What if?

What if we told you that upcoming changes in European data protection law, specifically in the area of a data breach, could have a significant impact on any organisation that controls personal data (defined as any information that can identify a living individual)? Is that you?

What is a "Data Breach"?

Under European data protection law, organisations that control personal data have an obligation to take appropriate technical and organisational measures to prevent unauthorised access to it. Examples of a data breach include physically tampering optical fibre to access in-flight data, exploiting IT security vulnerabilities to hack into secure systems, or even leaving an un-encrypted laptop on a train.

So What's Changed?

In May 2018, a new law - the General Data Protection Regulation (or GDPR) - will be implemented across the European Union. The GDPR replaces existing national and EU data protection laws and harmonises them across all 28 Member States. Companies must now notify the relevant authorities within 72 hours of discovering a personal data breach, and, in serious cases, the data subjects affected by the breach must also be notified. Some countries, notably The Netherlands, are not waiting for the GDPR to come into force, and already have laws in place to reflect these new requirements.  The United Kingdom will still be an EU Member State when the GDPR comes into force in May 2018, so it will also apply in the UK from that date. In addition, companies that are not based in the EU, but provide goods and services into the EU, must also comply with the GDPR.

Why Does it Matter?

A number of high-profile incidents - notably the Democratic National Committee hack during the US election campaign - have put data breaches firmly in the news. These types incidents involve unauthorised access to (and release) of personal data. Under current data protection laws, the maximum fine for personal data breach is capped at €500,000. The GDPR will substantially increase fines for data breach involving personal data to €10,000,000 - or 2% of total worldwide annual turnover - whichever is higher.

How Does it Impact You?

The potentially eye-watering fines under the new GDPR are bringing significant board-level focus to personal data breach, especially at companies in consumer-focused businesses (such as banking, healthcare and retail). Companies must show that they are taking appropriate technical and organisational measures to prevent such breaches and also to minimise their impact.

Given the increasing risk of in-flight data being compromised by fibre optic network intrusion (this Ciena video shows that it is possible to hack into optical fibre), it is even more important to minimise the potential damage of a data breach by encrypting data as it traverses the network. This is equally relevant for both corporate data and personal data.

The Solution

Ciena’s WaveLogic Encryption solution offers compelling protection:

a) Set-and-forget always on encryption eliminates the risk associated with the human factor;

b) Throughput – as a hardware based Layer 1 solution, Ciena’s WaveLogic Encryption delivers 100% throughput, which is critical for high-bandwidth connections as it can significantly delay the applications running over it. By comparison IPsec throughput can fall to 50% or less depending on data being encrypted.

c) Latency - the hardware based Layer 1 solution delivers ultra-low latency, adding less than 1 microsecond. The time it takes for the data to travel across the link is critical for data connections since most applications signal back and forward to ensure accuracy, and if this takes too long it can degrade or even stop the data transfer. Latency can also impact customer experience.

d) Standards Compliant: Ciena’s WaveLogic Encryption complies with stringent US Federal Information Processing Standards (FIPS) (e.g. FIPS 197 certified AES-256 engine; and FIPS 140-2 Level 2/3 certified solution);

  • Elliptic Curve Cryptography (ECC);
  • X.509 certificate based authentication for seamless integration into existing Public Key Infrastructures (PKIs); and
  • Other security features such as fast and hitless key rotation, and independent sets of keys which make it harder to crack.

e) Protocol Agnostic - WaveLogic Encryption encrypts multiple protocols carried on the same wavelength on the optical fibre.

f) Dedicated Encryption Management – this solution offers a capability separate to network management, giving the end customer's security team total control of security settings whilst the network operator manages network functionality. The end customer has sole access to the encryption keys and can change the parameters of the encryption services with the MyCrypto online portal.

g) Deployment Experience - Ciena has extensive proven, world-wide encryption deployments that include major service providers as well as financial institutions, data centre operators, healthcare providers, government entities and utilities.

Virtual encryption solutions:

For smaller sites or data centres where bandwidth and latency are not such a big issue, and the connectivity is over a service provider leased line, a virtual encryption with end-customer encryption key management can ensure data security.

Ciena virtual network function (VNF)-based solution leverages the 3906, which includes an onboard server slot, and Certes, a Blue Orbit ecosystem partner, enables encryption as a VNF.