Secure Optical Transport: Not All Solutions Are Equal
Historically, cyber security meant use of perimeter protection -- firewalls and passwords, intended to keep bad guys from entering the enterprise domain. This is no longer sufficient. What’s needed are countermeasures that provide multiple layers of protection against a variety of threats. This defense-in-depth concept must now be applied to securing optical networks.
Mar 19th, 2017
Recent events give many reasons to take cybersecurity threats seriously. Any user of modern data systems should be concerned about the safety of their personal, business, or government data, whether at rest in a data center or in flight across a network. Compromised data is costly and disruptive, resulting in lost revenue, reduced market share, and damaged credibility for those affected. Lloyds reported in 2015 that cyber-attacks cost companies $400 billion per year. The cost has increased since, and the threat has spread throughout society, even to the democratic process, affecting public confidence.
What is secure optical transport?
In-flight data faces two primary threats: theft and destruction. Theft is when financial value or intelligence is stolen from the data’s rightful owner. Destruction is when an adversary simply prevents data from reaching its destination, thereby paralyzing commerce, critical infrastructure, or defense forces. Protecting against both threats to in-flight data should be a primary goal for optical networks. Secure optical transport protects against cyber threats through three elements.

Strong data encryption and keys: Layer 1 encryption using AES-256 (the Advanced Encryption Standard with a 256-bit key) forms the foundation. The AES-256 cipher provides excellent protection against brute-force attacks, and no successful analytical attack has yet been found. Efficient to implement in both hardware and software, AES-256 is likely to remain relevant for decades. However, the AES-256 cipher must be complemented with strong, high-quality keys: key negotiation and management must be designed so that they do not reduce the cipher’s effective strength.

Resilient network design: Such design involves trusted equipment design, redundant systems, and fault isolation. Resiliency is a common goal in communications networks; its importance to security should not be overlooked.

Independent certification: Standards bodies such as NIST, Common Criteria, and others have established methods for confirming the security of a network. Certification by an independent body gives the end user assurance that a security approach has been verified and is trustworthy.
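As an added illustration, not code from the article or from any transport product, the Go sketch below shows the two properties the encryption element above asks for: the link refuses any key that is not a full 256 bits (so negotiation cannot quietly hand it a shorter one), and every frame is sealed with AES-256 under a counter-driven nonce that is never reused for one key. The GCM mode, the Link type, the frame layout and the Seal/Open names are assumptions made for the example; the article specifies only AES-256 at Layer 1.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// keyBytes pins the key to 256 bits; aes.NewCipher would also accept 16- or
// 24-byte keys and silently run the link at AES-128 or AES-192.
const keyBytes = 32

// Link is one direction of a constructed encrypted link: AES-256-GCM plus the
// frame counter that feeds the nonce, so no nonce is reused under one key.
type Link struct {
	aead    cipher.AEAD
	counter uint64
}

// NewLink refuses any key that is not exactly 256 bits.
func NewLink(key []byte) (*Link, error) {
	if len(key) != keyBytes {
		return nil, errors.New("link key must be exactly 256 bits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

// nonce maps the frame counter onto the 96-bit GCM nonce (4 zero bytes + counter).
func nonce(counter uint64) []byte { return binary.BigEndian.AppendUint64(make([]byte, 4), counter) }

// Seal encrypts one payload and binds the cleartext header as associated data.
// The returned counter must reach the receiver; re-key before it can wrap.
func (l *Link) Seal(header, payload []byte) (uint64, []byte) {
	l.counter++
	return l.counter, l.aead.Seal(nil, nonce(l.counter), payload, header)
}

// Open decrypts a frame and fails closed if payload or header was altered.
func (l *Link) Open(counter uint64, header, sealed []byte) ([]byte, error) {
	return l.aead.Open(nil, nonce(counter), sealed, header)
}
```

Each direction of a real link would use its own key and counter, and key rotation would be scheduled well before the counter space is exhausted.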