By Casimer DeCusatis
Making Light Work of Encryption
Data security has been in the news a lot lately, and your organization has good reason to be concerned. While cybersecurity was once considered a niche market, we now live in an era where privacy, ethics, and security make headlines on a daily basis. So far this year alone, we’ve seen a virus crafted from stolen military technology that knocked out hospital operating theatres and forced ambulances to re-route to different destinations; multiple attacks against nuclear and other types of electric utilities, including one that left 600,000 people in the dark in the middle of winter; and one of the country’s largest credit bureaus losing personal data on half the U.S. population. Many computer security experts feel that we’re approaching a tipping point in the way we deal with the growing number and frequency of online threats; decisions we make in the coming months may affect our lives for many years to come. Data security has many facets, and there’s no single silver bullet that can solve all our problems. However, as optical engineers, educators, and technical professionals, we should do what we can to help close the window of vulnerability facing all of our major computer systems.
OFC has certainly demonstrated an interest in cybersecurity for many years. Their annual report on optical capacity, reach, agility, and control is a bellwether for the optical fiber industry, and suggests novel approaches to security involving SDN, NFV, and other technologies. In this blog, I’d like to talk about one aspect of this work, namely the growing interest in physical layer encryption.
Growing Interest in Physical Layer Encryption
High quality encryption (AES 256 or above) with cryptographic random number generation can be applied to the application, transport, IP, or MAC layers (and sometimes to multiple layers at once). But for large enterprises and cloud service providers, it can be challenging to keep track of which layers are encrypted for which application; miss just one, and you’ve provided an opening for a cyberattack. Encryption at the physical layer has the advantage of being the last step before your data is transmitted across a fiber optic network, so encryption there can protect all the applications above the optical layer. There’s been a lot of interest in this topic, with most of the major long distance optical network equipment providers offering some form of protection. For example, Ciena’s WaveLogic platform offers line rate encryption up to 200 Gbit/second, fast encryption key rotation (on the order of seconds), and AES 256 with Elliptic Curve Cryptography (ECC). These features are so important that a dedicated security portal manager (MyCryptoTool) is available to provide an end-to-end view of network security. Similarly, Adva has offered an encryption domain manager, ConnectGuard, which is separate from their typical network management system (to improve security). The additional latency and power penalties associated with data encryption are an important tradeoff to consider, and solutions such as those from Adva and Ciena attempt to design in low latency to keep encryption transparent to the end user. This is particularly important for cloud computing environments, prompting many other companies to present their energy efficient, low latency hardware solutions at OFC.
Service Providers
Most recently, Level 3 announced their adoption of AES 256 encryption technology for their SDN network platforms. The company is currently in the process of being acquired by CenturyLink in a $34 billion deal that started last year. This acquisition is intended to make both companies more competitive with their chief rivals by increasing the total fiber mileage and providing additional fiber access in key metropolitan cities and overseas markets. Verizon currently controls about 800,000 route miles of fiber, while AT&T has nearly a million route miles; the Level 3 acquisition would almost double CenturyLink’s fiber route miles to about 450,000. Not only will optical encryption solutions be available on such a huge fraction of the network market, Level 3’s technology will be supported by Google Cloud Platform and Amazon Web Services (currently, neither Microsoft Azure nor IBM SoftLayer has announced support for this feature).
Traditional enterprise computing centers are exploring other ways to secure their data. While most cloud platforms use low cost, commodity x86 type servers, many Fortune 500 companies still rely on mainframe-class enterprise computers for their back end workloads. The high performance of these platforms makes it possible for them to support direct network security session termination within the server (as opposed to placing network appliances in front of the server). Many of these companies may rely on optical encryption as only part of their overall solution, while the enterprise servers use other approaches such as dedicated cryptographic co-processors, symmetric hardware-based encryption engines, direct termination of web socket interfaces, and native support for third-party authentication gateways, supported by major college research collaborations. The tension between these two approaches is likely to be another hot topic for discussion at the next OFC annual meeting.
What do you think…are you in favor of as much encryption-hardened fiber as we can get, or (like another colleague of mine) are you one of those people whose password was compromised so often they had to rename their cat three times last year? Drop me a line on my completely unsecured Twitter account @Dr_Casimer, and let me know what kind of security you’ll be deploying in your optical network.
Posted: 23 October 2017 by Casimer DeCusatis