
Don’t Let Your Network Be a Security Leak

Sponsored by:

Presenters

Sterling Perrin, Senior Analyst, Heavy Reading

Paulina Gomez, Specialist, Product and Technology Marketing, Ciena

Patrick Scully, Director, Product Line Management, Networking Platforms Division, Ciena

Agenda

• Encryption Trends: Heavy Reading Perspective
• Impact of new data breach laws and how to respond
• Considerations for in-flight data encryption deployments
• How to differentiate with new simple-to-implement optical encryption technology
• Deployment models and key applications for optical encryption
• 10G, 100G and 200G optical encryption momentum
• Questions & Answers

Data Breaches Mount in an On-Line Age

Chart: breaches from 2007 to 2015, plotted by number of records (50M to 200M scale), including:

• 130 million credit and debit cards exposed
• 102 million subscriber records exposed
• 40 million credit and debit card numbers stolen
• 200 million personal records breached
• 50 million user records hacked
• 76 million veterans records exposed
• 37 million personal records hacked
• Tax records for 330,000 taxpayers stolen
• 94 million credit and debit cards exposed

Cloud and Virtualization Drive New Security Concerns for SPs/Businesses

Data Center IP Traffic, 2013-2018 (zettabytes per year)

Year   Traditional Data Center   Cloud Data Center
2013   1.42                      1.65
2014   1.55                      2.28
2015   1.68                      3.05
2016   1.81                      3.99
2017   1.94                      5.13
2018   2.08                      6.50

Source: Cisco Global Cloud Index and Cisco VNI, 2014

• Migration from traditional DCs to cloud DCs means that more and more traffic crosses shared networks and is housed in shared facilities
• Data encryption is viewed as a key requirement to protect subscriber privacy in SDN/NFV

Q: Which of the following will provide the greatest value in protecting subscriber privacy in an SDN/NFV environment?

Bar chart of responses (0% to 50% of respondents) for:

• Vulnerability scanners
• Data loss prevention
• Logging and audit trail
• DDoS prevention
• Privileged user management
• Data integrity and authenticity
• Data encryption
• Strong authentication

Source: Heavy Reading 2015 SDN/NFV Security Survey, April 2015

Fiber Vulnerability is Now Well Understood

Figure: USS Jimmy Carter, a state-of-the-art fiber tapping platform (2005). Source: Wikipedia

Figure: Passive fiber-optic tap

Fiber-optic transmission was once thought extremely secure, but incidents over the past decade have dispelled this myth:

• In May 2006 it came to light that the NSA had installed beam-splitters in fiber-optic Internet backbone trunks that routed copies of backbone traffic to a special San Francisco snooping

• Documents leaked by NSA whistleblower Edward J. Snowden in 2013 revealed other incidents of government eavesdropping – domestic and foreign

• The FBI reports that there were 16 known attacks on fiber-optic cables in the San Francisco area in 2015

• Fiber-optic cable tapping was reportedly one of the main missions of the $3.2 billion USS Jimmy Carter (2005)

New laws and heavy fines impact the bottom line

UNITED STATES
• 47 states have laws requiring notification of breach involving personal information.
• 29 states have laws that require entities to destroy, dispose of, or make personal information unreadable or undecipherable.

NEW LAW IN THE NETHERLANDS (Jan 2016)
• Operators will be required to notify affected individuals, unless the compromised data is encrypted or otherwise unintelligible to 3rd parties.
• Fines of up to €810,000 or 10% of the organization's annual net turnover.

Average organizational breach cost*

* Source: IBM and Ponemon Institute LLC. 2015 Cost of Data Breach Study: Global Analysis.

Losses to an organization include:
• Damaging reputation/brand
• Lost revenue
• Lost customers

Are you doing everything you can to protect your data?

Diagram: Server & Database Security, At-rest Encryption and In-flight Encryption, with in-flight links shown for Fibre Channel, SONET/SDH and Ethernet.

Ethernet

Traditional Encryption Solutions Can Be Cumbersome and Costly

Chart: throughput comparison at different frame sizes (L1 vs L2/L3 encryption)

• L2/L3 solutions can add serious latency vs L1 solutions. Encrypting at L2 (MACsec) or L3 (IPsec) also adds a header and trailer to every frame or packet, so the usable share of the line rate drops most at small frame sizes; L1 encryption of the wavelength payload adds no per-frame overhead.
• Increased latency directly impacts the user experience: Amazon reported a one percent revenue increase for every 100 milliseconds of improvement to their site speed.*

* Source: https://www.lireo.com/website-speed-the-power-of-one-second-infographic/
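The per-frame overhead behind that throughput chart can be worked out with a small calculator. This is an added example and not material from the webinar or from Ciena: the overhead figures are assumed, typical values (a 16-byte SecTAG with SCI plus a 16-byte ICV for MACsec; an outer IPv4 header, SPI/sequence, IV, trailer and ICV plus 4-byte padding for IPsec ESP in tunnel mode with AES-GCM), and L1 is modelled as zero per-frame bytes, which is what encrypting the wavelength payload in place implies. Function names, constants and the frame sizes in the table are this example's own.

```go
package main

import "fmt"

// Per-frame bytes each encryption layer adds (assumed, typical values, not
// figures from the webinar):
//   L1 (optical/OTN): the wavelength payload is encrypted in place, nothing per frame.
//   L2 (MACsec):      16-byte SecTAG with SCI + 16-byte ICV.
//   L3 (IPsec ESP, tunnel mode, AES-GCM): outer IPv4 header 20 + SPI/sequence 8
//                     + IV 8 + pad-length/next-header 2 + ICV 16, plus padding of
//                     the inner packet to a 4-byte boundary.
const (
	macsecOverhead = 16 + 16
	espFixed       = 20 + 8 + 8 + 2 + 16
	ethFraming     = 14 + 4 // Ethernet header + FCS that an L3 device strips and re-adds
)

// Overhead returns the bytes added to an Ethernet frame of the given size.
func Overhead(layer string, frame int) (int, error) {
	switch layer {
	case "L1":
		return 0, nil
	case "L2":
		return macsecOverhead, nil
	case "L3":
		inner := frame - ethFraming  // the IP packet carried in the frame
		pad := (4 - (inner+2)%4) % 4 // ESP trailer alignment (assumed 4 bytes for GCM)
		return espFixed + pad, nil
	}
	return 0, fmt.Errorf("unknown layer %q", layer)
}

// Efficiency is the share of the line rate left for the original frames:
// frame / (frame + overhead). Preamble and inter-frame gap cost the same at
// every layer and are left out.
func Efficiency(layer string, frame int) (float64, error) {
	ovh, err := Overhead(layer, frame)
	if err != nil {
		return 0, err
	}
	return float64(frame) / float64(frame+ovh), nil
}

func main() {
	fmt.Printf("%6s %8s %8s %8s\n", "frame", "L1", "L2", "L3")
	for _, frame := range []int{64, 128, 256, 512, 1024, 1518} {
		fmt.Printf("%6d", frame)
		for _, layer := range []string{"L1", "L2", "L3"} {
			eff, _ := Efficiency(layer, frame)
			fmt.Printf(" %7.1f%%", 100*eff)
		}
		fmt.Println()
	}
	// At L3 a 1518-byte frame leaves the encryptor as 1574 bytes, so the path must
	// carry larger frames or hosts must lower their MTU (or fragment).
}
```

The 64-byte row is the one that matters for small-packet workloads: under these assumptions MACsec leaves about 67% of the line rate and ESP about 54%, while L1 stays at 100% regardless of frame size.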

Optical encryption solutions encrypt ALL in-flight data

Any Protocol

Moving encryption deployments from cumbersome to commonplace

10G point-to-point business case: enterprise-owned encryption vs. encrypted service (5-year view)

Standard 10G service with enterprise-owned encryption
• Unencrypted 10G point-to-point service = $2.5K/month*
• Encryption CPE at each end ($56K* each) plus 15% annual maintenance on the CPE
• Enterprise-managed certificates
• Annual cost chart, years 1-5: CPE, maintenance on CPE, 10G transport
• NPV = $302K

Encrypted 10G service from the service provider
• Encrypted 10G point-to-point service = $3K/month*
• Annual cost chart, years 1-5: CPE, maintenance on CPE, encrypted 10G transport
• NPV = $180K

* 20% premium for encrypted 10G vs unencrypted 10G

Key applications

• Healthcare: Secure ultra-low latency transport for highest quality healthcare and efficient collaboration, complying with HIPAA requirements for protecting health information
• Finance: Secure financial applications and information with ultra-low latency FIPS-certified encryption that adheres to new and modified cybersecurity laws
• Government: Protect sensitive citizen and agency data with FIPS-certified encryption that complies with NIST and DHS requirements, as well as Suite B algorithms

FLEXIBLE CAPACITY
• Enables operators to leverage their choice of 10G, 100G or 200G encrypted wavelengths

3RD PARTY CERTIFICATION
• Ensures proper implementation of cryptographic algorithms and standards

ALWAYS-ON ENCRYPTION
• Eliminates human error
• Guarantees all traffic is always encrypted 24/7

DEDICATED KEY MANAGEMENT
• Provides a dedicated key management interface for full end-user control of all security parameters

STRONG CRYPTOGRAPHY
• Deploys the strongest algorithms available: AES-256 (a symmetric cipher) for the data path and Elliptic Curve Cryptography (ECC) for the public-key operations

ENCRYPTION IN COHERENT DSP
• Offers ultra-low latency & programmable modulation for coherent 100G/200G encryption

Definition

In cryptography, encryption is the process of transforming information (plaintext) using an algorithm (cipher) to make it unreadable to anyone except those possessing special knowledge (the key). The result of the process is encrypted information (ciphertext).

Plaintext → Cipher (+ Key) → Ciphertext

1. Authentication = TRUST
Authentication refers to the ability to confirm the identity of the other entity. In other words, before data is sent and received, the identities of sender and receiver are verified. Solutions can leverage industry-standard Public Key Infrastructures (PKIs) for authentication purposes.

2. Encrypted Data Exchange

Encryption Algorithms

Diffie-Hellman (DH) Algorithm: establishes a shared secret key over a clear (eavesdropped) channel. DH on its own does not authenticate the parties, which is why it is paired with the certificate-based authentication above.
Elliptic Curve Cryptography (ECC) Algorithms: an approach to public-key cryptography requiring smaller keys to achieve the same level of security as 1st-generation public-key cryptography systems.

Encryption Standards

Advanced Encryption Standard (AES): defines the encryption engine; supports key sizes of 128, 192 and 256 bits (56-bit keys belong to the older DES, not to AES).
Federal Information Processing Standard (FIPS): FIPS 197 specifies the AES algorithm, AES-256 included; FIPS 140-2 validates the full cryptographic module, i.e. the complete solution rather than the cipher alone.
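The two steps on the slides, certificate-based authentication followed by a DH key agreement, as an added example in Go using only the standard library. This is not Ciena's implementation or any product's protocol: the self-signed root CA stands in for the enterprise PKI, and the Hello message layout, the HKDF salt label and the names (Endpoint, issue, Accept, Demo) are this example's own. It shows the point the DH slide leaves implicit: the ECDH public key is trusted only because the certified authentication key has signed it, which is what stops a man-in-the-middle from substituting its own key.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs a certificate for pub; parent == nil yields a self-signed root CA (a stand-in for the enterprise PKI).
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent = true, x509.KeyUsageCertSign, t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// Endpoint: a certified long-lived authentication key, a separate ephemeral ECDH key, and the handshake's PRK.
type Endpoint struct {
	auth *ecdsa.PrivateKey
	cert *x509.Certificate
	dh   *ecdh.PrivateKey
	prk  []byte
}

func newEndpoint(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *Endpoint {
	k := newKey()
	return &Endpoint{auth: k, cert: issue(cn, &k.PublicKey, ca, caKey), dh: must(ecdh.P256().GenerateKey(rand.Reader))}
}

// Hello is the one clear-channel handshake message: certificate, ECDH public key, and a signature over that key.
type Hello struct{ CertDER, DHPub, Sig []byte }

func (e *Endpoint) Hello() Hello {
	pub := e.dh.PublicKey().Bytes()
	h := sha256.Sum256(pub)
	return Hello{e.cert.Raw, pub, must(ecdsa.SignASN1(rand.Reader, e.auth, h[:]))}
}

// Accept is step 1 (authentication = trust) followed by the key agreement: the peer certificate must
// chain to the enterprise roots and must have signed the DH key before the ECDH secret becomes the PRK.
func (e *Endpoint) Accept(peer Hello, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(peer.CertDER)
	if err != nil {
		return err
	}
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("peer certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(peer.DHPub)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], peer.Sig) {
		return fmt.Errorf("DH key not signed by the certified key (possible man-in-the-middle)")
	}
	// An off-curve point from a peer that has just authenticated is a fault, not an attack, so must() is acceptable.
	secret := must(e.dh.ECDH(must(ecdh.P256().NewPublicKey(peer.DHPub))))
	x := hmac.New(sha256.New, []byte("optical-link-v1")) // HKDF-Extract; the salt label is assumed
	x.Write(secret)
	e.prk = x.Sum(nil)
	return nil
}

// Demo (constructed): two encryptors under one enterprise CA authenticate each
// other and report whether they derived the same PRK.
func Demo() (bool, error) {
	caKey := newKey()
	ca := issue("Enterprise Root CA", &caKey.PublicKey, nil, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	a, b := newEndpoint("encryptor-A", ca, caKey), newEndpoint("encryptor-B", ca, caKey)
	for _, p := range [][2]*Endpoint{{a, b}, {b, a}} { // each side authenticates the other
		if err := p[0].Accept(p[1].Hello(), roots); err != nil {
			return false, err
		}
	}
	return hmac.Equal(a.prk, b.prk), nil
}

func main() { fmt.Println(Demo()) }
```

Two properties fall out of the ordering in Accept: a device whose certificate chains to any other CA is refused before its DH key is even parsed, and a Hello whose DH key has been swapped fails the signature check, so the PRK is only ever derived with a peer the enterprise CA has certified. The PRK is not used directly as a traffic key; session keys are derived from it.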

Best-in-class encryption ensures the highest level of in-flight data security

X.509 Certificate Authentication
Supports X.509 certificates for authentication, enabling integration into existing enterprise Public Key Infrastructures (PKI).

Two Sets Of Keys
Offers distinct keys for the authentication and encryption functions, making it more difficult to infiltrate than a solution that uses only one set of keys or derives one key from the other.
• Authentication keys: X.509 certificate-based authentication
• Encryption session keys: fast key rotation, AES-256 certified

Fast Key Rotation
Provides fast, hitless key rotation each second. Rotation does not make the cipher harder to break; its value is that any single key protects at most one second of traffic, so a compromised session key exposes far less than it would in a solution with a slow key rotation period of minutes or longer.
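The fast-rotation and two-sets-of-keys points above, as an added example that is not the product's key schedule: session keys are derived per epoch from the handshake output with HKDF-Expand, so rotating every second needs no further exchange and no transmitted key, and the receiver keeps a one-epoch acceptance window so the rotation is hitless. The PRK here is a constructed constant standing in for the output of the authentication and key-agreement step; SessionKey, Seal, Open and the epoch||nonce||ciphertext framing are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SessionKey is HKDF-Expand(prk, "session" || epoch) truncated to one SHA-256
// block: a fresh AES-256 key for every epoch (one second on the slide). Keys are
// derived, never sent, and a leaked key unlocks only its own epoch's traffic.
func SessionKey(prk []byte, epoch uint32) []byte {
	x := hmac.New(sha256.New, prk)
	x.Write(append(binary.BigEndian.AppendUint32([]byte("session"), epoch), 1))
	return x.Sum(nil)
}

func gcmFor(prk []byte, epoch uint32) cipher.AEAD {
	block, err := aes.NewCipher(SessionKey(prk, epoch))
	if err != nil {
		panic(err) // a 32-byte key never fails here
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Seal emits epoch || nonce || AES-256-GCM ciphertext, with the epoch bound as
// AAD so a frame cannot be replayed under a different epoch's key.
func Seal(prk []byte, epoch uint32, plaintext []byte) []byte {
	g := gcmFor(prk, epoch)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	aad := binary.BigEndian.AppendUint32(nil, epoch)
	return append(aad, g.Seal(nonce, nonce, plaintext, aad)...)
}

// Open makes the rotation hitless: a frame still in flight when the receiver
// moved to the next epoch is decrypted with the previous key; anything older,
// or stamped with a future epoch, is refused before any decryption is attempted.
func Open(prk []byte, now uint32, frame []byte) ([]byte, error) {
	const hdr = 4 + 12 // epoch + standard 96-bit GCM nonce
	if len(frame) < hdr {
		return nil, errors.New("short frame")
	}
	epoch := binary.BigEndian.Uint32(frame[:4])
	if epoch != now && epoch+1 != now {
		return nil, fmt.Errorf("epoch %d outside the accept window at epoch %d", epoch, now)
	}
	return gcmFor(prk, epoch).Open(nil, frame[4:hdr], frame[hdr:], frame[:4])
}

// Demo (constructed): a PRK that a handshake would normally produce, one frame
// sealed in epoch 100, then opened one and two rotations later.
func Demo() (plaintext string, openErr, staleErr error) {
	prk := sha256.Sum256([]byte("constructed PRK, not a real handshake output"))
	frame := Seal(prk[:], 100, []byte("10GbE payload"))
	var pt []byte
	pt, openErr = Open(prk[:], 101, frame) // receiver already rotated: still accepted
	_, staleErr = Open(prk[:], 102, frame) // two rotations later: refused
	return string(pt), openErr, staleErr
}

func main() { fmt.Println(Demo()) }
```

A random 96-bit nonce per frame is fine when each key lives for one second (well under the usual 2^32-messages-per-key budget for random GCM nonces even at 100G line rate); a hardware implementation would more likely use a counter nonce, which the per-epoch key also resets.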

Optical encryption solutions should include simplified end-user security management

56%: encryption key and certificate management is painful. Enterprises rated the "pain" associated with managing keys/certificates as severe.*

* Source: Thales e-Security & Ponemon Institute, Global Encryption & Key Management Trends Study, April 2015

Presentation notes: Source: Thales e-Security & Ponemon Institute Research Report. Managing keys or certificates is painful: fifty-six percent of respondents rate the overall "pain" associated with managing keys or certificates within their organizations as severe (7+ on a scale of 1 = minimal impact to 10 = severe impact). Ponemon Institute is pleased to present the findings of the 2015 Global Encryption & Key Management Trends Study, sponsored by Thales e-Security. We surveyed 4,714 individuals across multiple industry sectors in 10 countries - the United States, United Kingdom, Germany, France, Australia, Japan, Brazil, the Russian Federation and, for the first time, Mexico and India. The purpose of this research is to examine how the use of encryption has evolved over the past ten years and the impact of this technology on the security posture of organizations.

Deployment models (any protocol; 10G / 100G / 200G)

Enterprise managed keys over a service provider circuit or dark fiber
• Encryption equipment at both ends is enterprise provided and managed; keys are managed by the enterprise CSO.
• The enterprise customer manages the security-related aspects of the service at both ends and has full visibility of network performance.

Service provider managed service with security officer / enterprise managed keys
• The transport network is managed separately: the carrier owns and operates the transport aspects of the end-to-end network, while the enterprise customer manages the security-related aspects of the service at both ends.

Scaling 10G, 100G and 200G encryption to a variety of applications

• 10G solutions widely deployed
• 100G/200G encryption not only a backbone or infrastructure play – now requested in many enterprise and government projects
• Demand for 200G encryption is real