network encryption for financial services
TRANSCRIPT
© Ciena Confidential and Proprietary
Under Lock and Key: Network Encryption for
Financial Services
Secure your Critical Data
Today’s Speakers
Jim Gerrity, Ciena Corporation
Chris Christiansen, IDC
Agenda
Copyright 2012 IDC. Reproduction is forbidden unless authorized. All rights reserved.
Under Lock and Key: Network Encryption for Financial Services
Christian Christiansen
VP, Security Products & Services
IDC
© 2012 IDC
Why Encrypt?
• Enterprise value resides in bits, not atoms
  – Customer data
  – Intellectual property
• Protects critical business information
  – Enforces privacy
  – Facilitates secure sharing of data
  – Maintains data integrity
  – Deleting cloud data
• Compliance requirements
Compliance Regulations are Everywhere
Source: CSC and IDC, 2006
U.S.A.
• FCRA 1970
• PA 1974/1975
• RFPA 1978
• CTVPA 1984
• ECPA 1986
• VPPA 1988
• HIPAA 1996/2002
• COPPA 1998/2000
• DMPEA 1999/2000
• FSMA/GLBA 1999/2001
• Sarbanes-Oxley 2002
Canada
• The Privacy Act 1983
• PIPEDA 2001
Mexico
• eCommerce Act 2000
South America
• Chile – APPD 1998
• Argentina – PDPA 2000
UK/Ireland
• Ireland – DP(A)A 1995/2003
• UK – DPA 1995/2000
Scandinavia
• Sweden – PDPA 1995/1998
• Finland – FPDA 1995/1999
• Denmark – DPRA 1978, APPD 1995/2000
Europe
• Italy – DPA 1995/1997
• Spain – DPA 1995/2000
• Portugal – PDPA 1995/1998
• Greece – PIPPD 1995/1997
• Belgium – LPPLRPPD 1992, DPA 1995/2001
• Austria – DPA 1995/2000
• Germany – FDPA 1995/2001
• Luxembourg – “EUD” 1995/2002
• Netherlands – PDPA 1995/2001
• France – ADPDFIL 1978, “EUD” 1995/Pending
• Eastern Europe – Estonia (96), Poland (98), Slovak (98), Slovenia (99), Hungary (99), Czech (00), Latvia (00), Lithuania (00)
Asia Pacific
• New Zealand – Privacy Act 1993
• Australia – PA/PA(PS)A 1988/2000 2001
• South Korea – eCommerce Act 1999
• Taiwan – CPPDP Law 1995
• Hong Kong – Personal Data 1996
• Japan – J-SOX 2006
Industry standard (payment cards)
• PCI 2004
Reasons For Encrypting
[Bar chart: percent of factors driving deployment of encryption within an organization that were selected as “extremely significant” (N=349). Factors shown: organization policy; safeguard partner information; protect executive or corporate communications; mitigate risk of financial liability; regulatory, audit or legal compliance; prevent public exposure, damage to brand or reputation; protect proprietary or critical company data; safeguard client or customer information. Individual values ranged from 29% to 70%.]
Encryption: Market Drivers
• Encryption is the lynchpin for data security. It is used to protect data in-transit, data-at-rest, and data-in-use.
• Encryption is not undertaken for fuzzy reasons.
• Neat stats
  – 1/3 to 1/2 of enterprises have some data encryption.
  – 75% expect encryption use to increase.
  – The percent of all data encrypted is expected to increase.
Poll Question
What percentage of your corporation’s data is currently encrypted?
a) 0-25%
b) 26-50%
c) 51-75%
d) 76-100%
How much of your data do you expect to be encrypted in the next 24 months?
a) 0-25%
b) 26-50%
c) 51-75%
d) 76-100%
Key Management Perspectives: Quotes
"Of course you, you have this encrypted data and then how do you manage to use it when you need it? You can archive something and encrypt the data but what happens if you lost the key? It is gone forever."
"My key fear is I go out to the tape and the key is dead, wrong, expired, corrupted and I got no backup."
"This is a really dangerous technology in that encryption is a really good way to destroy data as well as protect it."
"If you forget the key, you are toast."
Key Management Perspectives
Encryption Silos
• Full Disk
• File Folder
• Storage
• Backup and Replication
• Database
• Network File
• Data Transfer
• Cloud
All of these need Key Management
Key Management Perspectives: Survey
What is your greatest concern, problem or expectation associated with encryption key management? (Multiple responses possible)
[Bar chart, N=100. Response categories: none/don't know; cost/expense; key expiration; performance; platform compatibility; staff resources/training; system resources; integrity; losing the key; safety/security of keys; management/implementation. Individual responses ranged from 3% to 21%.]
Key Management System
• The most important part of a secure encryption system
• The purpose of a KMS is to provide life-cycle management of cryptographic keys in a great variety of scenarios.
• A strong KMS is imperative to successful encryption operations
"Key management, it’s how do I make sure, absolutely sure that I can take all this information off site in the event of a disaster and get valid keys recovered so we can actually read the data."
• KMS must be robust, secure, and inspire confidence
Enterprise Key Management Concept
[Diagram: a central Key Archive Service serves Site 1, Site 2 and Site 3. The encrypting endpoints at the sites are tape libraries, disk arrays, NAS / file servers and database / application servers.]
EKMS Required Attributes
• Key Management Policy, Standards, Procedures
• Key Generation, Distribution, Retention, Destruction
• Scalability – multiple applications and locations
• Automation
• Audit
• Highest Level of Security - Hardware Protection
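The following is an added illustration, not Ciena's or IDC's code, of the key archive service and the lifecycle attributes listed above (generation, distribution to sites, retention, destruction, audit). Key material is held in process memory purely for demonstration; the names, states and audit format are assumptions.

```python
"""Added key-archive model (not Ciena/IDC code): generate, distribute, retain,
destroy and audit. Key material sits in memory here only for illustration."""
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class KeyRecord:
    key_id: str
    material: "bytes | None"     # None once destroyed (zeroized)
    state: str                   # active -> retained -> destroyed

class KeyArchive:
    """Central key archive serving several sites (a real one keeps keys in an HSM)."""
    def __init__(self):
        self.keys = {}
        self.audit = []          # (event, key_id, actor) tuples
    def _log(self, event, key_id, actor):
        self.audit.append((event, key_id, actor))
    def generate(self, actor):
        """Fresh 256-bit key; the id is a fingerprint, never the key itself."""
        material = secrets.token_bytes(32)
        key_id = hashlib.sha256(material).hexdigest()[:16]
        self.keys[key_id] = KeyRecord(key_id, material, "active")
        self._log("generate", key_id, actor)
        return key_id
    def distribute(self, key_id, site, actor):
        """Hand an active key to a site; retained or destroyed keys are not issued."""
        rec = self.keys[key_id]
        if rec.state != "active":
            raise PermissionError(f"{key_id} is {rec.state}")
        self._log(f"distribute:{site}", key_id, actor)
        return rec.material
    def retain(self, key_id, actor):
        """Stop new use but keep the key recoverable for existing ciphertext."""
        self.keys[key_id].state = "retained"
        self._log("retain", key_id, actor)
    def recover(self, key_id, site, actor):
        """Disaster recovery: a site that lost its copy asks the archive."""
        rec = self.keys[key_id]
        if rec.state == "destroyed":
            self._log(f"recover-denied:{site}", key_id, actor)
            raise KeyError(f"{key_id} destroyed: its ciphertext is gone for good")
        self._log(f"recover:{site}", key_id, actor)
        return rec.material
    def destroy(self, key_id, actor):
        """Zeroize; after this nothing encrypted under the key can be read."""
        rec = self.keys[key_id]
        rec.material, rec.state = None, "destroyed"
        self._log("destroy", key_id, actor)
```

The recover-after-destroy path is the "if you forget the key, you are toast" case from the quotes above, made explicit in the audit trail.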
Analyst Thoughts
• Technology is mature and stable.
• Many see encryption as unreliable and dangerous.
• Concerns must be met head-on, especially regarding data recovery.
• Recommend hardware keying material protection.
• Dedicated encryption vendors can greatly increase comfort level.
Closing Comments
• Information exceedingly valuable
• Encryption is the lynchpin for storage/information protection
• The amount of data being encrypted will continue to increase
• Many encryption silos, but robust enterprise key management can tie it together.
• Buy for Today, Plan for Tomorrow
Network Encryption for Financial Services: Secure your critical data
Agenda: Part 2
Encryption for Financial Services Business Overview and Objectives
Financial services run on information. …
• Information needs to be networked and shared among geographically dispersed locations.
• Institutions rely on secure, highly available networks to deliver applications and services.
• Financial institutions have significant risks in the areas of data security, compliance and liability.
• Financial firms must be vigilant in protecting IT infrastructure from increasing security threats.
Why Information Security is Critical for Financial Services Businesses
Regulations & Privacy Laws
• Tougher compliance legislation: Safe Harbor Act, EU Data Protection Act, and Data Protection and Misuse Act (UK), SEC, others
• Higher fines: Sarbanes-Oxley, PCI-DSS and GLBA
• Tougher information security standards: Basel II financial accords and the Sarbanes-Oxley (SOX) Act
Increasing Threats
• More frequent security breaches: 58% increase reported in 2011/12 vs. previous year
• More costly incidents: $7.2m per incident in 2011 (compared to $1.5m in 2005)
Cloud Security Concerns
• Security concerns hindering cloud services adoption, delaying huge economic benefits for financial services companies.
Security Building Blocks
A comprehensive IT security approach must encompass not just server security and at-rest encryption, but also a robust in-flight encryption solution.
• At-rest Encryption
• In-flight Encryption
• Server & Database Security
Common Mistakes About Optical Network Security
“I don’t see the business justification for encrypting my data”
1. My network transport technology is inherently safe. It’s fiber optic.
2. We transport so much data, nobody will ever find what they’re looking for.
3. If someone is eavesdropping, we’ll detect it.
Don’t be fooled.
The only guaranteed preventive technique is encryption
Encryption 101
Definition: In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge. The result of the process is encrypted information.
• Advanced Encryption Standard (AES)
  – Key sizes (56-, 128-, 256-bits), e.g. AES-256
• National Institute of Standards and Technology (NIST)
• Federal Information Processing Standard (FIPS)
  – FIPS 197
  – FIPS 140-2
What Type of Encryption?
1. Protect at the application layer
  – Inefficient use of bandwidth
  – Added cost & complexity
  – Labour-intensive key management
  – Can add serious latency
  – Protocol-specific
2. Protect at the network transport layer
  – Fewer network elements
  – Wire-speed data throughput
  – Ultra-low latency
  – Protocol-agnostic
Ciena Network Encryption Architecture
[Diagram: certified AES-256 encryption, multi-client (Ethernet, Fiber Channel), over an Ethernet, WDM, SONET/SDH or OTN network. Secure the network; protect your data. Hardware-based; protocol agnostic; FIPS certified; network independent; enterprise-managed keys; Network Security Dashboard.]
• Efficient, hardware based, ultra-low latency AES-256 encryption
• FIPS-certified solution with no throughput degradation and no service impact
• Protocol agnostic for a simplification of the encryption network architecture; wire speed encryption from 10Mb/s – 10Gb/s
• Encryption key management partitioned from transport management
Network Encryption Deployment Options
Add-on Appliance (enterprise provided and managed at each end, enterprise managed keys, over a private or service provider network)
• Lowest OPEX
• Full key control and visibility of network performance
Carrier Managed Encryption Service (service provider managed service, enterprise managed keys)
• Full network integration
• Lowest CAPEX
• Maintain in-house key management and visibility of network performance
Encryption Key Management
Partitioning encryption management from transport management for managed service applications:
• Service provider manages transport network
• End-customer manages encryption provisioning
• View access to encryption alarms and logs
• SP hosted web portal
Enterprise-managed keys; service provider managed network.
Bob, the Service Provider, monitors and manages the transport system. Bob cannot view or edit keys provisioned by Mary.
Mary, the bank’s CSO, manages the service’s encryption parameters (e.g. keys). Mary can view alarms related to her service but not those of the entire system.
Network Security Dashboard (NSD)
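An added example, not Ciena's NSD implementation, of the Bob/Mary partition described above as an authorization check: the service provider role may manage transport and read every alarm but never touch keys, while the customer role may provision and read keys and alarms only for its own service. Role names, resource names and the audit format are assumptions.

```python
"""Added model (not Ciena's NSD code) of the partition described above: the
service provider (Bob) manages transport and sees all alarms, the customer
(Mary) provisions keys for her own service and sees only its alarms."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    role: str                 # "service_provider" or "customer"
    service_id: str = None    # the customer's own service; None for the SP

# resource -> actions permitted per role (constructed for this illustration)
PERMISSIONS = {
    "service_provider": {"transport": {"read", "write"}, "alarms": {"read"}, "keys": set()},
    "customer":         {"transport": set(), "alarms": {"read"}, "keys": {"read", "write"}},
}

class NetworkSecurityDashboard:
    def __init__(self):
        self.keys = {}          # service_id -> key fingerprint (never the key itself)
        self.alarms = []        # (service_id, text) sample alarms
        self.audit = []         # every decision, allowed or denied

    def authorize(self, who, action, resource, service_id):
        """Role decides which resources; customers are also scoped to their own service."""
        allowed = action in PERMISSIONS[who.role].get(resource, set())
        if who.role == "customer" and service_id != who.service_id:
            allowed = False
        self.audit.append((who.name, action, resource, service_id, "allow" if allowed else "deny"))
        return allowed

    def provision_key(self, who, service_id, fingerprint):
        if not self.authorize(who, "write", "keys", service_id):
            raise PermissionError(f"{who.name} may not provision keys for {service_id}")
        self.keys[service_id] = fingerprint

    def view_keys(self, who, service_id):
        if not self.authorize(who, "read", "keys", service_id):
            raise PermissionError(f"{who.name} may not view keys for {service_id}")
        return self.keys.get(service_id)

    def raise_alarm(self, service_id, text):
        self.alarms.append((service_id, text))

    def view_alarms(self, who):
        """SP sees the whole system; a customer sees only alarms on her service."""
        return [a for a in self.alarms if self.authorize(who, "read", "alarms", a[0])]
```

Denied attempts are recorded in the audit list alongside allowed ones, which is what lets the customer verify that the provider never reached her keys.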
Ciena Encryption Solutions
• 565*: 2RU, up to 2 10G services
• 5100*: 2RU, up to 4 10G services
• 5200*: 11RU, up to 16 10G services
* Integrated C/DWDM/OTN functionality
10G and lower-speed (<10G) encrypted services
Solution types: OTN Integrated Encryption; GigE MAN/WAN Encryption; SONET/SDH Network Encryption; OTN Link Encryption
• 5130 SAN/LAN Optimization Appliance: 2RU, up to 4 1G encrypted services; hardware compression; supports Layer 1, 2 and 3 WAN networks
1. GigE Link Encryption
Securely transport compressed and encrypted GbE data across a carrier’s unsecured MAN/WAN.
[Diagram: GbE and FC100 clear-text clients at each site; up to 6 independently encrypted and compressed GbE WAN ports; unsecured carrier network between the sites.]
2. SONET/SDH Encryption
Secure transport of 10GbE LAN PHY across a carrier’s legacy STS-192c / VC4-64c SONET/SDH infrastructure.
[Diagram: 10GE LAN PHY (clear text) at each site, carried as encrypted 10G SONET/SDH across the carrier’s SONET/SDH network.]
3. OTN Link Encryption
Securely transport encrypted data across a carrier’s switched Optical Transport Network (OTN) infrastructure.
[Diagram: OTN / WDM multiple client types at each site (10GE LAN PHY; FC800/FC1200; OC-192/STM-64; OTU2(e) (indirect); uncompressed HD/3G video; 1GbE, FC100/FC200, OC-48, …), carried as encrypted G.709 OTU2(e) across a switched OTN infrastructure network.]
4. OTN Integrated Encryption
Light encrypted optical waves directly on dark fiber or deploy fully-integrated managed wavelength services.
[Diagram: OTN / WDM multiple client types (10GE LAN PHY; FC800/FC1200; OC-192/STM-64; OTU2(e) (indirect); uncompressed HD/3G video; 1GbE, FC100/FC200, OC-48, …) encrypted onto the wavelength.]
Ciena Solution Benefits
Features
• Ultra-low latency AES-256 encryption
• FIPS 197 and 140-2 Level 2 certified
• Scalable from 1GE to multiple 10/40/100G
• Reliable: fast path protection; hitless SW upgrades
• 10GE mapping into commonly available WAN protocols, i.e. SDH, WDM, OTN, Ethernet
• Multi-client support
Benefits
• The security of a FIPS-certified low latency AES-256 encryption engine
• The flexibility to optimize CAPEX and OPEX budgets: deploy a secure private optical network or a carrier managed encryption service
• Support for multiple client types and multiple network types
• The control of in-house key management and visibility of network performance
Network Security Dashboard
• Encryption key management partitioned from transport management
• Added flexibility in either an operator or enterprise-maintained infrastructure.
Network Encryption Value Proposition for Financial Services
Under Lock and Key: The Need for Wire-Speed Encryption in Financial Services
"Financial services firms are increasingly turning to wire-speed encryption to ensure that sensitive data is protected across a distributed enterprise." – Wall Street & Technology Journal, 2012
"…data breaches against financial institutions happen far more frequently than reported in the media. ‘Everybody has data leakage; it’s just a matter of when you find it.’" – Ernst & Young VP quoted in Bank Systems & Technology, 2012
"Security leaders are more accountable to the business now. Their audience is expanding." – CIO, Insurance, IBM Security Assessment Survey, 2012
"Security leaders are going to become more key to their organizations, their budgets will increase and they will move from the fringe to being embedded." – Line-of-business Director, Banking, IBM Security Assessment Survey, 2012
"Wire-speed encryption can help financial firms protect their data from unauthorized users as it moves across the network." – Wall Street & Technology, 2012
"In general, the role of information security will be moving away from specific risks to global risks. The role will be much larger than it used to be." – Finance Director, Insurance, IBM Security Assessment Survey, 2012
A critical component of a comprehensive IT security strategy
Questions?
Thank you!