optical encryption: first line of defense for network services

Optical Encryption: First Line of Defense for Network Services An IHS Markit Technology Webinar #NetworkSecurity


Post on 05-Oct-2021


TRANSCRIPT

Page 1: Optical Encryption: First Line of Defense for Network Services

Optical Encryption: First Line of Defense for Network Services

An IHS Markit Technology Webinar

#NetworkSecurity

Page 2: Optical Encryption: First Line of Defense for Network Services

Today’s Speakers

• Allen Tatara, Manager, Webinar Events (Moderator), IHS Markit

• Sylvain Chenard, Product Line Manager, IP/Optical Networks, Nokia

• Hector Menendez, Product Marketing Manager, IP/Optical Networks, Nokia

• Heidi Adams, Senior Research Director, Transport Networks, IHS Markit

Page 3: Optical Encryption: First Line of Defense for Network Services

1 The Need for Secure Transport

2 Securing Data at the Optical Transport Layer

3 Illusion of Security & Key Management

4 Case Studies

5 Nokia Approach

6 Conclusions

7 Audience Q&A

Page 4: Optical Encryption: First Line of Defense for Network Services

The Threat Is Real - And the Stakes Are High

Source: Breach Level Index

Motivations Behind Attacks, September 2016 (Source: hackmageddon.com)

• Cyber Crime: 80.3%

• Hacktivism: 11.3%

• Cyber Espionage: 4.2%

• Cyber Warfare: 4.2%

Page 5: Optical Encryption: First Line of Defense for Network Services

Notable Recent Breaches (Impacting Millions of Records)

[Figure: notable breaches by records affected: 70m, 145m, 80m, 76m, 56m, 77m, 55m, 30+ substations. Source: InformationisBeautiful.net]

Page 6: Optical Encryption: First Line of Defense for Network Services

Breaches Pose Substantial Financial Risk and More…

[Figure: Direct cost of breaches (so far), plotting direct cost ($M) against records lost or stolen (m); labelled costs: $252m, $39m, $100+m, $161m, $100m. Source: InformationisBeautiful.net]

• Enterprise: Lost revenue, credibility, critical IP assets

• Government: Interruption of vital services

• Finance: Loss of customer assets

• Healthcare: Delivery of patient care, loss of confidence

FINANCIAL CREDIBILITY

Page 7: Optical Encryption: First Line of Defense for Network Services

Transformations Driving Cybersecurity Tech


Rationalizing defense

New architectures

Evolving threats

Device proliferation

Page 8: Optical Encryption: First Line of Defense for Network Services

How to Deliver Network Security in a Multi-petabit World?

The Rise of 100G and Beyond

[Figure: Annual Deployed Telecom Bandwidth and YoY Change, CY14 to CY20; transmission capacity (Petabits/sec) for 10G, 40G, 100G and 200G+, with growth rate (%). Source: IHS Markit Telecom Optics & Components Market Tracker – November 2016]

Page 9: Optical Encryption: First Line of Defense for Network Services

2 Securing Data at the Optical Transport Layer

Page 10: Optical Encryption: First Line of Defense for Network Services

Implementing a ‘Defense-in-depth’ Strategy

• Need to strengthen security beyond perimeter (e.g., firewalls)

• Must protect data integrity and confidentiality, including when data is in-flight

• Layer 1 security is an integral part of a multi-layered defense strategy

From Application to Layer 1 Security

Security Threats

• Application: SSL/TLS encryption

• Transport: TCP, UDP privacy and data integrity protocols

• Network: IPsec encryption

• Data link: MACsec encryption

• Physical: L1 encryption, monitoring, intrusion detection, optical span protection

Page 11: Optical Encryption: First Line of Defense for Network Services

Why Secure at Layer 1?

• Reduced cost: Lowest cost / encrypted bit

• Low latency: Ultra low latency and bandwidth efficiency

• Transparency: Better scale and support for any traffic type

• Better performance: High bandwidth wire speed encryption

• High availability: Robust network protection with high availability

• Management: Simpler security and network management

Page 12: Optical Encryption: First Line of Defense for Network Services

Moving Towards a 100G Connected World

Optical networks are rapidly approaching an inflection point

New level of scale required: 10G to 100G

• Better wavelengths, efficient wavelengths, more wavelengths, secure wavelengths

• Large enterprises, content providers, comms providers, strategic industries

• Fixed/mobile, IP video, Cloud/IT, IoT

Page 13: Optical Encryption: First Line of Defense for Network Services

Easily Adding Layer 1 Encryption to Existing Networks

[Diagram: Data Center A and Data Center X, each carrying LAN, SAN and HPC traffic (Ethernet, FC, InfiniBand), connected over DWDM metro and long haul @ 100G. IT operations (Enterprise IT): network management. Security operations (cyber security administration): key management.]

Page 14: Optical Encryption: First Line of Defense for Network Services

Optical Transport Security Mechanisms

• Wavelength monitoring: Allows power and fiber monitoring and reporting for each wavelength

• OTDR – the fingerprint: Detect and localize precisely any anomalies on fiber network (Day 1 vs. Day 3: New fiber route?)

• Key strength & management: Protect your data and investment with a strong quality key (Plaintext → Ciphertext → Plaintext, with a key authority)

Page 15: Optical Encryption: First Line of Defense for Network Services

3 Illusion of Security & Key Management

Page 16: Optical Encryption: First Line of Defense for Network Services

Illusion of Security

Security and Encryption – The Typical House Lock Analogy

House Security

• Almost every home has locks on doors.

• 90+% of house locks can be forced in less than 15 seconds without any evidence of unauthorized entry.

Transport Encryption

• Almost all optical transport solutions claim they are secure.

• Many solutions do not meet current recommendations on minimum key strength.

We need well-balanced cryptographic solutions with a tamper-resistant lock and quality key

Page 17: Optical Encryption: First Line of Defense for Network Services

It’s All about Key Strength


Page 18: Optical Encryption: First Line of Defense for Network Services

Comparative Key Strength

Symmetric vs. Asymmetric Algorithms

• Symmetric encryption: sender and receiver use the same private key for encryption/decryption (Plaintext → Ciphertext → Plaintext). Example: 256 bits.

• Asymmetric encryption: the sender uses the receiver’s public key and the receiver uses the receiver’s private key (Plaintext → Ciphertext → Plaintext). Example: RSA 2048, 112 bits.

| Symmetric | Criteria | Asymmetric |
|---|---|---|
| Secure private | Key type | Public and private |
| Low | CPU power needed | High |
| True random key | Entropy | Integer factorization |

Comparative key strength

| Symmetric key size (bits) | Asymmetric key size (bits) |
|---|---|
| 80 | 1,024 |
| 112 | 2,048 |
| 128 | 3,072 |
| 192 | 7,680 |
| 256 | 15,360 |

Page 19: Optical Encryption: First Line of Defense for Network Services

Cryptographically Sound Solutions Ensure Key Quality for the Future

| Algorithm | Key length | Effective key strength/security level (conventional computing) | Effective key strength/security level (quantum computing) |
|---|---|---|---|
| RSA-1024 | 1024 bits | 80 bits | 0 bits |
| RSA-2048 | 2048 bits | 112 bits | 0 bits |
| ECC-256 | 256 bits | 128 bits | 0 bits |
| ECC-384 | 384 bits | 256 bits | 0 bits |
| AES-128 | 128 bits | 128 bits | 64 bits |
| AES-256 | 256 bits | 256 bits | 128 bits |

Comparison of conventional and quantum security levels of some popular ciphers

Must Balance Cipher and Key Strength

Page 20: Optical Encryption: First Line of Defense for Network Services

Key Management Comparison

[Diagram: key manager placement, centralized vs. distributed]

| Centralized | Criteria | Distributed |
|---|---|---|
| Single | Points of trust | Multiple |
| Consistent | Policy enforcement | Inconsistent |
| Unified | Key revocation | Uncoordinated |
| Good | Scalability | Poor |

Page 21: Optical Encryption: First Line of Defense for Network Services

Insist on Independently Certified Solutions

The assurance pyramid

• Standard criteria: Validated against open security standards

• Third-party evaluation: Independent certification is proof of due diligence

• Secure development: Developed in accordance with a rigorous manufacturing process

Page 22: Optical Encryption: First Line of Defense for Network Services

4 Case Studies

Page 23: Optical Encryption: First Line of Defense for Network Services

Security Is Essential to All Mission-critical Networks

• Enterprise WAN

• Government: multi-agency networks

• Smart city infrastructure: IoT

• Financial: advanced branch and banking

• Healthcare: telemedicine, telehealth

• Utilities: smart grid, teleprotection and SCADA

• Transportation: railway signaling, ITS

[Diagram: Security (confidentiality, integrity, availability) across legacy systems, IP-centric apps, datacenter and cloud]

Page 24: Optical Encryption: First Line of Defense for Network Services

Case Study 1: Private Mission-critical Network

Profile

• National grid operator in Europe connecting over 1,200 nodes for sub-station communications

Key requirements:

• Highly reliable grid communications

• Full support of SCADA and teleprotection

• Secure transport

Solution: Converged IP and Optical network

• Provides the highest level of reliability, safety, and security across the entire grid

Solution details

• IP-MPLS for SCADA and teleprotection

• Secure optical transport with low latency L1 encryption and optical intrusion detection

[Diagram: Nationwide Grid Control Network (GCN) covering generation, transmission and distribution over the optical network, with cyber security admin]

Page 25: Optical Encryption: First Line of Defense for Network Services

Case Study 2: National Bank Mission-critical Network

Profile

• National bank connected to private banks and Eurosystem (European banking network)

Key requirements:

• Low latency for synchronous replication

• High security (encryption)

• Service migration to a new data center

Solution: Optical transport network combining FOADM, CWDM and DWDM

• Provides a highly reliable, scalable and secure network supporting all mission-critical applications

Solution details

• Scalable network with high SLA supporting mission-critical applications

• Low latency Layer 1 encryption for all services

[Diagram: Private network connecting data centers and HQ, with NOC and cyber security admin]

Page 26: Optical Encryption: First Line of Defense for Network Services

5 Nokia Approach

Page 27: Optical Encryption: First Line of Defense for Network Services

Nokia Secure Optical Transport Solution

Certified Layer 1 Encryption with Trusted Centralized Key Management

Nokia 1830 Security Management Server

• Effective Layer 1 encryption

• Optical intrusion detection

• Centralized, unified key mgmt.

• Fully independently certified (Common Criteria, ANSSI, NIST)

[Diagram: End-to-end Managed Layer 1 Encrypted Service, showing 1830 PSS, 1830 PSS encryption card, and a microwave network (9500 MPR)]

Page 28: Optical Encryption: First Line of Defense for Network Services

6 Conclusions

Page 29: Optical Encryption: First Line of Defense for Network Services

Summary

• Data breaches pose high risk to corporate revenues and impact credibility and customer trust

• Optical transport layer security including L1 encryption provides a first line of defense complementing security strategies at other layers of the network

• Simple, unified key management required: ensure solutions are certified and independently validated

• Solutions are available today and are actively being deployed in mission-critical networks

Page 30: Optical Encryption: First Line of Defense for Network Services

7 Audience Q&A

Page 31: Optical Encryption: First Line of Defense for Network Services

Audience Q&A

• Allen Tatara, Manager, Webinar Events (Moderator), IHS Markit

• Sylvain Chenard, Product Line Manager, IP/Optical Networks, Nokia

• Hector Menendez, Product Marketing Manager, IP/Optical Networks, Nokia

• Heidi Adams, Senior Research Director, Transport Networks, IHS Markit

Page 32: Optical Encryption: First Line of Defense for Network Services

Thank You

This webcast will be available on-demand for 90 days.

For additional IHS Markit events, visit: https://technology.ihs.com/events

Follow us on Twitter: @IHS | @IHS4Tech | @IHS4TechEvents