Data security and the role of the network

by anandar on 02-24-2014 07:10 AM

Insider attacks. Surveillance. Hackers wanting to break into a network. Today's ubiquitous, always-on connectivity means that IT administrators should take extra precautions to safeguard their information assets from snoopers.

 

Consider the following:

  1. A survey of North American enterprises by Infonetics in January 2014 showed that 60% of respondents rated data security as the biggest barrier to deploying a cloud service. This concern from IT administrators is understandable because reports of data theft continue to fill the airwaves and our newsfeeds.
  2. In today's global enterprise, multi-site connectivity is delivered over a third-party provider network. In an information-based economy, how does one ensure that data flowing between sites is protected from intrusion?
  3. Many industries have strict regulations around data protection. As enterprise boundaries become more fluid with the use of outsourced providers for anything outside an enterprise's core competence, it becomes essential for the "outsourcer" to take adequate security measures. The outsourcer can be any provider of a service: a law firm, a marketing event-management firm, a human-resource provider, a payroll processor, etc.

Data security, meaning that only authorized parties can access data, has to be addressed at multiple levels. This includes security measures for data-at-rest as well as data-in-flight. Historically, privacy for data-in-flight has been handled primarily at the application layer: HTTPS, SSL, and secure file transfer protocols are all mechanisms to achieve this. All of these are absolutely required, but isn't it time we looked at data privacy as a foundational element of the network? Wouldn't it be so much more efficient if the underlying network could assure the privacy of data in flight via appropriate encryption mechanisms? Not only do such network-level encryption mechanisms make data exchange more secure irrespective of the application; they also prevent eavesdroppers from collecting valuable metadata. In certain cases (e.g. inter-data center links), handling encryption at the network level is the optimal way to do this. In other situations, network-level encryption prevents collection of metadata, which itself could provide valuable clues to the snooper.

 

Network-level encryption can be done at the Ethernet link layer using MACsec or at the IP layer using IPsec. MACsec is now standardized as part of IEEE 802.1AE. Similarly, a suite of protocols has been standardized for IPsec as part of several IETF RFCs. Network-level encryption is not new, but concurrent advances in both encryption and semiconductor technologies now make it possible to encrypt at high performance, at scale, and at a dramatically lower cost. Administrators then have a new tool in their portfolio to insure against violations in data security during data-in-flight transfers.
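To make the metadata argument concrete, the following added example (not part of the original post) parses three constructed frames and reports which header fields an on-path observer can read without any key: TCP carrying application-layer encryption, IPsec ESP, and MACsec. The addresses, SPI and payload bytes are made up, ESP is assumed to run in tunnel mode between two gateways, and `visible_metadata` is a hypothetical helper name.

```python
import socket
import struct

def visible_metadata(frame: bytes) -> dict:
    """Header fields an on-path observer can read from one frame without any key."""
    seen = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x88E5 and len(frame) >= 20:  # MACsec: SecTAG is clear, the rest protected
        tci_an, _short_len, pn = struct.unpack("!BBI", frame[14:20])
        seen.update(layer="macsec", packet_number=pn, encrypted=bool(tci_an & 0x08))
        return seen
    if ethertype != 0x0800 or len(frame) < 34:  # only IPv4 is modelled in this example
        seen["layer"] = "unparsed"
        return seen
    ihl = (frame[14] & 0x0F) * 4
    seen["src_ip"] = socket.inet_ntoa(frame[26:30])
    seen["dst_ip"] = socket.inet_ntoa(frame[30:34])
    proto, l4 = frame[23], frame[14 + ihl:]
    if proto == 50 and len(l4) >= 8:  # ESP: only SPI and sequence number are readable
        spi, seq = struct.unpack("!II", l4[:8])
        seen.update(layer="ipsec-esp", spi=spi, seq=seq)
    elif proto == 6 and len(l4) >= 4:  # TCP carrying TLS: ports stay readable
        sport, dport = struct.unpack("!HH", l4[:4])
        seen.update(layer="tcp", src_port=sport, dst_port=dport)
    else:
        seen["layer"] = "ipv4"
    return seen

# --- constructed sample frames (addresses, SPI and payload bytes are made up) ---
def _eth(ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex("020000000002020000000001") + struct.pack("!H", ethertype) + payload

def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))  # checksum left at 0
    return hdr + payload

OPAQUE = bytes(range(32))  # stands in for ciphertext
TLS_FRAME = _eth(0x0800, _ipv4("10.1.1.10", "10.2.2.20", 6,
                 struct.pack("!HH", 49152, 443) + bytes(16) + OPAQUE))
ESP_FRAME = _eth(0x0800, _ipv4("198.51.100.1", "203.0.113.1", 50,
                 struct.pack("!II", 0x1000, 7) + OPAQUE))
MACSEC_FRAME = _eth(0x88E5, struct.pack("!BBI", 0x2C, 0, 7) + bytes(8) + OPAQUE)

if __name__ == "__main__":
    for name, frame in [("TLS", TLS_FRAME), ("ESP tunnel", ESP_FRAME), ("MACsec", MACSEC_FRAME)]:
        print(f"{name:10} {visible_metadata(frame)}")
```

With application-layer encryption the end-host addresses and service port remain readable; with ESP in tunnel mode only the gateway addresses, SPI and sequence number do; with MACsec only the link-local MAC addresses and SecTAG do.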

 

The 2013 Data Breach Investigations Report by Verizon mentions that 66% of data breaches remain undetected for months! As an IT administrator, wouldn't implementing network-level encryption give you better peace of mind that your enterprise's valuable data is protected from unauthorized attempts to access it?
