packet-optical transport layer, a wide variety of traffic types, such as Ethernet, Fibre Channel, OTN, SONET, and SDH, can be encrypted simultaneously over the same wavelength, typically with AES-256. Optical layer encryption is also transparent and runs at wire speed. In other words, the encryption process does not reduce the throughput of the signal being encrypted, adds only a small, fixed latency, and does not alter the client signal as seen by the equipment on either side of the link. Additionally, because all traffic is encrypted before it enters the fiber, the entire data channel is protected no matter what application or device generated the signal.
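To make the transparency point concrete, here is an added example written for this article (not a vendor's implementation or code from the original piece): a Go model of a pair of point-to-point link encryptors using AES-256-GCM, the algorithm typical of optical encryption products. The 32-byte key is assumed to be pre-shared out of band, the sample frames are constructed, and the wire format (8-byte sequence number, ciphertext, 16-byte tag) is a simplification chosen for readability. It shows that the encryptor never inspects the client signal, so a TLS record and a raw storage payload are indistinguishable once on the fiber, and that a frame modified or replayed on the link is rejected rather than delivered.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// LinkEncryptor models one end of a point-to-point transport-layer encryptor.
// It sits between the client equipment and the fiber and never looks inside
// the frames it carries, so Ethernet, Fibre Channel or OTN payloads are all
// handled identically. The key is assumed to be pre-shared out of band
// (real products negotiate and rotate it; that is out of scope here).
type LinkEncryptor struct {
	aead    cipher.AEAD
	txSeq   uint64 // sequence number of the next frame sent; doubles as the nonce
	rxSeq   uint64 // highest sequence number accepted so far
	started bool   // false until the first frame has been accepted
}

// NewLinkEncryptor builds an AES-256-GCM encryptor from a 32-byte key.
func NewLinkEncryptor(key []byte) (*LinkEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LinkEncryptor{aead: aead}, nil
}

// nonce derives the 96-bit GCM nonce from the 64-bit frame counter. A nonce
// must never repeat under one key; a strictly increasing counter guarantees
// that until the key is rotated.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Encrypt turns an arbitrary client frame into what goes onto the fiber:
// 8-byte sequence number || ciphertext || 16-byte GCM tag. The sequence
// number travels in the clear but is authenticated as additional data.
func (l *LinkEncryptor) Encrypt(frame []byte) ([]byte, error) {
	if l.txSeq == ^uint64(0) {
		return nil, errors.New("sequence space exhausted: rekey before sending more")
	}
	seq := l.txSeq
	l.txSeq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, seq)
	ct := l.aead.Seal(nil, nonce(seq), frame, hdr)
	return append(hdr, ct...), nil
}

// Decrypt verifies and strips the link encryption. It rejects frames whose tag
// does not verify (modified in transit) and frames whose sequence number does
// not advance (replayed). A point-to-point fiber cannot reorder frames, so a
// strict "must increase" rule suffices; no replay window is needed.
func (l *LinkEncryptor) Decrypt(wire []byte) ([]byte, error) {
	if len(wire) < 8+l.aead.Overhead() {
		return nil, errors.New("frame too short to be valid")
	}
	hdr, ct := wire[:8], wire[8:]
	seq := binary.BigEndian.Uint64(hdr)
	if l.started && seq <= l.rxSeq {
		return nil, errors.New("replayed or out-of-order frame rejected")
	}
	pt, err := l.aead.Open(nil, nonce(seq), ct, hdr)
	if err != nil {
		return nil, errors.New("authentication failed: frame modified in transit")
	}
	l.rxSeq, l.started = seq, true
	return pt, nil
}

// ProtocolHint is what a passive tap can tell from the first bytes of a frame:
// a TLS record starts 0x16 0x03 0x0X; anything else is reported as "other".
func ProtocolHint(frame []byte) string {
	if len(frame) >= 3 && frame[0] == 0x16 && frame[1] == 0x03 {
		return "TLS record"
	}
	return "other"
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real one
	tx, _ := NewLinkEncryptor(key)
	rx, _ := NewLinkEncryptor(key)
	// Constructed sample frames: a TLS-like record and a raw storage-replication
	// style payload that would otherwise cross the fiber in the clear.
	frames := [][]byte{
		append([]byte{0x16, 0x03, 0x01, 0x00, 0x0c}, []byte("client-hello")...),
		[]byte("LUN7 block 0x1f3a: ACCOUNT=4532...0001 BAL=1000000"),
	}
	for _, f := range frames {
		w, _ := tx.Encrypt(f)
		fmt.Printf("client side: %-10s %3d bytes | on the fiber: %-10s %3d bytes\n",
			ProtocolHint(f), len(f), ProtocolHint(w[8:]), len(w))
		if pt, err := rx.Decrypt(w); err != nil || !bytes.Equal(pt, f) {
			panic("link decryption failed")
		}
	}
}
```

Run it with `go run`. Production optical encryptors typically carry the equivalent of the per-frame counter and authentication tag in the transport frame's overhead rather than expanding the client payload, which is how they keep the client signal's size and rate unchanged; the model above expands each frame by 24 bytes instead because that is simpler to read.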

Can the security of our data ever truly be guaranteed? It remains an open question, especially as the sophistication of those keen to steal it increases. The best practice is defense in depth: a nested set of complementary controls that together form a barrier between that valuable information and those who seek it.

The focus on protecting information at-rest has been a concerted one. However, it's now imperative that we show similar dedication to protecting our data when it's at its most vulnerable – while it's in flight, out there, alone on the network, as it traverses tens to thousands of kilometers.


Copyright © 2016 IDG Communications, Inc.