Under Lock and Key: Network Encryption for Financial Services. Secure your Critical Data (Ciena, 40 slides)

Uploaded by ciena, posted 20-Aug-2015


TRANSCRIPT

Page 1: Title slide
© Ciena Confidential and Proprietary
Under Lock and Key: Network Encryption for Financial Services
Secure your Critical Data

Page 2: Today’s Speakers
• Jim Gerrity, Ciena Corporation
• Chris Christiansen, IDC

Page 3: Agenda

Page 4: Under Lock and Key: Network Encryption for Financial Services
Copyright 2012 IDC. Reproduction is forbidden unless authorized. All rights reserved.
Christian Christiansen, VP, Security Products & Services, IDC

Page 5: Why Encrypt?
© 2012 IDC
• Enterprise value resides in bits, not atoms
  • Customer data
  • Intellectual property
• Protects critical business information
  • Enforces privacy
  • Facilitates secure sharing of data
  • Maintains data integrity
  • Deleting cloud data
• Compliance requirements

Page 6: Compliance Regulations are Everywhere
Source: CSC and IDC, 2006
Asia Pacific
• New Zealand – Privacy Act 1993
• Australia – PA/PA(PS)A 1988/2000 2001
• South Korea – eCommerce Act 1999
• Taiwan – CPPDP Law 1995
• Hong Kong – Personal Data 1996
• Japan – J-SOX 2006
Canada
• The Privacy Act 1983
• PIPEDA 2001
UK/Ireland
• Ireland – DP(A)A 1995/2003
• UK – DPA 1995/2000
South America
• Chile – APPD 1998
• Argentina – PDPA 2000
Mexico
• eCommerce Act 2000
U.S.A.
• FCRA 1970
• PA 1974/1975
• RFPA 1978
• CTVPA 1984
• ECPA 1986
• VPPA 1988
• HIPAA 1996/2002
• COPPA 1998/2000
• DMPEA 1999/2000
• FSMA/GLBA 1999/2001
• Sarbanes-Oxley 2002
Scandinavia
• Sweden – PDPA 1995/1998
• Finland – FPDA 1995/1999
• Denmark – DPRA 1978, APPD 1995/2000
Europe
• Italy – DPA 1995/1997
• Spain – DPA 1995/2000
• Portugal – PDPA 1995/1998
• Greece – PIPPD 1995/1997
• Belgium – LPPLRPPD 1992, DPA 1995/2001
• Austria – DPA 1995/2000
• Germany – FDPA 1995/2001
• Luxembourg – “EUD” 1995/2002
• Netherlands – PDPA 1995/2001
• France – ADPDFIL 1978, “EUD” 1995/Pending
• Eastern Europe – Estonia (96), Poland (98), Slovak (98), Slovenia (99), Hungary (99), Czech (00), Latvia (00), Lithuania (00)
• PCI 2004 (industry standard, not tied to one region)

Page 7: Reasons For Encrypting
[Bar chart: percent of factors driving deployment of encryption within an organization selected as Extremely Significant. Factors shown: Organization policy; Safeguard partner information; Protect executive or corporate communications; Mitigate risk of financial liability; Regulatory, audit or legal compliance; Prevent public exposure, damage to brand or reputation; Protect proprietary or critical company data; Safeguard client or customer information. Bar values range from 29% to 70%. N=349.]

Page 8: Encryption: Market Drivers
• Encryption is the lynchpin for data security. It is used to protect data in transit, data at rest, and data in use.
• Encryption is not undertaken for fuzzy reasons.
• Neat stats:
  • 1/3 to 1/2 of enterprises have some data encryption.
  • 75% expect encryption use to increase.
  • The percent of all data encrypted is expected to increase.

Page 9: Poll Question
What percentage of your corporation’s data is currently encrypted?
a) 0-25%
b) 26-50%
c) 51-75%
d) 76-100%
How much of your data do you expect to be encrypted in the next 24 months?
a) 0-25%
b) 26-50%
c) 51-75%
d) 76-100%

Page 10: Key Management Perspectives: Quotes
"Of course you, you have this encrypted data and then how do you manage to use it when you need it? You can archive something and encrypt the data but what happens if you lost the key? It is gone forever"
"My key fear is I go out to the tape and the key is dead, wrong, expired, corrupted and I got no backup."
"This is a really dangerous technology in that encryption is a really good way to destroy data as well as protect it."
"If you forget the key, you are toast."

Page 11: Key Management Perspectives

Page 12: Encryption Silos
• Full Disk
• File Folder
• Storage
• Backup and Replication
• Email
• Database
• Network File
• Data Transfer
• Cloud
All of these need Key Management

Page 13: Key Management Perspectives: Survey
[Bar chart: What is your greatest concern, problem or expectation associated with encryption key management? (Multiple responses possible.) Response categories: None/Don't know; Cost/expense; Key expiration; Performance; Platform compatibility; Staff resources/training; System resources; Integrity; Losing the key; Safety/security of keys; Management/implementation. Bar values range from 3% to 21%. N=100.]

Page 14: Key Management System
• The most important part of a secure encryption system
• The purpose of a KMS is to provide life-cycle management of cryptographic keys in a great variety of scenarios.
• A strong KMS is imperative to successful encryption operations
"Key management, it’s how do I make sure, absolutely sure that I can take all this information off site in the event of a disaster and get valid keys recovered so we can actually read the data."
• A KMS must be robust, secure, and inspire confidence

Page 15: Enterprise Key Management Concept
[Diagram: three sites (Site 1, Site 2, Site 3) holding tape libraries, disk arrays, a NAS/file server and a database/application server, all served by a central Key Archive Service.]

Page 16: EKMS Required Attributes
• Key Management Policy, Standards, Procedures
• Key Generation, Distribution, Retention, Destruction
• Scalability – multiple applications and locations
• Automation
• Audit
• Highest Level of Security – Hardware Protection
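The lifecycle and audit attributes above, together with the "lost the key, data gone forever" fear from the earlier key-management slides, as an added example (not code from the slides or from any IDC or Ciena product): a minimal key record that refuses to distribute a key that has no archive copy and refuses to destroy one whose retention period has not expired. State names, the retention rule and the in-memory audit list are constructed for illustration.

```python
# Added example: key lifecycle record enforcing the EKMS attributes on the slide.
# Names, states and the retention policy are constructed; real deployments keep
# the material in an HSM (the slide's "hardware protection") rather than in RAM.
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Lifecycle from the slide: generation -> distribution -> retention -> destruction.
ALLOWED = {
    "generated": {"distributed"},
    "distributed": {"retained"},
    "retained": {"destroyed"},
    "destroyed": set(),
}


class ManagedKey:
    """One AES-256 key tracked through its lifecycle with an audit trail."""

    def __init__(self, key_id, retain_days, now=None):
        self.key_id = key_id
        self.material = secrets.token_bytes(32)  # 256-bit key material
        self.state = "generated"
        self.created = now or datetime.now(timezone.utc)
        self.retain_until = self.created + timedelta(days=retain_days)
        self.archived = False  # True once a copy sits in the key archive service
        self.audit = []        # (key_id, state, event) tuples: the Audit attribute
        self._log("generated")

    def _log(self, event):
        self.audit.append((self.key_id, self.state, event))

    def fingerprint(self):
        """Identifier safe to put in logs; never the material itself."""
        return hashlib.sha256(self.material).hexdigest()[:16]

    def archive(self):
        # Guards against the "lost the key, data gone forever" failure mode.
        self.archived = True
        self._log("archived")

    def transition(self, new_state, now=None):
        """Move to new_state, rejecting any move the policy forbids."""
        now = now or datetime.now(timezone.utc)
        if new_state not in ALLOWED[self.state]:
            raise ValueError(f"{self.state} -> {new_state} is not a lifecycle step")
        if new_state == "distributed" and not self.archived:
            raise ValueError("no archive copy: refusing to distribute")
        if new_state == "destroyed" and now < self.retain_until:
            raise ValueError("retention period has not expired")
        self.state = new_state
        self._log(new_state)
        if new_state == "destroyed":
            self.material = None  # zeroise; only the audit record remains
        return self.state
```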

Page 17: Analyst Thoughts
• Technology is mature and stable.
• Many see encryption as unreliable and dangerous.
• Concerns must be met head-on, especially regarding data recovery.
• Recommend hardware keying material protection.
• Dedicated encryption vendors can greatly increase comfort level.

Page 18: Closing Comments
• Information is exceedingly valuable
• Encryption is the lynchpin for storage/information protection
• The amount of data being encrypted will continue to increase
• There are many encryption silos, but robust enterprise key management can tie them together.
• Buy for Today, Plan for Tomorrow

Page 19: Network Encryption for Financial Services: Secure your critical data (Ciena)

Page 20: Agenda: Part 2

Page 21: Encryption for Financial Services: Business Overview and Objectives
Financial services run on information. …
• Information needs to be networked and shared among geographically dispersed locations.
• Institutions rely on secure, highly available networks to deliver applications and services.
• Financial institutions have significant risks in the areas of data security, compliance and liability.
• Financial firms must be vigilant in protecting IT infrastructure from increasing security threats.

Page 22: Why Information Security is Critical for Financial Services Businesses
Regulations & Privacy Laws
• Tougher compliance legislation: Safe Harbor Act, EU Data Protection Act, Data Protection and Misuse Act (UK), SEC, others
• Higher fines: Sarbanes-Oxley, PCI-DSS and GLBA
• Tougher information security standards: Basel II financial accords and the Sarbanes-Oxley (SOX) Act
Increasing Threats
• More frequent security breaches: 58% increase reported in 2011/12 vs. previous year
• More costly incidents: $7.2m per incident in 2011 (compared to $1.5m in 2005)
Cloud Security Concerns
• Security concerns are hindering cloud services adoption, delaying huge economic benefits for Financial Services companies.

Page 23: Security Building Blocks
A comprehensive IT security approach must encompass not just server security and at-rest encryption, but also a robust in-flight encryption solution.
• At-rest Encryption
• In-flight Encryption
• Server & Database Security


Page 25: Common Mistakes About Optical Network Security
“I don’t see the business justification for encrypting my data”
1. My network transport technology is inherently safe. It’s fiber optic.
2. We transport so much data, nobody will ever find what they’re looking for.
3. If someone is eavesdropping, we’ll detect it.
Don’t be fooled. The only guaranteed preventive technique is encryption.

Page 26: Encryption 101
Definition: In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge. The result of the process is encrypted information.
• Advanced Encryption Standard (AES)
• Key sizes (56-, 128-, 256-bits), e.g. AES-256
• National Institute of Standards and Technology (NIST)
• Federal Information Processing Standard (FIPS): FIPS 197, FIPS 140-2

Page 27: What Type of Encryption?
1. Protect at the application layer (protocol-specific)
  • Inefficient use of bandwidth
  • Added cost & complexity
  • Labour-intensive key management
  • Can add serious latency
2. Protect at the network transport layer (protocol-agnostic)
  • Fewer network elements
  • Wire-speed data throughput
  • Ultra-low latency


Page 29: Ciena Network Encryption Architecture
[Diagram: certified AES-256 encryption, multi-client (Ethernet, Fibre Channel), over an Ethernet, WDM, SONET/SDH or OTN network. Labels: Secure the network; Protect your data; Hardware-based; Protocol agnostic; Enterprise-managed keys; Network independent; Network Security Dashboard; FIPS certified.]
• Efficient, hardware-based, ultra-low latency AES-256 encryption
• FIPS-certified solution with no throughput degradation and no service impact
• Protocol agnostic for a simplification of the encryption network architecture; wire-speed encryption from 10Mb/s – 10Gb/s
• Encryption key management partitioned from transport management

Page 30: Network Encryption Deployment Options
Add-on Appliance (enterprise provided and managed, over a private or service provider network; enterprise-managed keys)
• Lowest OPEX
• Full key control and visibility of network performance
Carrier Managed Encryption Service (service provider managed service; enterprise-managed keys)
• Full network integration
• Lowest CAPEX
• Maintain in-house key management and visibility of network performance

Page 31: Encryption Key Management
Partitioning encryption management from transport management for managed service applications:
• Service provider manages the transport network
• End-customer manages encryption provisioning
• View access to encryption alarms and logs
• SP-hosted web portal
[Diagram: enterprise-managed keys over a service provider managed network, with a Network Security Dashboard (NSD).]
Bob, the Service Provider, monitors and manages the transport system. Bob cannot view or edit keys provisioned by Mary.
Mary, the bank’s CSO, manages the service’s encryption parameters (e.g. keys). Mary can view alarms related to her service but not those of the entire system.
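The Bob/Mary partition on this slide, as an added example (not Ciena's Network Security Dashboard code): a deny-by-default authorization check in which the service provider role can manage transport objects and see transport alarms but never read or edit keys, while an enterprise role can manage keys and view alarms only for services its own enterprise owns. The role names, the service inventory and the alarm records are constructed for illustration.

```python
# Added example: authorization model for partitioned encryption/transport
# management. Roles, services and alarm records are constructed, not Ciena's.

# Constructed inventory: encrypted service -> owning enterprise.
SERVICES = {"svc-1": "bank-A", "svc-2": "bank-B"}

# Constructed alarm feed; transport alarms belong to the system, not a service.
ALARMS = [
    {"id": 1, "service": "svc-1", "domain": "encryption", "text": "key rotation overdue"},
    {"id": 2, "service": "svc-2", "domain": "encryption", "text": "peer authentication failed"},
    {"id": 3, "service": None, "domain": "transport", "text": "line card degraded"},
]


class Principal:
    def __init__(self, name, role, enterprise=None):
        self.name = name
        self.role = role              # "service_provider" or "enterprise"
        self.enterprise = enterprise  # set only for enterprise users


def authorize(who, action, obj_type, service=None, domain=None):
    """Deny by default; grant only the rights the partition gives each role."""
    if action not in {"view", "edit"}:
        return False
    if who.role == "service_provider":
        if obj_type == "key":
            return False              # Bob never views or edits customer keys
        if obj_type == "transport":
            return True               # Bob monitors and manages the transport system
        return obj_type == "alarm" and domain == "transport"
    if who.role == "enterprise":
        owns = service is not None and SERVICES.get(service) == who.enterprise
        if obj_type == "key":
            return owns               # Mary provisions keys for her own service only
        if obj_type == "alarm":
            return owns and action == "view"  # her alarms, not the whole system's
    return False


def visible_alarms(who):
    """Alarm ids the dashboard would show to this principal."""
    return [a["id"] for a in ALARMS
            if authorize(who, "view", "alarm", a["service"], a["domain"])]
```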

Page 32: Ciena Encryption Solutions
Solution types: OTN Integrated Encryption; GigE MAN/WAN Encryption; SONET/SDH Network Encryption; OTN Link Encryption
10G and lower speed (<10G) encrypted services:
• 565*: 2RU, up to 2 10G services
• 5100*: 2RU, up to 4 10G services
• 5200*: 11RU, up to 16 10G services
* Integrated C/DWDM/OTN functionality
5130 SAN/LAN Optimization Appliance:
• 2RU, up to 4 1G encrypted services
• Hardware compression
• Supports Layer 1, 2 and 3 WAN networks

Page 33: 1G Link Encryption
1. GigE Link Encryption: securely transport compressed and encrypted GbE data across a carrier’s unsecured MAN/WAN.
[Diagram: GbE or FC100 clear-text client ports on each side, up to 6 independently encrypted and compressed GbE WAN ports, across an unsecured network.]

Page 34: 10G Link Encryption
2. SONET/SDH Encryption: secure transport of 10GbE LAN PHY across a carrier’s legacy STS-192c/VC4-64c SONET/SDH infrastructure.
[Diagram: 10GE LAN PHY (clear text) on each side, carried as 10G SONET/SDH (encrypted) across the SONET/SDH network.]
3. OTN Link Encryption: securely transport encrypted data across a carrier’s switched Optical Transport Network (OTN) infrastructure.
[Diagram: OTN/WDM multiple client types on each side, carried as G.709 OTU2(e) (encrypted) across a switched OTN infrastructure network.]
Client types: 10GE LAN PHY; FC800/FC1200; OC-192/STM-64; OTU2(e) (indirect); Uncompressed HD/3G Video; 1GbE, FC100/FC200, OC-48, …

Page 35: 10G Integrated Encryption
4. OTN Integrated Encryption: light encrypted optical waves directly on dark fiber or deploy fully-integrated managed wavelength services.
[Diagram: OTN/WDM multiple client types. Client types: 10GE LAN PHY; FC800/FC1200; OC-192/STM-64; OTU2(e) (indirect); Uncompressed HD/3G Video; 1GbE, FC100/FC200, OC-48, …]

Page 36: Ciena Solution Benefits
Features
• Ultra-low latency AES-256 encryption
• FIPS 197 and 140-2 Level 2 certified
• Scalable from 1GE to multiple 10/40/100G
• Reliable: fast path protection; hitless SW upgrades
• 10GE mapping into commonly available WAN protocols, i.e. SDH, WDM, OTN, Ethernet
• Multi-client support
• Encryption key management partitioned from transport management
• Network Security Dashboard
Benefits
• The security of a FIPS-certified low latency AES-256 encryption engine
• The flexibility to optimize CAPEX and OPEX budgets
• Deploy a secure private optical network or a carrier managed encryption service
• Support for multiple client types and multiple network types
• The control of in-house key management and visibility of network performance
• Added flexibility in either an operator- or enterprise-maintained infrastructure

Page 37: Network Encryption Value Proposition for Financial Services
Under Lock and Key: The Need for Wire-Speed Encryption in Financial Services

Page 38: Under Lock and Key: The Need for Wire-Speed Encryption in Financial Services
Financial services firms are increasingly turning to wire-speed encryption to ensure that sensitive data is protected across a distributed enterprise. – Wall Street & Technology Journal, 2012
…data breaches against financial institutions happen far more frequently than reported in the media. “Everybody has data leakage; it’s just a matter of when you find it,” – Ernst & Young VP quoted in Bank Systems & Technology, 2012
“Security leaders are more accountable to the business now. Their audience is expanding.” – CIO, Insurance, IBM Security Assessment Survey, 2012
“Security leaders are going to become more key to their organizations, their budgets will increase and they will move from the fringe to being embedded.” – Line-of-business Director, Banking, in IBM Security Assessment Survey, 2012
Wire-speed encryption can help financial firms protect their data from unauthorized users as it moves across the network. – Wall Street & Technology, 2012
“In general, the role of information security will be moving away from specific risks to global risks. The role will be much larger than it used to be.” – Finance Director, Insurance, IBM Security Assessment Survey, 2012
A critical component of a comprehensive IT security strategy

Page 39: Questions?

Page 40: Thank you!