You’ve prepared. Your company has a comprehensive security strategy. All your security patches are up-to-date. You require all employees to take an annual security awareness training session. And you even have an encryption strategy, not just for the data at rest sitting on your servers, but even for in-flight data that traverses between your data centers.

But if that in-flight data encryption strategy relies on Transport Layer Security (TLS) and Secure Sockets Layer (SSL) techniques, you may not be as secure as you think.

While it's true that higher layer encryption techniques like TLS and SSL are increasingly used to secure connections to servers, they don’t encrypt all the data being transferred, which exposes a vulnerable gap within your security strategy.  This is particularly true when one considers the amount of ‘metadata’ that is generated by various services/devices on a network that is not encrypted, even when using application layer encryption such as TLS/SSL.

In today’s environment, it is not enough to encrypt the user data, as this metadata information can be used by adversaries to map out the network and plan attacks even without access to the encrypted application layer data.

Yes, that same metadata that makes headlines in the world of consumer privacy can also be used as an effective method to reveal details about your network and its vulnerabilities. According to the Washington Post, “Metadata is so rich with clues that entities from Google and eBay to the world’s largest spy agency, the National Security Agency, are collecting and mining this deceptively innocuous information”.

What type of information is exchanged as part of this metadata? IP and MAC addresses, protocol types in use, and other potentially critical network information is exchanged in the clear even when the actual user data is encrypted. In today’s environment, it is not enough to encrypt the user data, as this metadata information can be used by adversaries to map out the network and plan attacks even without access to the encrypted application layer data. Additionally, TLS and SSL solutions also generally rely on third-party certificate authorities that may themselves be compromised, allowing for man-in-the middle attacks.

The number and effectiveness of attacks continues to rise, partly driven by the increasing ease, and lower cost, of staging an attack.  There has been a proliferation of hacking toolkits that are being more widely used and whose cost continues to drop, enabling bad actors to execute more sophisticated attacks for less investment. These hacking toolkits include easy-to-obtain fiber tapping tools, such as the one featured in this video, and many online how-to guides that explain in detail how to steal sensitive data from a fiber optic cable.  When considering the enormous amount of data carried by optical fiber cables and the distances that this data spans, coupled with the fact that fiber-optic cables are often surprisingly accessible, they have become valuable targets for attackers.

So how do you fill this hole in your enterprise encryption strategy? Simple, encrypt at the lowest layer possible on the network.

Only a Layer 1 optical encryption approach renders ALL data undecipherable to any hacker that taps into the fiber strand. This ensures that metadata isn’t exposed to attackers and eliminates gaps within an organization’s in-flight data protection strategy. Ciena’s proven WaveLogic Encryption solutions guarantee that everything on the communications link in and out of a facility is always secure, 24/7, no matter what.