By Scott Palmquist
In today’s worldwide business environment, organizations are sending vast amounts of customer data, product plans and other highly sensitive information across networks all over the world. Most of these companies are sending this data across multiple carrier networks in several different countries. Shockingly, 65% of them are sending their data in clear text, according to a recent Ponemon Institute study.
Many experts agree that encryption is the simplest and single most effective step any organization can take to protect this sensitive information. With the technical advances in the encryption industry and recent headlines about data breaches, network-wide encryption should be deployed by any organization sending data beyond its physically controlled network.
Recently, a lot of attention has been given to encryption technologies that solve the “data-at-rest” problem, due to the highly publicized cases of lost or stolen laptops and data breaches. Hard drive encryption, tape encryption and database encryption are all newer technologies that help protect data at rest. They mitigate the risk of data compromise from a lost or stolen laptop, which is all too common, from someone hacking into your database, or from data leaking out of backup tapes that go missing while being physically moved to an archive location.
However, it seems that we tend to forget that data moves. There is hardly a business today that does not rely on a network for collaboration and for moving data from one place to another. Data in motion is also data at risk, though the risk is different than for data at rest. People don’t steal networks the way they steal laptops. Today, they are after your data, wherever it happens to be.
Let’s explore the three key reasons why now is the time for your organization to take a look at deploying a network-wide encryption solution.
Reason #1 - The Buck Stops with You
You are the custodian of your company’s data, whether the data is your own intellectual property or your customers’ personal identifiable information. The fact that you have been entrusted with this information means you have the responsibility to protect it. Ultimately, this responsibility cannot be transferred.
The bottom line is this: no matter how or where a breach happens, it will always be your fault. You can outsource your security, but you cannot outsource your responsibility. It is your data and you own the responsibility for its safekeeping. Your employees, partners and, perhaps most importantly, your customers trust that you are doing all you can to keep their data safe.
Reason #2 - Privacy Regulations and Intellectual Property Rights Vary by Country
Today’s businesses operate within a worldwide context. The past 20 years of network deployments in the business environment have flattened the earth. Ironically though, the concept of data privacy and intellectual property rights is as varied as the multiple cultures most businesses now operate in.
Some cultures have very stringent rules and regulations on data privacy and intellectual property protection. Other cultures do not have any rules or regulations, or do not enforce them. As a worldwide business, you are sending data to many different countries with varying interpretations of what “private” means.
Around the world, countries are changing the way they look at data privacy. For example, recent regulations in the European Union and in the United States now require corporations to disclose if personal identifiable information has been compromised. Also, in 2005, Japan passed a privacy law for corporations doing business in Japan.
Regardless, laws and regulations change from border to border and you still hold ultimate responsibility for protecting your data.
Reason #3 - Simplified Network-wide Encryption Solutions
Most people wonder, given the topics mentioned above, the global nature of business, and the intense focus on data protection, why more companies are not being more proactive in protecting sensitive information as it travels across these various networks.
The simple answer is that, until recently, there has not been a viable, cost-effective solution. Each generation of networking brings about its own class of solutions. Internet Protocol Security (IPSec) addressed confidential transmissions for companies using the Internet. Transport Layer Security (TLS) solved the transmission security issue for Internet-based Web users. Firewalls protect your corporate network from the Internet. Intrusion detection and prevention systems attempt to alert you to anomalous behavior on the network.
These are very useful network security technologies and they address specific threats to your network. However, once you send your data beyond the border of your physically-controlled network, all of those solutions become irrelevant. End-to-end data transmission encryption is the only protection that actually travels with the data.
End-to-end data protection over multiple network providers introduces the problem of how to quickly and simply add transmission protection on a worldwide scale. To make comprehensive transmission encryption a reality, three technical obstacles had to be overcome: the elimination of tunnels, centralized grouping, and compatibility with real-time communication technology.
Three recent advances in cipher key distribution technology have removed these limitations usually associated with a large-scale, end-to-end encryption deployment.
Elimination of Tunnels
Tunneling is a well-proven networking concept where one data protocol is embedded inside a different protocol. Using tunnels to carry encrypted traffic is the basis of the IPSec security standard and it works well in point-to-point and traditional hub-and-spoke remote access networks. However, the secure tunnel locks the two points together. The encrypted traffic then travels the same path between these two points and essentially creates a secure, but static tunnel for the data within the network.
Secure tunneling does not work when you move from traditional network topologies to more dynamic networking technologies such as MPLS. MPLS networks inherently enable mesh-style network topologies. With a mesh topology, any-to-any communications are now possible on the corporate backbone. End-to-end security with any-to-any connections cannot be accomplished using the old tunneling concept.
The ability now exists to encrypt the data payload while keeping the original addressing information in clear text. This is commonly referred to as tunnel-less encryption. The packet is still authenticated and encrypted, but the addressing information is preserved, which allows the network to dynamically select the best route for the traffic to travel. Static tunnels across the network are no longer required.
To illustrate the complexity and management burden of tunnels in a network, consider the following example. If you have a 100-branch network all communicating to a headquarters location, you would require only 100 tunnels in a traditional network topology. With a meshed network, those 100 branches would each require 100 tunnels, 1 tunnel to corporate and 99 additional tunnels to their other peers, for a total of 10,000 tunnels. To add one more remote location to the mesh you will need an additional 201 tunnels.
There is another aspect of secure tunneling that also had to change. It deals with how cipher keys are used. Secure tunnels set up a key exchange between the secure tunnel endpoints, so each tunnel uses a specific key pair. With any-to-any communications, using secure tunnels between all possible endpoints would require each of them to hold all possible key pairs.
Tunnel-less encryption allows endpoints to be grouped together so they can all share the same cipher key material. Now you can create a group for your entire network, so all endpoints have the same key, or you can segment the network into functional groups. For example, engineering locations could use different keys than the sales offices.
Centralized Grouping Capability
Creating groups with the same cipher keys introduces the next obstacle that had to be overcome for true end-to-end, any-to-any encryption: scalable creation and dynamic distribution of cipher keys. The question is, how do you generate and distribute keys to all the endpoints in your worldwide network securely and quickly? The answer is distributing the same key to all members of a secure group.
The most effective way to distribute these keys is from a central location, but the distribution also needs to be automated. As the security administrator, you set the rules, also called policies, and then key generation and distribution needs to be automatic. This automated generation and secure distribution of group keys is the function of the key server. One or more key servers generate, distribute and control termination or rekey of the cipher key material across all groups.
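As an added example that is not code from CipherOptics or from any product the article describes, the following Go program sketches the two mechanisms the preceding sections explain: a key server that holds the administrator's site-to-group policy, generates one shared key per group and rekeys it on demand, and tunnel-less packet protection in which the payload is encrypted while the addressing stays readable but is bound to the ciphertext as authenticated data, so a router can forward on it and a receiver detects any change to it. The site names, addresses, packet layout, key-generation counter and the choice of AES-GCM are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Header is the clear-text part of a packet: the addresses the carrier routes on
// and the key generation used. It is authenticated but never encrypted.
type Header struct {
	Src, Dst uint32 // IPv4-style addresses, readable by every router on the path
	KeyID    uint32 // key generation, so a peer knows which group key applies
}

func (h Header) bytes() []byte {
	b := binary.BigEndian.AppendUint32(nil, h.Src)
	b = binary.BigEndian.AppendUint32(b, h.Dst)
	return binary.BigEndian.AppendUint32(b, h.KeyID)
}

// Packet is what crosses the carrier networks: clear header, clear nonce, sealed body.
type Packet struct {
	Header Header
	Nonce  []byte // 12-byte AES-GCM nonce, unique per packet under a given key
	Body   []byte // ciphertext followed by the 16-byte authentication tag
}

// GroupKey is one generation of a group's shared AES-128 key, ready for AES-GCM.
type GroupKey struct {
	ID   uint32
	aead cipher.AEAD
}

func newGroupKey(id uint32) GroupKey {
	block, _ := aes.NewCipher(randomBytes(16)) // a 16-byte key cannot be rejected
	aead, _ := cipher.NewGCM(block)            // AES has the block size GCM needs
	return GroupKey{ID: id, aead: aead}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: stop rather than seal traffic with a bad key
	}
	return b
}

// KeyServer holds the administrator's policy (site -> group) and is the only place
// keys are generated; every member of a group receives the same key material.
type KeyServer struct {
	policy map[string]string   // site name -> group name (constructed policy)
	keys   map[string]GroupKey // group name -> current key generation
}

func NewKeyServer(policy map[string]string) *KeyServer {
	return &KeyServer{policy: policy, keys: map[string]GroupKey{}}
}

// KeyFor returns the current key of the group the policy assigns the site to.
// A site absent from the policy gets nothing: membership is decided centrally.
func (ks *KeyServer) KeyFor(site string) (GroupKey, error) {
	group, ok := ks.policy[site]
	if !ok {
		return GroupKey{}, fmt.Errorf("key server: site %q not in policy", site)
	}
	if _, exists := ks.keys[group]; !exists {
		ks.keys[group] = newGroupKey(1) // first request for a group creates its key
	}
	return ks.keys[group], nil
}

// Rekey issues a fresh key and bumps the generation, so packets sealed under the
// old key are recognised and rejected rather than failing obscurely.
func (ks *KeyServer) Rekey(group string) {
	ks.keys[group] = newGroupKey(ks.keys[group].ID + 1)
}

// Seal encrypts the payload under the group key and binds the clear-text header
// to it as associated data: routers can read Src/Dst, but any change to the
// header in transit makes the receiver's authentication check fail.
func Seal(gk GroupKey, src, dst uint32, payload []byte) Packet {
	h := Header{Src: src, Dst: dst, KeyID: gk.ID}
	nonce := randomBytes(gk.aead.NonceSize())
	return Packet{Header: h, Nonce: nonce, Body: gk.aead.Seal(nil, nonce, payload, h.bytes())}
}

// Open authenticates and decrypts with the receiver's copy of the group key: any
// member of the same group can open the packet, members of other groups cannot.
func Open(gk GroupKey, p Packet) ([]byte, error) {
	if p.Header.KeyID != gk.ID {
		return nil, fmt.Errorf("packet uses key generation %d, receiver holds %d", p.Header.KeyID, gk.ID)
	}
	return gk.aead.Open(nil, p.Nonce, p.Body, p.Header.bytes())
}

func main() {
	// Constructed policy: two engineering sites share one key, sales has its own.
	ks := NewKeyServer(map[string]string{"eng-boston": "engineering", "eng-bangalore": "engineering", "sales-london": "sales"})
	boston, _ := ks.KeyFor("eng-boston")
	bangalore, _ := ks.KeyFor("eng-bangalore")
	london, _ := ks.KeyFor("sales-london")
	pkt := Seal(boston, 0x0A000101, 0x0A000202, []byte("design doc v3"))
	plain, err := Open(bangalore, pkt)
	fmt.Printf("same group: %q (err=%v)\n", plain, err)
	_, err = Open(london, pkt)
	fmt.Println("other group:", err)
	pkt.Header.Dst = 0x0A000303 // destination rewritten in transit
	_, err = Open(bangalore, pkt)
	fmt.Println("tampered header:", err)
}
```

Two things the article does not cover are worth keeping in mind when reading this sketch. The channel from the key server to each member must itself be authenticated and encrypted (here the keys are simply handed over in memory), and a shared group key gives every member the ability to seal traffic that looks like it came from any other member, so per-sender accountability and replay protection need separate mechanisms. During a rekey a real deployment also keeps the previous generation for a short grace period instead of rejecting it immediately, as this example does.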
Compatibility with Real-Time Communications
The third challenge to overcome was securing newer, latency-sensitive protocols. Voice and Video over IP and IPTV behave in an any-to-any manner and also require all participants to hold the same cipher key material. They also introduce high-throughput and low-latency requirements. The availability of purpose-built encryption appliances with wire-speed throughput and low latency enables organizations to deploy comprehensive data encryption across their worldwide network without disrupting these critical business applications.
Conclusion
Sending data transmissions across multiple carrier networks, in multiple countries, in the clear is like playing Russian Roulette with your information. The difference is that with your unprotected data streams, it’s not really a question of if you’ll get breached, but when.
The good news is that there is a simple solution. Recent technological advances have made network-wide encryption easy to install, simple to manage and cost effective to operate. There is no longer any reason to gamble with your data.
Scott Palmquist is senior vice president of product management at CipherOptics.