
Protecting against the next great heist by encrypting in-transit data

Jan 26, 2016
Network Security, Security

Adding extra security at the optical layer is essential in today's web-scale world.

Cast your mind back to the last time you were offline – not just when your connection was down, but a time when you were truly, unequivocally disconnected. That time may have been spent sending letters, physically going into a bank to make a deposit or withdrawal, and actually meeting with people to share information.

Nowadays, we’re far more efficient thanks to our reliance on connectivity and the network. During the past 20 years or so, information has evolved in line with the network, and become largely a digital commodity that can be sent and received with the click of a mouse. Electronic communications now cross organizations and oceans with relative ease, in volumes that seemed unfathomable during the days when postal mail was king. But all of this need for connectivity comes with a downside: criminal elements seeking to steal that data – and make no mistake, something as seemingly innocent as a personal email can be as valuable to a criminal as a bank transaction.

Our data can be used by others for monetary gain (stolen credit card numbers) or, in some instances, blackmail and identity theft. Passwords and authentication now act as the key to the front door for the myriad of valuable data behind it. So, to provide an additional layer of protection we began to encrypt the data – scrambling it in such a way that intruders could not easily decipher the information without another key.

Can people still get that data? With a bit of concerted effort, sure, getting through is a possibility – but that’s why we also have firewalls, anti-virus software and intrusion detection systems. We’re clearly serious about protecting our data when it’s at rest, meaning physically situated within the protected confines of a data center on storage arrays. But what about when you need to get that data from one side of the network to another, such as from a data center storage array to your smartphone?

Remember, the Great Train Robbery of 1963 occurred not when the train was at rest at a station, but while it was between stations. It’s during transit – meaning, out there on the network and “in-flight” between end-points – that our data can be most vulnerable, especially given the focus we’ve placed on erecting barricades to protect it while at rest.

Encrypting sensitive and mission-critical data while in transit is essential to an overall data security strategy, especially with information moving like never before within the cloud between data centers.

Encryption at the optical layer during transport provides a strong and effective safeguard, offering an additional level of protection to enable end-to-end security. While it’s true that technologies like Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are increasingly used to secure connections to servers, the only way to secure everything on the communications link in and out of a facility is to encrypt at the physical layer. TLS and SSL solutions also generally rely on third-party certificate authorities that may themselves be compromised, allowing for man-in-the-middle attacks. In addition, the traditional operational model for deploying and maintaining protocol-specific encryption solutions can quickly become cumbersome, complex, and costly, with multiple encrypt/decrypt pairs being required to support a multi-protocol environment.

At the converged packet-optical transport layer, a wide variety of traffic types, such as Ethernet, Fibre Channel, OTN, SONET, and SDH, can be encrypted simultaneously. Further, optical layer encryption guarantees transparent encryption at wire-speed. In other words, the encryption process does not reduce the traffic throughput of the signal being encrypted, nor does it modify the user data in any way. Additionally, by encrypting all traffic before it enters the fiber, it ensures the entire data channel is encrypted no matter what application or device generated the signal.
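As an added illustration (not from the original post), the following Python model contrasts the two deployment models described above: bulk encryption of the whole byte stream before it enters the fiber versus per-protocol, TLS-style encryption of payloads only. The frames, key material and HMAC-based keystream are constructed for the demo and stand in for the AES hardware a real line card would use; the point is what an observer on the fiber can still read, and how many bytes each model adds.

```python
import hashlib
import hmac
import struct

# Constructed sample traffic: two frame types a converged transport layer might carry.
# Byte values are made up; only the header/payload split matters for the illustration.
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, EtherType
ETH_FRAME = ETH_HDR + b"GET /account HTTP/1.1 ..."
FC_HDR = bytes.fromhex("bcb55656") + bytes(range(24))             # SOF + 24-byte FC header (constructed)
FC_FRAME = FC_HDR + b"SCSI READ(10) block 0x1234 ..."
FRAMES = [(ETH_FRAME, len(ETH_HDR)), (FC_FRAME, len(FC_HDR))]
KEY, NONCE = b"\x11" * 32, b"\x22" * 16   # fixed demo key material, not for real use

def keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for the AES-CTR/GCM
    # a real line card would use. Like AES-CTR it is length-preserving, which is the
    # property being modelled here.
    blocks = (hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def optical_layer_encrypt(frames, key=KEY, nonce=NONCE):
    """Layer-1 model: one bulk stream; every byte of every frame (headers included)
    is encrypted, the encryptor never parses protocols, and no bytes are added."""
    stream = b"".join(frame for frame, _ in frames)
    return xor(stream, keystream(key, nonce, len(stream)))

def optical_layer_decrypt(wire, key=KEY, nonce=NONCE):
    return xor(wire, keystream(key, nonce, len(wire)))   # XOR stream cipher is its own inverse

def per_protocol_encrypt(frames, key=KEY, nonce=NONCE):
    """TLS-style model: only the application payload is encrypted; transport headers
    stay in clear so the network can forward them, and a 16-byte auth tag is appended."""
    out = []
    for i, (frame, hdr_len) in enumerate(frames):
        hdr, payload = frame[:hdr_len], frame[hdr_len:]
        ct = xor(payload, keystream(key, nonce + bytes([i]), len(payload)))
        tag = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:16]
        out.append(hdr + ct + tag)
    return b"".join(out)

def headers_in_clear(wire, frames):
    """Number of frame headers an observer on the fiber can read verbatim."""
    return sum(1 for frame, hdr_len in frames if frame[:hdr_len] in wire)

def overhead_bytes(wire, frames):
    """Bytes added on the wire relative to the original frames."""
    return len(wire) - sum(len(frame) for frame, _ in frames)
```

The bulk path is left without an authentication tag only so that the zero-overhead, header-hiding property stays visible; a confidentiality-only stream cipher does not by itself protect integrity, so a real deployment pairs it with authentication.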

Can the security of our data ever truly be guaranteed? It remains an open question, especially as the sophistication of those keen to steal it increases. The best practice is to use a nested set of complementary tools to create a barrier between that valuable information and those who seek it.

The focus on protecting information at rest has been a concerted one. However, it’s now imperative that we show similar dedication to protecting our data when it’s at its most vulnerable – while it’s in flight, out there, alone on the network, as it traverses tens to thousands of kilometers.


With more than 20 years of telecom experience, Mr. Alexander is currently serving as Ciena’s Senior Vice President and Chief Technology Officer. Mr. Alexander has held a number of positions since joining the Company in 1994, including General Manager of Ciena's Transport & Switching and Data Networking business units, Vice President of Transport Products and Director of Lightwave Systems.

From 1982 until joining Ciena, Mr. Alexander was employed at MIT Lincoln Laboratory, where he last held the position of Assistant Leader of the Optical Communications Technology Group. Mr. Alexander is an IEEE Fellow and was the recipient of the IEEE Communications Society Industrial Innovation Award in 2012. He is currently an Associate Editor for the IEEE / OSA Journal of Optical Communications and Networking. He has served as a member of the Federal Communications Commission Technological Advisory Council, as an Associate Editor for the Journal of Lightwave Technology, as a member of the IEEE / LEOS Board of Governors, and was a General Chair of the conference on Optical Fiber Communication (OFC) in 1997.

Mr. Alexander received both his B.S. and M.S. degrees in electrical engineering from the Georgia Institute of Technology. He has been granted 18 patents and has authored a text on Optical Communication Receiver Design as well as numerous conference and journal articles.

The opinions expressed in this blog are those of Steve Alexander and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.