The role of encryption in securing data centre connectivity

Transcription

1 > The role of encryption in securing data centre connectivity

2 >> Contents Introduction... 3 A growing dependence... 4 Key issues and challenges in protecting data in transit... 5 The cost of data breaches Compliance pressures Reducing operating costs Understanding the security risks associated with data in transit Encryption holds the key... 7 Understanding encryption... 8 Choosing the right encryption Conclusion

3 >> Introduction As the volume of data used to conduct day-to-day business continues to grow, enterprises are looking for reliable and cost-effective ways to access, manage, and transport information to ensure maximum availability and minimum impact to operations. In their quest for the perfect balance between data availability and cost savings, companies need to ensure that data security does not get pushed down the priority list. While businesses are generally aware of data breach risks associated with data in storage, they are typically less knowledgeable regarding security procedures associated with data in transit between storage and processing sites. As such, sensitive data often remains unprotected at certain points in the processing chain resulting in significant threats. This situation is exacerbated by popular perception that the computing power required to secure data exchanged through encryption can harm the business by slowing down operational efficiencies. Yet, as global players become increasingly dependent on interconnected systems, a thorough understanding of issues around data transport security is now of vital importance. A data infrastructure is only as strong as its weakest link which can be in many cases data transport. This Guide analyses the security of data in transit, and offers Chief Information Security Officers and Network Architects advice on how encryption can play a positive role without adversely impacting operational performance to enable cost-effective utilisation of data transport resources. 3

4 >> A growing dependence Global business is growing more and more reliant on interconnected systems. These systems are increasingly responsible for carrying critically important data from personal information on clients and employees and sensitive strategic details exchanged on corporate activities, to financial transactions and confidential information vital for business continuity and success. At the same time, corporate data storage requirements have also kept growing; therefore placing a greater demand for high-speed/high-bandwidth services to accommodate this data overload over an increasingly distributed environment. Let s take the example of an insurance company. Typically, an insurance company will retain a record of clients previous claims or other sensitive data and make it accessible to the client 24/7 through call centres that can be spread around the world. At any given point, a call can be placed by any given customer and it will be promptly answered by a call centre representative most likely based miles away from where the data is physically stored. Nowadays, most companies are expected to offer this level of service and deal with enquires without delay. Yet, the information required to answer a simple question a customer may have, often needs to travel around the world. This means that the risk of exposure of the data is significant. Today, companies need to be aware of the fact that not only is the volume of data itself growing, but also the number of occasions when data can be exposed to fraudulent attacks With more data potentially prone to interception over these distributed systems, the protection of its confidentiality and integrity is becoming more and more important. Security breaches can easily cause significant damage both in terms of financial losses and corporate reputation. The latest research by the Ponemon Institute has found that data breaches continue to be very costly for UK businesses. In fact, the average costs per compromised record increased in 2009 by 7% although the average organisational cost decreased slightly from 1.73 in 2008 to 1.68 in Consequently, ensuring end-to-end data security should be a key priority for all businesses looking to reduce unwanted risk and protect their reputation. 4

5 >> Key issues and challenges in protecting data in transit The cost of data breaches Efficiency pressures combined with the growing volume of data used by the enterprise and reliance on interconnected systems are all driving the need for securing data in transit. Moreover, companies need to take into account the cost both monetary and in terms of their reputation should a data breach occur. When a business sustains a data breach, the price is not limited to the mere cost associated with patching the vulnerability, but it also includes mitigating the impact of the breach on the company s reputation. The list of consequences continues with potential legal costs as companies could be exposed to court cases and subsequent judicial actions. Moreover, businesses which find themselves victim of a fraudulent attack could face cumbersome administrative costs. For example, if credit card data is exposed as a result of a compromised data backup system, not only does that information channel need to be re-secured, but card issuers will also need to produce and distribute new credit cards to all affected customers. Compliance pressures Companies are already struggling to come to terms with securing critical data elements to meet the requirements of regulations such as the Payment Card Industry Data Security Standard (PCI/DSS), European Union Data Protection Directives, and Basel II to name just a few. In the near future, existing laws are likely to be modified in order to mandate more specifically the details of what companies should do to achieve compliance. In addition, new and tougher regulations are also expected to make their entrance into the regulatory arena. Many in the industry believe that regulation should go one step further and require entities that are compromised to go public with their breach. Regulations to this effect have already been put in place in certain countries and jurisdictions. In the State of California a law requires companies doing business in the State to inform customers if their records had been leaked and put at risk. About 40 other US states have now followed this lead and adoption of similar legislation throughout Europe is increasingly being discussed. Reducing operating costs In addition to the challenges mentioned above, businesses are faced with the everpresent pressure to reduce operating costs and increase revenues. Yet, growing data volumes mean more complex infrastructures and increased costs. Companies need to be able to distribute data in a reliable and speedy manner adopting a configuration that allows multiple users to share the same infrastructure. When transferring data, businesses can opt to rent a dedicated private line incurring high costs or choose to use a shared infrastructure by buying the bandwidth needed in a much larger pipeline. Whilst the second option is more cost-effective, the data in a shared pipeline is also more exposed to the possibility of interception. As such, businesses are confronted with a dilemma: is it better to choose an expensive dedicated infrastructure or opt for a cheaper shared pipeline exposing data to a greater risk of being breached? 5

6 Understanding the security risks associated with data in transit There is a pressing need to increase awareness around the risks associated with data in transit and to correct the misconception that data at rest is more vulnerable to attacks because it is stored in one location. Data centres are typically secured through both physical and virtual access control mechanisms; there are specific industry standards that define protection measures against a wide range of threats from fraudulent attacks to natural disasters that may cause a data centre to lose information. By way of contrast, data in transit has a dramatically higher level of exposure. However, because there is generally limited knowledge about what happens to data in transit, it is difficult to determine the real extent of the threats. Therefore, it is crucial to have the certainty that data hasn t been copied, altered or compromised at any point during processing including storage and transit. For example, the information may have been copied and still reach its final destination or data may have been altered in such a subtle way that, if undetected, could cause subsequent harm. 6

7 >> Encryption holds the key The tried and tested technique of data encryption is already widely used to protect storage networks holding highly confidential and mission-critical data. Because data in transit is part of this overall fabric, security of the transport infrastructure must be part of the solution to the challenge. Encryption is widely accepted as the most effective way of securing data on the market today and, while it may not be the silver bullet to ensure complete data security, it can go a long way towards addressing the security issues affecting today s highly distributed business environment. For example, organisations that use disaster recovery sites typically rely on periodic backup data transfer connections or tapes sent via a secure courier. If the information is intercepted in transit or if the courier misplaces a tape bearing sensitive data, the company will then incur all the costs already mentioned. However, if the same scenario occurs and the intercepted connection or lost tape contains encrypted data, the information would not be accessible to an unauthorised party and will thus remain uncompromised. As an end-to-end security mechanism, encryption is increasingly favoured by regulators and policy makers. Because of the black and white nature of the technology, data is either secure or unsecure; a very measurable parameter that is well received by auditors and regulators. In addition, by encrypting data, businesses can achieve a more secured end-to-end environment that enables them to use shared infrastructure for data transit without compromising security. 7

8 >> Understanding encryption The basic purpose of encryption is to take clear text, such as the text you are now reading, and apply a predefined algorithm to this text to make it unreadable to an unauthorised user entity. An encryption algorithm is a mathematical process performed on the clear text data that turns the clear text into this protected text. The algorithms used are industry-standard ciphers such as the Data Encryption Standard (DES) or the Advanced Encryption Standard (AES). Often these algorithms perform mathematical functions on each byte of data or they shift and move data within individual bytes; alternatively, they can perform a combination of these actions. Anything but the simplest of encryption algorithms use encryption keys to make the algorithm more complex or harder to crack, thereby making the encrypted text more secure. The encryption key is a unique string of data that is added into the encryption algorithm and assists or alters the way in which the encryption algorithm works. Encryption keys are often generated from passwords or random data. Encryption is a powerful security resource that enterprises can use to provide a more in-depth security strategy. If other security measures such as physical barriers, firewalls, or intrusion detection systems fail, then encryption can act as the last line of defence and ensure that stolen data is still not readable to the unauthorised entity. Unfortunately, at present, encryption often goes unused at certain points in the data processing chain as the computing power it requires can sometimes slow down operations or transactions depending on where it is applied. For example, many businesses today rely on Network Layer 3 Internet Protocol (IP) encryption for most security needs. Layer 3 encryption - referring to the Open System Interconnect (OSI) model for data networking - can add significant overhead to the data exchanged and can adversely impact the efficiency of operations. Encryption however can take many different forms and it is a matter of using the most efficient and suitable form to effectively protect a company s data. Choosing the right encryption Many data centres today rely on Layer 3 encryption based on IP Security (IPSec). IPSec is the standard typically used in Virtual Private Networks (VPNs) that segregate and protect private traffic within a public shared network infrastructure. There are seven layers where encryption can be applied, each corresponding to the layers defined by the OSI model for data networking. These include: physical, data link, network, transport, session, presentation and application. These range from Layer 1 encryption which concerns the physical connections all the way up to Layer 7 which encrypts applications. As previously stated, Layer 3 encryption significantly expands the size of the data packet, thus impacting operational throughput by up to 40 per cent and adding latency or transfer delay by up to 60 per cent, depending on the type of data packets being processed. Because data centres process large amounts of data, the inefficiency of this technology has become unacceptable for many businesses, particularly in the current economic climate as they look to cut costs. An alternative is Layer 2 or Data Link Layer encryption, which only adds minimal data frame expansion, resulting in a significant performance advantage, allowing businesses to reduce operating costs and increase operational capacity. 8

9 Layer 2 backbones are primarily used for high-speed/high-data throughput connecting network nodes in point-to-point and increasingly fully-meshed multipoint configurations. In order to achieve high-speeds, hardware encryption is predominantly employed. Encryption at this level encapsulates all protocols crossing the link, unlike Layer 3 where only IP packets are encrypted. A Layer 2 encryptor does not consider the nature of the traffic, it is only concerned with deciding whether a link with a particular destination must be encrypted or not, so consequently its decision database has far fewer rules, resulting in a solution that is simpler and less expensive to manage. Layer 2 encryption is also independent of network configurations, so changes to the Local or Wide Area Network (LAN/WAN) do not require the involvement of the manager responsible for the encryption devices. For these reasons, Layer 2 encryption is much more flexible and also provides platform independence because client systems do not require special software or hardware to manage routing decisions. Layer 2 solutions, because of their simplicity, can also save time and money as they require little or no configuration and maintenance once deployed. Layer 2 encryption is characterised by the fact that it creates the least latency and overhead drain on a network over any other encryption alternative. Encryption solutions for Layer 2 are commonly used from sub 1 Mbps speeds copper infrastructures up to 10 Gbps or higher with optical fibre connections. Typical applications of Layer 2 encryption at the enterprise level include data centre connectivity to branch sites, and point-to-point and fully-meshed multipoint connections between sites where - because of the nature of the traffic - latencies cannot be tolerated, and where - because of the nature of the operation - a simplified solution with little or no configuration and maintenance is desired for deployment. Layer 2 encryption technology allows organisations to implement a security solution quickly with minimal network disruption while preserving current investments. Businesses requiring both security and multiple protocols often consider strong encryption at Layer 2 to protect sensitive mission-critical functions for the network backbone and network access. 9

10 >> Conclusion Encryption does not have to be slow and expensive. If properly implemented and managed, it is a valuable business tool and constitutes a clear advantage. Not only does encryption protect data at rest, but it also has an important role to play in making data in transit more secure by protecting its confidentiality and integrity, and enabling the enterprise to take advantage of more cost-effective shared and interconnected systems. Moreover, regulations, market forces and sheer practicality are already shifting the encryption landscape. The debate has moved beyond whether or if encryption should be adopted and now the conversation is about how and where encryption should be deployed. A well thought-through approach to encryption and key management which encompasses end-to-end data, including data in transit, will stand any company in good stead in meeting its current and future data security requirements. 10

11 Thales Security Solutions & Services > > > Americas THALES e-security, INC North Commerce Parkway Suite 200 Weston Florida USA T: or F: E: Asia Pacific THALES TRANSPORT & SECURITY (HONG KONG) LTD. Units /F Vicwood Plaza 199 Des Voeux Road Central Hong Kong, PRC T: F: E: Europe, Middle East, Africa THALES e-security LTD. Meadow View House Long Crendon Aylesbury Buckinghamshire HP18 9EQ. UK T: +44 (0) F: +44 (0) E: Thales February 2010 MGD0951 This document is issued by Thales Information Systems Security (hereafter referred to as Thales Information Systems Security) in confidence and is not to be reproduced in whole or in part without the prior written approval.