In an age when privacy is splashed across the news, confidentiality is at the root of many of the issues we read about every day. Whether it’s a breach of financial data at a bank, a leak of medical records from a hospital, or one of the high-profile celebrity hacks, the result is a breach of confidentiality. No one—the victims or the companies involved—wants to be in the headlines for this kind of security issue.

Ensuring Data Remains Private
The core rationale for any data security approach is to ensure data—it might be a company’s data, personal data, or partner data—remains confidential at all times. This requires an end-to-end security approach that protects network traffic from the endpoint to the data center. Security used to mean ensuring that data in a fixed location remained safe, but in this era, when data is always on the move, securing it in transit to ensure it remains confidential until it reaches its intended destination is critical.

So, how does data confidentiality work? In the network, it begins at the physical layer, where adversaries can use fiber tapping devices to grab sensitive data without being detected. To avoid this kind of exposure, a well-secured network should bulk encrypt all in-flight data from end to end, making it completely unreadable and useless to hackers.


Securing the network in this way is an important part of ensuring data confidentiality. Another element is adding selective service-layer encryption at the edge. Today, a very cost-effective way for companies to accomplish this is by deploying next-generation, virtualized security solutions. This approach can reduce legacy infrastructure costs, but it requires a flexible, open infrastructure that can rapidly deliver and provision virtual network functions (VNFs) in real time.

A multi-layered security solution that has confidentiality as its core aim should use virtual security appliances like firewalls, intrusion detection systems, and identity/access management systems. A little deception is good as well: routing traffic to virtual honeypots helps fool and expose bad actors. Making it all work seamlessly might look like magic, but a virtualized security environment depends on advanced analytics and orchestration tools to make sure all VNFs work together effectively.

Another critical component of confidentiality is intrusion detection. Ciena’s PinPoint Integrated Optical Time Domain Reflectometer (OTDR) detects fiber tapping and protects valuable traffic from long-term exposure. PinPoint automatically scans the fiber plant at turn-up and during faults and spots high losses or reflections in seconds, which enables quick troubleshooting and repair. In addition, it enables proactive monitoring and maintenance by finding potential fiber issues before they cause outages. It also ensures the fiber plant is properly conditioned for optimal performance.

Securing the Network Itself
In today’s environment, it is not enough to encrypt user data; there is also metadata that adversaries can use to map out the network and plan attacks even without access to the encrypted application-layer data. What type of information is exchanged as part of this metadata? IP and MAC addresses, protocol types in use, and other potentially critical network information are exchanged in the clear even when the actual user data is encrypted.

So how do you fill this hole in your enterprise encryption strategy? You must secure the network itself and not just the end-user data, by encrypting at the lowest layer possible on the network. Only a Layer 1 optical encryption approach renders ALL data undecipherable to any hacker that taps into the fiber strand. This ensures that metadata isn’t exposed to attackers and eliminates gaps within an organization’s in-flight data protection strategy.
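As an added illustration of the metadata exposure described above (example code, not from Ciena or the original article), the following Python builds a constructed Ethernet/IPv4/TCP frame around an already-encrypted payload and shows which header fields a passive fiber tap can still read when encryption stops at the application layer, versus nothing when the whole frame is bulk-encrypted at Layer 1. The addresses, ports and payload bytes are made-up sample values.

```python
import struct

# Constructed sample values (not from the article): a workstation talking to
# a TLS server. The payload stands in for already-encrypted application data.
SRC_MAC = bytes.fromhex("021a2b3c4d5e")
DST_MAC = bytes.fromhex("02aabbccddee")
PAYLOAD = bytes(range(16, 48))

def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble Ethernet II / IPv4 / TCP around an opaque payload (checksums left zero)."""
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    # seq=1, ack=0, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # version/IHL, DSCP, total length, id, flags/frag (DF), TTL, proto TCP, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0, ip_src, ip_dst)
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload

def tap_view(frame: bytes, layer1_encrypted: bool) -> dict:
    """Fields a passive fiber tap can recover from one frame.

    With Layer 1 (optical) bulk encryption the entire frame, headers included,
    is ciphertext on the fiber, so nothing is recoverable. With encryption only
    at the application layer, the L2/L3/L4 headers are readable as-is.
    """
    if layer1_encrypted:
        return {}
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    meta = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "ethertype": hex(ethertype)}
    if ethertype != 0x0800:          # only IPv4 is parsed further here
        return meta
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    meta.update(src_ip=".".join(str(b) for b in ip[12:16]),
                dst_ip=".".join(str(b) for b in ip[16:20]),
                ttl=ip[8], protocol=ip[9])
    if ip[9] == 6:                    # TCP: ports reveal the service in use
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        meta.update(src_port=sport, dst_port=dport)
    return meta
```

Everything `tap_view` returns for the unencrypted-header case is information a network mapper can use without ever breaking the payload encryption.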


Securing the network communications channels is also critical in protecting the network itself against attacks that would attempt to take the network down or alter its intended functions. This can be done by encrypting selected ODU/OTU overhead and network management traffic to ensure that it can’t be accessed by hackers. This keeps the information required for communications between all nodes in the network private, which is essential for the network to function as it is designed to.

Data Confidentiality Laws
Confidentiality is at the core of the EU’s GDPR—the General Data Protection Regulation, which went into effect on May 25, 2018. Under the GDPR, companies must notify authorities within 72 hours of discovering a personal data breach, and, in serious cases, the data subjects affected by the breach must also be notified. Fines have gone up significantly.

Financial services organizations that do business in New York State have to conform to 23 NYCRR Part 500, which went into effect on March 1, 2017, and requires that entities such as New York insurance companies, banks, and other regulated financial services institutions (including agencies and branches of non-US banks licensed in New York) assess their cybersecurity risk profile and create a robust program to address those risks.

Okay—so that sounds daunting, doesn’t it? Trying to run a business is tough enough. Now you have to worry about so many other issues—like keeping your customers’ data confidential. How can you pull that off? Fortunately, Ciena knows how to help.

How Ciena Helps
At Ciena, we use our WaveLogic Encryption solutions to protect all in-flight data, all the time, so that it remains private and secure from theft. This is critical to ensuring that data remains confidential no matter where it is going. WaveLogic Encryption utilizes field-proven techniques that are widely deployed across the globe in finance, legal, healthcare, military, utilities, ICPs, service provider networks, and government networks.

Enterprises like Switzerland’s Helvetia choose Ciena as the infrastructure they rely on to securely transfer data between critical enterprise hubs. With Ciena, Helvetia can benefit from always-on encryption to send more data securely by taking advantage of the ability to transport encrypted data at 200 Gb/s across distances up to 130 km.

Network operators cannot stop at encrypting the end-users’ data; they must protect their entire network by securing it at the lowest level and utilizing integrated OTDR capabilities for better visibility to detect intrusions.

The world can be scary. So much is riding on your network. Ciena is equipped to make sure that your confidential information stays secure. At the same time, we’ll help you conform to the increasingly complex regulatory environment.
