Security breaches continue to grow at an alarming rate. And with cybercrime costing companies over $400 billion annually, enterprises and network operators must upgrade security for their business-critical information — including both data at rest and in flight.
One crucial step in this process is to establish effective Layer 1 encryption and key management as part of a multi-layered security strategy. Layer 1 encryption not only protects business-critical data; it also lowers the cost of ongoing security management.
Why stronger data security is essential now
According to Gemalto’s breach level index, since 2013, security breaches have resulted in the loss or theft of an estimated 5.9 billion data records from enterprises worldwide. This translates into about 47 records every second. In only about 4 percent of these breaches were records encrypted, rendering stolen information useless.
To counteract these trends, enterprises and network operators must recognize that network firewalls and other network perimeter technologies are not sufficient in today’s environment, where data is distributed well beyond the organization’s boundaries.
Familiar perimeter tools must be supplemented by technologies that protect the data itself, particularly when it is in flight, traversing the network. This approach helps ensure that data confidentiality and integrity are preserved and that the network remains highly available and reliable.
Start with an overall strategy
Data security cannot be implemented as an add-on or an afterthought. Instead, best practices call for a holistic security strategy that includes encryption, key generation and distribution, connectivity planning, proper access control, role-based operation, personnel training, and the necessary certifications to ensure compliance with industry standards.
The strategy should also include the coordinated use of multiple security countermeasures to protect the integrity of the enterprise’s information assets. This multi-layered defense approach, also referred to as a “defense-in-depth” strategy, enables a higher level of security for all data.
Build in the benefits of Layer 1 security
Layer 1 encryption is an essential part of an overall security strategy. It delivers wide-ranging cost and performance benefits as well as helping to prevent data breaches:
- Reduced cost – At higher network layers, encryption is costly because many security appliances are needed to protect each data stream, service protocol, and client. Performing data encryption at Layer 1 reduces the cost per encrypted bit by integrating the encryption function into the transport system.
- Lower latency - Higher-layer encryption technologies add significant overhead and multiply the latency of the data stream. Layer 1 encryption, on the other hand, adds almost no additional latency to the transport process (see Figure 1). So it’s highly suitable for low latency, business-critical applications.
- Bandwidth efficiency – Encryption at higher layers (using IPSec or MACSec) adds overhead bytes to the payload, which can substantially reduce the useful payload that can be transported — especially as the packet size decreases. Layer 1 encryption does not add overhead bytes. And therefore can provide the highest bandwidth efficiency, regardless of packet size.
- Transparency – Layer 1 encryption is protocol agnostic, which allows the network to support a variety of client and transport interfaces for both current and future services.
- Improved performance – Hardware-based Layer 1 encryption solutions enable very high bandwidth with encryption of 10/100 Gbps wire speeds and higher. They can provide the scale needed to support current and future services.
- High availability – by employing protection at layer 1, within the transport network, network operators can benefit from mechanisms, like optical span protection, that increases the accessibility of mission-critical data to its rightful owners.
- Management – Key management, exchange, and authentication can be labor-intensive and cumbersome when there are many separate encryption devices and encryption streams to manage. But with Layer 1 encryption, only one encrypted circuit needs to be managed, rather than many IPSec tunnels.
Use strong keys and balanced crypto solutions
The longer it takes to decrypt a message without knowing the key, the stronger an algorithm is considered to be. Say an attacker takes years to decrypt an encoded message. Then breaking the code would not be worth the effort involved, because the information would probably be irrelevant and stale when finally decrypted.
Unbalanced crypto solutions marketed as AES-256–compliant may give the illusion of providing 256-bit security strength when in reality they do not, because they use weak keys. There is a traditional trade-off between encryption strength and its impact on system performance. As a result, the minimum strength necessary is often used, in an effort to affect performance as little as possible.
Asymmetric key negotiation, providing 256-bit security key strength (for example, RSA 15360) is computationally intensive. As a result, many vendors have chosen asymmetric key negotiation (such as RSA 2048) that better fits their control plane processing power. This choice results in substantially weaker security key strength, having only 112-bit strength.
Figure 2 shows that asymmetric keys using RSA 2048 with 112-bit strength are susceptible to quantum computing attacks, leaving them vulnerable to hackers. In contrast, symmetric keys using AES-256 provide 256 bits of strength which are quantum proof.
Therefore, it’s important to match key strength to the encryption algorithm’s strength. Each overall solution will only be as strong as the weaker of those two elements, just as the security of a house is only as good as its weakest lock. For this reason, a “top secret” security standard requiring 256-bit strength should use an AES-256 algorithm with 256-bit key size.
Centralize key management
To be most effective, key management should be centralized across the enterprise or network. This approach offers the following benefits:
- Single point of trust - The number of locations in which keys reside is limited, minimizing the potential for exposure.
- Consistent policy enforcement - Administrators can enforce standards and policies consistently across the network.
- Better encryption and scale – Keys can be created by the central key manager and sent securely for “off-board” encryption and decryption. This method frees up host CPU capacity on the hardware security module and allows the use of stronger, more complex keys. It is especially beneficial when large volumes of data need to be encrypted and decrypted.
- Streamlined administration - Updates can be made once (centrally) and cascaded automatically across the network. For example, this approach enables single-point key revocation and one point to force multi-tenant, synchronized key rotations.
- Unified auditing and remediation - Network security audits, policy compliance, and remediation can all be simplified through the use of audit logs containing all key-related activities. Regular analysis of these logs can enable ongoing improvement in preventative measures.
Get independent validation
Product vendors may state that their products include cryptographic features, are designed to meet industry standards, and follow secure development practices. However, customers must rely solely on a vendor’s trustworthiness, unless independent certification confirms all these statements.
Independent, third-party validation of vendor claims can promote greater confidence that products will perform as described by the vendor — especially if the validations are performed using open, international standards where products are “certified to meet” these standards.
Benefits of third-party validations include:
- Consistent results - Standardized validation methods help to guarantee consistent, unbiased results.
- Credibility – Third parties that use open processes for standards development and publication of results achieve the broadest credibility.
- Higher confidence - Examination against recognized industry-standard metrics and criteria promotes higher confidence that the measures are relevant and complete.
For more information on secure optical transport solutions, see the related materials we’ve provided.
Whitepaper - Security for microwave links
Webpage - Secure Optical Transport solution
Webpage - 1830 Security Management Server