Knowing the possible fines for non-compliance, there is a very real risk that a data breach could lead to company failure.
Given the growing acceptance that a breach is a ‘when’ not ‘if’ event, organisations have evolved beyond perimeter only security models to increasingly lock down data – both at rest and in motion. The key problem is the way in which encryption has been deployed to date. Traditionally an organisation’s infrastructure is broken down into seven layers – following the Open Systems Interconnection model (OSI model), from the physical (Layer 1) through to Application (Layer 7). The usual technique of adding encryption at Layer 2 (Data Link) and Layer 3 (Network) essentially means asking routers and switches to undertake an additional – and demanding - task.
The result is not only drastically compromised network performance but also significant management and troubleshooting issues – often bad enough to drive organisations to switch off the encryption solution. In addition, as soon as Layer 2 and Layer 3 encryption is switched on, the organisation is completely blind to the traffic going across the network: it is not just the data that is encrypted but the file headers and network packets. The only option, therefore, when the application team needs to investigate performance problems is to switch off encryption – creating additional risk and leading to a security/operations stand-off.
Layer 4 Encryption
The answer to the continued friction between operational goals and security imperatives is to decouple encryption from the infrastructure completely. Rather than being embedded in routers, switches or firewalls, Layer 4 encryption technology is completely separate from the underlying infrastructure. By creating an overlay solution that is dedicated to providing the level of trust for data in motion and applications moving across the infrastructure, this model avoids any impact on network performance and complexity. Furthermore, Layer 4 operates in ‘stealth’ mode: it is only the data payload that is encrypted – not the entire network data packet.
This approach has two essential benefits. Firstly, a hacker that cannot see that encryption has been turned on (because the file headers are not encrypted), will have no idea whether the data is sensitive or not – it all looks like worthless data, malformed and of no use. Secondly, if the organisation needs to troubleshoot, key information – such as source/destination ports and IP Address information is still visible, enabling investigation and remedial work to be undertaken whilst the encryption is still turned on. All of the complex management and maintenance problems created by Layer 2 and Layer 3 encryption are removed. The data in motion is secure without adding complexity or compromising operational performance of the infrastructure.