GSN Magazine June 2016 Digital Edition
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
network. Once the data leaves<br />
the building, it can be attacked<br />
and directly controlled from the<br />
outside.<br />
By encrypting sensitive data<br />
while in motion, you can rest<br />
easy that data accessed by unauthorized<br />
parties is useless in<br />
their hands.<br />
It’s a common misconception<br />
that any encryption of data in<br />
motion can lead to bandwidth<br />
losses, poor network performance<br />
and increased costs. But<br />
that doesn’t have to be the case.<br />
Data in motion can be protected<br />
at any level in the communication<br />
subsystem; where<br />
volumes are low, software encryption<br />
based on SSL/TLS may<br />
be enough.<br />
With greater demands on the<br />
network, you’ll need more efficient<br />
approaches, with encryption<br />
at either Layer 2 or Layer 3.<br />
As a refresher, Layer 2 devices<br />
such as network switches operate<br />
at the data link level (one<br />
above Layer 1, or the “physical<br />
layer”). Layer 3 is the next Layer<br />
up – also known as the Internet<br />
Layer, often made up of routers<br />
or “switch routers.”<br />
Layer 3 encryption is more<br />
commonly known as IPSec (Internet<br />
Protocol Security) encryption,<br />
is generally provided within<br />
the routers that are deployed<br />
throughout your data network.<br />
However, IPSec does affect the<br />
throughput performance of the<br />
data network. With Layer 3,<br />
overheads are typically 30-40%.<br />
While dedicated internal networks<br />
may be able to accommodate<br />
this, using Layer 3 encryption<br />
across public networks can<br />
be expensive.<br />
IPSec essentially imposes an<br />
encryption tax on your data.<br />
For that reason, in practice, the<br />
higher the network speed or the<br />
greater the bandwidth requirements,<br />
your more likely solution<br />
would be Layer 2 encryption.<br />
Layer 2 encryption can be applied<br />
in point-to-point, meshed,<br />
and VPN or MPLS networks.<br />
The most effective form of Layer<br />
2 encryption is provided by dedicated<br />
hardware systems that use<br />
the AES algorithm and encrypt<br />
with 256 bit keys. To ensure that<br />
these devices are secure you<br />
should always verify that they<br />
are appropriately accredited to<br />
international security standards.<br />
For federal agencies, that standard<br />
would be Federal Information<br />
Processing Standard Publication<br />
(FIPS) 140-2<br />
FIPS Publication 140-2 is a<br />
19<br />
U.S. government computer security<br />
standard used to accredit<br />
cryptographic modules. It is a<br />
joint effort mandated by both<br />
the United States and Canadian<br />
governments, and recognized by<br />
many other countries and institutions.<br />
Products that meet the security<br />
requirements of the FIPS 140-2<br />
Cryptographic Module demonstrate<br />
security and proficiency<br />
which both government and<br />
commercial customers can rely<br />
upon.<br />
When current best practice<br />
data encryption technology is<br />
implemented for data in motion<br />
and data at rest, the data gained<br />
by cyber-criminals is, of course,<br />
rendered completely useless assuring<br />
no risk of adverse consequences.<br />
Shawn Campbell is VP of Product<br />
Management, SafeNet Assured<br />
Technologies, LLC. He can<br />
be reached at Shawn.Campbell@<br />
safenetat.com
Change language