Why in-flight encryption is a vital service opportunity for network service providers

We live in an age where security demands to be at the centre of public and private life.

Businesses and consumers alike are being exposed to data security breaches at a greater rate than ever before. Recent figures from the Information Commissioner's Office (ICO) show that 58 per cent more breaches were reported in 2011/2012 than in the previous year.

Further research from PwC shows some 70 per cent of large organisations in the UK detected significant attempts to break into their networks in the last 12 months, costing them on average between £110,000 and £250,000 a year.

The stakes are high for business and government entities, and the response to this escalating threat is growing, particularly in the form of additional security mandates and regulations. Such requirements are now unavoidable for organisations in sectors such as finance, healthcare and pharmaceuticals, where security is no longer a convenience but an obligation.

As a result, organisations go to great lengths to protect the information stored in their data centres ('at-rest' data) from potential hacks. Increasingly, an array of techniques is being used by senior IT staff to lock down critical IT infrastructure, including servers, databases, routers and switches, by closely managing user access and use of credentials.

However, the need to ensure security of information is also present beyond the walls of the data centre. As increasing volumes of sensitive information are distributed across global fibre optic networks, a comprehensive IT security approach must now encompass both 'at-rest' as well as 'in-flight' data security to protect information as it travels outside the confines of the enterprise.

In-flight encryption techniques are available that render traffic unreadable to anyone without the key, make any alteration of it detectable, and, when applied at the lowest layers, can even conceal whether any traffic is flowing over a corporation's links at all.

While this technology is undoubtedly essential in preventing cyber crime and protecting intellectual assets, organisations must deploy it at the layer of the network where it will be most effective. Senior IT staff must therefore decide whether to encrypt individual data flows at the application or network layer, or to encrypt the transport beneath them. Note that 'transport layer' in what follows means the optical transport network that carries the traffic, not the OSI transport layer (TCP/UDP).

Many applications in an enterprise network use IP (network Layer 3) for data transfer and communication, which would suggest that encrypting the IP packets themselves, at Layer 3, is the most logical choice. Data is then already encrypted when it reaches the optical network elements for transmission to another location. Provided a sound algorithm and mode are used, this gives a high level of security for IT applications, especially those that are neither data-intensive nor time-sensitive.

While Layer 3 encryption is indeed the logical choice in some cases, when used with some critical enterprise IT applications it can hurt operational efficiency. This is particularly relevant to applications such as real-time disk mirroring for business continuity and disaster recovery, or time-sensitive voice and video transfer. Because a sizeable header and trailer is added to every packet, the effective payload throughput is reduced, and since that overhead is fixed per packet, the smaller the packets an application sends, the larger the proportion of the link it loses.

Furthermore, the per-packet encryption and integrity processing itself adds latency to the data transfer, which can adversely affect higher-level applications and create severe performance degradation.

In cases such as this, the benefits of lower-layer optical transport encryption come into their own. For the more bandwidth-intensive or time-sensitive IT applications, a well-devised and properly implemented encryption solution integrated at the transport layer adds no per-packet overhead and only negligible, constant latency, while adhering to the highest security standards.

Protocol transparency is another key consideration. Enterprise networks are constantly evolving – which means that services that run over them today will probably be different from those utilised in the future. Considering this, it is important that the selected technology supports protocol-agnostic encryption to ensure flexibility to support a variety of transport types.

It goes without saying that deploying encryption flow by flow at the application or network layer does not come cheap. Each traffic stream requires its own encryption device, often specific to the protocol involved, and consumes ports on each WAN network element, adding to the cost and complexity.

With transport layer encryption, also referred to as 'bulk encryption', the entire traffic stream is encrypted, overheads and all, rather than individual applications. This eliminates the need for complicated frame checks and modifications to associated overhead, and provides 100 per cent throughput transport and seamless interworking across multi-vendor networks.
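To put numbers on the overhead argument of the preceding paragraphs, here is an added illustration; it is not from the article or from Ciena. It models the per-packet cost of Layer 3 encryption using IPsec ESP in IPv4 tunnel mode, assuming AES-GCM with a 16-byte ICV and no NAT traversal encapsulation, against a Layer 1 bulk encryptor that adds no bytes to the stream, and it shows what happens when the encapsulated packet no longer fits a 1500-byte MTU and is fragmented. The ESP field sizes are the standard ones; the 38-byte Ethernet framing constant, the cipher choice and the packet sizes in the table are assumptions.

```python
"""Payload efficiency of per-packet (Layer 3) encryption versus bulk (Layer 1)
encryption, as a function of packet size.

Added illustration, not from the article. Assumptions:
  - Layer 3 encryption is IPsec ESP in IPv4 tunnel mode with AES-GCM-16
    (8-byte explicit IV, 16-byte ICV, 4-byte payload alignment), no NAT-T.
  - Ethernet framing costs 38 bytes per frame (preamble/SFD 8, header 14,
    FCS 4, inter-frame gap 12), whatever is inside the frame.
  - A Layer 1 bulk encryptor adds no bytes per frame; the article's "100 per
    cent throughput" is modelled as a wire cost identical to the clear case.
"""
from typing import Optional

ETH_FRAMING = 38        # per-frame Ethernet overhead incl. inter-frame gap (assumed)
OUTER_IPV4 = 20         # outer IP header added by tunnel mode
ESP_HDR = 8             # SPI (4) + sequence number (4)
ESP_IV_GCM = 8          # explicit IV carried per packet for AES-GCM (RFC 4106)
ESP_TRAILER = 2         # pad length (1) + next header (1)
ESP_ICV_GCM16 = 16      # 128-bit integrity check value


def esp_padding(inner_len: int) -> int:
    """Bytes of padding so that (payload + trailer) is 4-byte aligned, the
    ESP requirement for AES-GCM. CBC ciphers would need 16-byte alignment."""
    return (-(inner_len + ESP_TRAILER)) % 4


def esp_tunnel_size(inner_len: int) -> int:
    """Size of the outer IP packet after ESP tunnel-mode encapsulation of an
    inner IP packet of inner_len bytes."""
    return (OUTER_IPV4 + ESP_HDR + ESP_IV_GCM
            + inner_len + esp_padding(inner_len) + ESP_TRAILER
            + ESP_ICV_GCM16)


def ipv4_fragments(packet_len: int, mtu: int) -> int:
    """How many IPv4 fragments a packet of packet_len bytes becomes on a link
    with the given MTU. Fragment payloads must be multiples of 8 bytes."""
    if packet_len <= mtu:
        return 1
    per_fragment = ((mtu - OUTER_IPV4) // 8) * 8
    payload = packet_len - OUTER_IPV4
    return -(-payload // per_fragment)          # ceiling division


def wire_bytes(inner_len: int, mode: str, mtu: Optional[int] = None) -> int:
    """Bytes that cross the wire to carry one inner packet.

    mode: "clear" (no encryption), "bulk" (Layer 1 encryptor, nothing added)
          or "ipsec" (ESP tunnel mode). With mtu set, encapsulated packets
          larger than the MTU are fragmented, and every fragment repeats the
          outer IP header and the Ethernet framing.
    """
    if mode in ("clear", "bulk"):
        return inner_len + ETH_FRAMING
    if mode != "ipsec":
        raise ValueError(f"unknown mode {mode!r}")
    outer = esp_tunnel_size(inner_len)
    n = ipv4_fragments(outer, mtu) if mtu is not None else 1
    return (outer - OUTER_IPV4) + n * (OUTER_IPV4 + ETH_FRAMING)


def efficiency(inner_len: int, mode: str, mtu: Optional[int] = None) -> float:
    """Fraction of wire bytes that are the application's original packet."""
    return inner_len / wire_bytes(inner_len, mode, mtu)


if __name__ == "__main__":
    # Constructed packet sizes: tiny control traffic up to a full 1500-byte IP packet.
    print(f"{'inner bytes':>11} {'clear/bulk':>10} {'ipsec':>8} {'ipsec, MTU 1500':>16}")
    for size in (64, 256, 576, 1400, 1500):
        print(f"{size:>11} {efficiency(size, 'bulk'):>10.3f} "
              f"{efficiency(size, 'ipsec'):>8.3f} "
              f"{efficiency(size, 'ipsec', mtu=1500):>16.3f}")
```

Running it reproduces the pattern the article describes: 64-byte packets carry roughly 40 per cent payload under ESP against 63 per cent in the clear or behind a bulk encryptor; at 1500 bytes the gap narrows to about 94 versus 97.5 per cent; and once the encapsulated 1500-byte packet no longer fits a 1500-byte MTU, fragmentation repeats the headers and framing and pulls efficiency down to about 91 per cent. Clamping the inner MTU or TCP MSS before encryption is the usual mitigation for that last case.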

This approach also presents a significant opportunity for network service providers to offer carrier-managed network encryption. The right transport solution incorporates a standards-compliant encryption engine together with key management tools that let customers control and monitor the security of their own network. With it, service providers can increase customer retention and loyalty and differentiate their service offerings, leading to higher margins and the opportunity to move up the value chain from traditional circuit revenue.

Malcolm Loro is director of enterprise industry marketing at Ciena