What is optical encryption?
Large-scale data breaches are reported in the press almost daily, with devastating consequences for the organizations and individuals involved. With more than 22.7 billion records exposed in 2021, breaches have created numerous PR and economic disasters. Add the cloud and the Internet of Things (IoT) to the mix, and conventional perimeter defense strategies just don’t work.
In response to the rapidly evolving cybersecurity threat landscape, new regulations around the world are upping the pressure on organizations to protect their sensitive customer and operational data. As a result, organizations are continuously revisiting their security strategies to ensure they are doing everything they can to protect their data against these ongoing security threats.
Encryption technology has long protected data at rest, including data residing in databases, data center storage arrays, and laptop hard drives. Traditional in-flight data encryption solutions have also been around for a while, but can present several challenges, including painful key management, increased latency, inefficient use of bandwidth, and the need for application-specific hardware, which adds to the complexity of managing the network.
With in-flight data increasingly being carried over longer distances across high-capacity wavelengths—from 10G and 100G to 800G waves and beyond—optical encryption is a growing means of ensuring all critical in-flight data remains private and secure as it crosses cities, countries, borders, and even oceans.
Encryption of in-flight data at the optical layer has significant advantages over traditional encryption solutions that operate at higher layers of the network—particularly for high-capacity wavelengths. Optical encryption delivers maximum throughput without additional hardware or impacts to performance with transparent transport of any protocol, as the solution integrates directly into the transport network. This translates into a low-latency encryption solution that’s more bandwidth-efficient and doesn’t require a separate network appliance.
Optical encryption is a means of securing all in-flight data in the optical transport layer of the network by transforming the data using an algorithm (cipher) to make it unreadable to anyone except those possessing special knowledge (key).
It is also important to understand that in-flight data encryption solutions that rely on IPsec and MACsec encryption techniques don’t encrypt all the data being transferred, which leaves a security gap. In today’s environment, it is not enough to encrypt the user data, as the metadata that is exchanged (IP and MAC addresses, protocol types in use) can be leveraged by adversaries to map out the network and plan attacks even without access to the encrypted application layer data. Only Layer 1 optical encryption renders all data undecipherable to a hacker who taps into the fiber strand. This ensures that metadata isn’t exposed to attackers and eliminates gaps within an organization’s in-flight data protection strategy.
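The metadata gap described above, as an added example that is not part of the original page or any vendor's code: it parses one MACsec frame and one IPsec ESP packet and returns the header fields readable without any key. The frames, addresses and the `visible_metadata` helper are constructed for illustration; the field layouts follow the standard MACsec SecTAG and ESP headers.

```python
import struct

ETH_MACSEC, ETH_IPV4, IPPROTO_ESP = 0x88E5, 0x0800, 50

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def visible_metadata(frame: bytes) -> dict:
    """Header fields a passive observer can read without any key."""
    seen = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12])}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    seen["ethertype"] = hex(ethertype)
    if ethertype == ETH_MACSEC:
        # SecTAG: TCI/AN (1), short length (1), packet number (4), optional SCI (8)
        tci_an, _sl, pn = struct.unpack("!BBI", frame[14:20])
        seen["macsec_packet_number"] = pn
        if tci_an & 0x20:  # SC bit set: explicit Secure Channel Identifier
            seen["macsec_sci"] = frame[20:28].hex()
    elif ethertype == ETH_IPV4:
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        seen["ip_protocol"] = frame[23]
        seen["src_ip"], seen["dst_ip"] = ip(frame[26:30]), ip(frame[30:34])
        if seen["ip_protocol"] == IPPROTO_ESP:
            spi, seq = struct.unpack("!II", frame[14 + ihl:22 + ihl])
            seen["esp_spi"], seen["esp_seq"] = hex(spi), seq
    return seen

# Constructed sample frames; b"\xaa" bytes stand in for ciphertext and ICV.
DST, SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
MACSEC_FRAME = (DST + SRC + struct.pack("!HBBI", ETH_MACSEC, 0x2C, 0, 7)
                + SRC + b"\x00\x01" + b"\xaa" * 64)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 92, 0, 0, 64, IPPROTO_ESP, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
ESP_FRAME = (DST + SRC + struct.pack("!H", ETH_IPV4) + IP_HDR
             + struct.pack("!II", 0x1000, 1) + b"\xaa" * 64)

if __name__ == "__main__":
    for name, frame in (("MACsec", MACSEC_FRAME), ("IPsec ESP", ESP_FRAME)):
        print(name, visible_metadata(frame))
```

In both cases the payload is opaque, yet the endpoints, the security association identifiers and the per-packet counters remain readable on the wire.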
This is where Ciena’s proven WaveLogic™ Encryption solution shines, providing a flexible, cost-effective, simple-to-implement bulk-encryption solution that protects all in-flight traffic on the network as it spans the globe. For example, the Waveserver® Family of interconnect platforms provides wire-speed optical encryption leveraging AES-256-GCM, including an industry-first 800G solution enabling up to 6.4 Tb of encrypted capacity in just 2RU. Using the 6500 family of converged packet-optical platforms, operators can offer 10G, 100G, or 200G encrypted services with a simple-to-use, dedicated encryption management end-user portal designed for segregated distributed management of the network. This enables the owner of the critical data—the end-user—to independently manage the encryption security parameters and alarms of their encrypted services remotely.
WaveLogic Encryption is purpose-built with the highest level of in-flight data security, offering the following key features:
- Provides hardware-based always-on encryption that guarantees that all traffic is always encrypted 24X7
- Offers external third-party certification to ensure that it is implemented with industry-standard algorithms, including a FIPS-certified AES-256 encryption engine
- Seamlessly integrates into existing enterprise Public Key Infrastructures (PKIs) using X.509 certificate-based authentication, and supports Pre-Shared Key (PSK) authentication
- Provides two distinct, independent sets of keys for authentication and data encryption functions
- Leverages fast encryption key rotation interval down to the second
- Deploys the highest-security cryptography algorithms available today, including Elliptic Curve Cryptography algorithms
- Offers additional security enhancements including:
  - Secure Erase to permanently erase all configuration data, security data, licenses, user files, and logs that are stored in non-volatile storage on any module
  - Enhanced protection against quantum computer attacks on key exchange algorithms with a quantum-resistant implementation of FIPS-compliant algorithms
WaveLogic Encryption builds on years of experience in coherent optics as well as in transport-layer encryption, delivering the industry’s first 100G/200G, 400G, and 800G optical encryption solutions, with simple-to-implement, always-on encryption over any distance—from metro to submarine. Now it’s easier than ever for customers to deploy 10G or programmable 100G to 800G encrypted wavelengths across their entire infrastructure, eliminating costly separate encryption boxes per application, which are cumbersome to deploy and impossible to manage with the increasing number of end-users running their own applications over the network.