Presenters
Sterling Perrin, Senior Analyst, Heavy Reading
Paulina Gomez, Specialist, Product and Technology Marketing, Ciena
Patrick Scully, Director, Product Line Management, Networking Platforms Division, Ciena
Agenda
• Encryption Trends: Heavy Reading Perspective
• Impact of new data breach laws and how to respond
• Considerations for in-flight data encryption deployments
• How to differentiate with new simple-to-implement optical encryption technology
• Deployment models and key applications for optical encryption
• 10G, 100G and 200G optical encryption momentum
• Questions & Answers
Data Breaches Mount in an On-Line Age
[Chart: records exposed per breach, 2007-2015, on a 50M-200M scale]
• 130 million credit and debit cards exposed
• 102 million subscriber records exposed
• 40 million credit and debit card numbers stolen
• 200 million personal records breached
• 50 million user records hacked
• 76 million veterans records exposed
• 37 million personal records hacked
• Tax records for 330,000 taxpayers stolen
• 94 million credit and debit cards exposed
Cloud and Virtualization Drive New Security Concerns for SPs/Businesses
Data Center IP Traffic, 2013-2018 (zettabytes per year)
Year                 2013  2014  2015  2016  2017  2018
Traditional DC       1.42  1.55  1.68  1.81  1.94  2.08
Cloud DC             1.65  2.28  3.05  3.99  5.13  6.50
Source: Cisco Global Cloud Index and Cisco VNI, 2014
• Migration from traditional DC to cloud DC means that more and more traffic crosses shared networks and is housed in shared facilities
• Data encryption is viewed as a key requirement to protect subscriber privacy in SDN/NFV
Q: Which of the following will provide the greatest value in protecting subscriber privacy in an SDN/NFV environment?
[Chart: share of respondents selecting each option, 0-50% scale]
• Vulnerability scanners
• Data loss prevention
• Logging and audit trail
• DDoS prevention
• Privileged user management
• Data integrity and authenticity
• Data encryption
• Strong authentication
Source: Heavy Reading 2015 SDN/NFV Security Survey, April 2015
Fiber Vulnerability is Now Well Understood
[Images: USS Jimmy Carter, state-of-the-art fiber tapping in 2005 (Source: Wikipedia); passive fiber-optic tap]
Fiber-optic transmission was once thought extremely secure, but incidents over the past decade have dispelled this myth
• In May 2006, the NSA installed beam-splitters in fiber-optic Internet backbone trunks that routed copies of backbone traffic to a special San Francisco snooping
• Documents leaked by NSA whistleblower Edward J. Snowden in 2013 revealed other incidents of government eavesdropping – domestic and foreign
• The FBI reports that there were 16 known attacks on fiber-optic cables in the San Francisco area in 2015
• Fiber-optic cable tapping was reportedly one of the main missions of the $3.2 billion USS Jimmy Carter (2005)
New laws and heavy fines impact the bottom line
Average organizational breach cost*
UNITED STATES
• 47 states have laws requiring notification of breach involving personal information.
• 29 states have laws that require entities to destroy, dispose, or make personal information unreadable or undecipherable
New Law in NETHERLANDS (Jan 2016)
• Operators will be required to notify affected individuals, unless the compromised data is encrypted or otherwise unintelligible to 3rd parties.
• Fines of up to € 810,000 or 10% of the organization's annual net turnover.
* Sources: IBM and Ponemon Institute LLC. 2015 Cost of Data Breach Study: Global Analysis.
Losses to an organization include:
• Damaging reputation/brand
• Lost revenue
• Lost customers
Are you doing everything you can to protect your data?
• At-rest Encryption
• In-flight Encryption
• Server & Database Security
[Diagram: in-flight transport protocols shown: Fibre Channel, SONET/SDH, Ethernet]
Traditional Encryption Solutions Can Be Cumbersome and Costly
[Chart: throughput comparison at different frame sizes]
L2/L3 solutions can add serious latency vs. L1 solutions. Increased latency directly impacts the user experience.
Amazon reported a one percent revenue increase for every 100 milliseconds of improvement to their site speed.*
* Source: https://www.lireo.com/website-speed-the-power-of-one-second-infographic/
[Chart: annual cost over years 1-5, standard 10G service vs. encrypted 10G service]
Standard 10G service: unencrypted 10G point-to-point service = $2.5K/month*, plus CPE ($56K*), 15% maintenance on CPE, and enterprise managed certificates; NPV = $302K
Encrypted 10G service: encrypted 10G point-to-point service = $3K/month*; CPE and CPE maintenance shown crossed out; NPV = $180K
*20% premium for encrypted 10G vs unencrypted 10G
Healthcare: Secure ultra-low latency transport for highest quality healthcare and efficient collaboration, complying with HIPAA requirements for protecting health information
Finance: Secure financial applications and information with ultra-low latency FIPS-certified encryption that adheres to new and modified cybersecurity laws
Government: Protect sensitive citizen and agency data with FIPS-certified encryption that complies with NIST and DHS requirements, as well as Suite B algorithms
FLEXIBLE CAPACITY
• Enables operators to leverage their choice of 10G, 100G or 200G encrypted wavelengths
3RD PARTY CERTIFICATION
• Ensures proper implementation of cryptographic algorithms and standards
ALWAYS-ON ENCRYPTION
• Eliminates human error
• Guarantees all traffic is always encrypted 24/7
DEDICATED KEY MANAGEMENT
• Provides dedicated key management interface for full end-user control of all security parameters
STRONG CRYPTOGRAPHY
• Deploys the strongest cryptographic algorithms available, including AES-256 and Elliptic Curve Cryptography (ECC) algorithms
ENCRYPTION IN COHERENT DSP
• Offers ultra-low latency & programmable modulation for coherent 100G/200G encryption
Definition
In cryptography, encryption is the process of transforming information (plaintext) using an algorithm (cipher) to make it unreadable to anyone except those possessing special knowledge (key). The result of the process is encrypted information (ciphertext).
[Diagram: Plaintext -> Cipher (with Key) -> Ciphertext]
1. Authentication = TRUST
Authentication refers to the ability to confirm the identity of the other entity. In other words, before sending and receiving data, the identities of the receiver and sender are verified.
Solutions can leverage industry standard Public Key Infrastructures (PKIs) for authentication purposes
2. Encrypted Data Exchange
Authentication
• Diffie-Hellman (DH) Algorithm: Defines secure key exchange over a clear channel
• Elliptic Curve Cryptography (ECC) Algorithms: An approach to public-key cryptography requiring smaller keys to achieve the same level of security as 1st-gen public key cryptography systems
Encryption Algorithms
• Advanced Encryption Standard (AES): Defines the encryption engine; supports various key sizes (56-, 128-, 256-bit)
Encryption Standards
• Federal Information Processing Standard (FIPS): FIPS 197 certifies the AES-256 algorithm; FIPS 140-2 certifies the full cryptographic solution
X.509 Certificate Authentication
Supports X.509 certificates for authentication, enabling integration into existing enterprise Public Key Infrastructures (PKI).
Two Sets Of Keys
Offers distinct keys for authentication & encryption functions, making it more difficult to infiltrate vs. a solution that uses only one set of keys or derives one key from the other
• Authentication Keys: X.509 certificate-based authentication
• Encryption Session Keys: fast key rotation, AES-256 certified
Fast Key Rotation
Provides fast, hitless key rotation each second, making it much harder to crack the encryption algorithm vs. a solution with a slow key rotation period of minutes or longer
Best-in-class encryption ensures the highest level of in-flight data security
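The per-second, hitless session-key rotation described above, as an added example that is not Ciena's code: it derives an independent AES-256 session key for each one-second epoch from the DH shared secret with HKDF-SHA256 (RFC 5869), and shows how a receiver keeps accepting the just-rotated epoch so rollover drops no traffic. The shared secret value, the salt label and the `SessionKeyRotator` class are assumptions of this example; the X.509 authentication step and the AES engine itself are outside it.

```python
# Added example (not Ciena's code): per-second, hitless session-key rotation as
# described on the slides, standard library only. The DH shared secret below is a
# constructed placeholder; the 32-byte keys would feed an AES-256 engine (omitted).
import hashlib
import hmac

HASH = hashlib.sha256
ROTATION_PERIOD_S = 1.0     # slides: a fresh session key each second
AES256_KEY_LEN = 32         # AES-256 key size in bytes
GRACE_EPOCHS = 1            # accept the previous epoch's key during rollover

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), truncated."""
    okm, block = b"", b""
    for i in range(1, (length - 1) // HASH().digest_size + 2):
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        okm += block
    return okm[:length]

def epoch_for(time_s: float) -> int:
    """Rotation epoch index; both endpoints compute it from a shared clock."""
    return int(time_s // ROTATION_PERIOD_S)

def session_key(prk: bytes, epoch: int) -> bytes:
    """AES-256 session key for one epoch. Each key is an independent HKDF
    output, so a leaked key does not reveal earlier or later keys."""
    return hkdf_expand(prk, b"session-key" + epoch.to_bytes(8, "big"), AES256_KEY_LEN)

class SessionKeyRotator:
    """Both ends run this over the same DH secret and get identical per-epoch keys."""
    def __init__(self, shared_secret: bytes):
        self.prk = hkdf_extract(b"optical-encryption-example", shared_secret)  # assumed label

    def tx_key(self, now_s: float) -> bytes:
        return session_key(self.prk, epoch_for(now_s))

    def rx_key(self, now_s: float, frame_epoch: int):
        """Hitless rollover: a frame tagged with the current epoch or the one that
        just rolled over is still decryptable; stale or future epochs are refused."""
        current = epoch_for(now_s)
        if current - GRACE_EPOCHS <= frame_epoch <= current:
            return session_key(self.prk, frame_epoch)
        return None

# Constructed placeholder for the DH shared secret (not a real exchange output).
DEMO_SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
```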
Optical encryption solutions should include simplified end-user security management
56%: Enterprises rated the "pain" associated with managing keys/certificates as severe* (encryption key and certificate management is painful)
* Source: Thales e-Security & Ponemon Institute, Global Encryption & Key Management Trends Study, April 2015
[Diagrams: two deployment models]
• Enterprise provided and managed, over a service provider circuit or dark fiber: enterprise managed keys. Enterprise customer manages the security-related aspects of the service at both ends and has full visibility of network performance.
• Service Provider Managed Service: Security Officer (CSO) / enterprise managed keys; the transport network is managed separately. Carrier owns and operates the transport aspects of the end-to-end network; enterprise customer manages the security-related aspects of the service at both ends.
Scaling 10G, 100G and 200G encryption to a variety of applications
• 10G solutions widely deployed
• 100G/200G encryption not only a backbone or infrastructure play – now requested in many enterprise and government projects
Demand for 200G encryption is real