Network Encryption for Financial Services


These are the presentation slides for a recent Ciena and IDC webinar on the topic of Network Encryption in the Financial Services market. Speakers were Chris Christiansen, analyst at IDC, and Jim Gerrity of Ciena.

An archive of this webinar, including slides and audio, is available at the following link:

Published in: Technology

  1. Under Lock and Key: Network Encryption for Financial Services. Secure your Critical Data. © Ciena Confidential and Proprietary
  2. Today’s Speakers: Chris Christiansen, IDC; Jim Gerrity, Ciena Corporation
  3. Agenda
  4. Under Lock and Key: Network Encryption for Financial Services. Christian Christiansen, VP, Security Products & Services, IDC. Copyright 2012 IDC. Reproduction is forbidden unless authorized. All rights reserved.
  5. Why Encrypt?
     • Enterprise Value resides in Bits not Atoms
       - Customer data
       - Intellectual property
     • Protects critical business information
       - Enforces privacy
       - Facilitates secure sharing of data
       - Maintains data integrity
       - Deleting Cloud data
     • Compliance requirements
     © 2012 IDC
  6. Compliance Regulations are Everywhere
     • UK/Ireland: Ireland – DP(A)A 1995/2003; UK – DPA 1995/2000
     • Scandinavia: Finland – FPDA 1995/1999; Denmark – DPRA 1978, APPD 1995/2000; Sweden – PDPA 1995/1998
     • Canada: The Privacy Act 1983; PIPEDA 2001
     • Europe: Belgium – LPPLRPPD 1992, DPA 1995/2001; Italy – DPA 1995/1997; Germany – FDPA 1995/2001; Portugal – PDPA 1995/1998; Austria – DPA 1995/2000; Greece – PIPPD 1995/1997; Luxembourg – “EUD” 1995/2002; Netherlands – PDPA 1995/2001; France – ADPDFIL 1978, “EUD” 1995/Pending; Spain – DPA 1995/2000
     • Eastern Europe: Estonia (96), Poland (98), Slovak (98), Slovenia (99), Hungary (99), Czech (00), Latvia (00), Lithuania (00)
     • U.S.A.: FCRA 1970; PA 1974/1975; RFPA 1978; CTVPA 1984; ECPA 1986; VPPA 1988; HIPAA 1996/2002; COPPA 1998/2000; DMPEA 1999/2000; FSMA/GLBA 1999/2001; Sarbanes-Oxley 2002; PCI 2004
     • Mexico: eCommerce Act 2000
     • South America: Chile – APPD 1998; Argentina – PDPA 2000
     • Asia Pacific: Australia – PA/PA(PS)A 1988/2000 2001; New Zealand – Privacy Act 1993; Hong Kong – Personal Data 1996; Taiwan – CPPDP Law 1995; South Korea – eCommerce Act 1999; Japan – J-SOX 2006
     Source: CSC and IDC, 2006
  7. Reasons For Encrypting. Percent of Factors Driving Deployment of Encryption within an organization selected as Extremely Significant (N=349):
     • Safeguard client or customer information: 70%
     • Protect proprietary or critical company data: 59%
     • Prevent public exposure, damage to brand or reputation: 51%
     • Regulatory, audit or legal compliance: 49%
     • Mitigate risk of financial liability: 45%
     • Protect executive or corporate communications: 37%
     • Safeguard partner information: 36%
     • Organization policy: 29%
  8. Encryption: Market Drivers
     • Encryption is the lynchpin for data security. It is used to protect data in-transit, data-at-rest, and data-in-use.
     • Encryption not undertaken for fuzzy reasons.
     • Neat Stats
       - 1/3 to ½ Enterprises have some data encryption.
       - 75% expect encryption use to increase
       - Percent of all data encrypted to increase
  9. Poll Question
     What percentage of your corporation’s data is currently encrypted? a) 0-25% b) 26-50% c) 51-75% d) 76-100%
     How much of your data do you expect to be encrypted in the next 24 months? a) 0-25% b) 26-50% c) 51-75% d) 76-100%
  10. Key Management Perspectives: Quotes
     • "If you forget the key, you are toast."
     • "Of course you, you have this encrypted data and then how do you manage to use it when you need it? You can archive something and encrypt the data but what happens if you lost the key? It is gone forever"
     • "This is a really dangerous technology in that encryption is a really good way to destroy data as well as protect it."
     • "My key fear is I go out to the tape and the key is dead, wrong, expired, corrupted and I got no backup.”
  11. Key Management Perspectives
  12. Encryption Silos
     • Full Disk
     • File Folder
     • Storage
     • Backup and Replication
     • Email
     • Database
     • Network File
     • Data Transfer
     • Cloud
     All of these need Key Management
  13. Key Management Perspectives: Survey. What is your greatest concern, problem or expectation associated with encryption key management? (Multiple response possible; N=100)
     • Management/implementation: 21%
     • Safety/security of keys: 14%
     • Losing the key: 11%
     • Integrity: 7%
     • System resources: 6%
     • Staff resources/training: 5%
     • Platform compatibility: 4%
     • Performance: 3%
     • Key expiration: 3%
     • Cost/expense: 3%
     • None/Don't know: 20%
  14. Key Management System
     • The Most Important Part of a Secure Encryption System
     • The purpose of a KMS is to provide life-cycle management of cryptographic keys in a great variety of scenarios.
     • Strong KMS imperative to successful encryption operations
       "Key management, it’s how do I make sure, absolutely sure that I can take all this information off site in the event of a disaster and get valid keys recovered so we can actually read the data."
     • KMS must be robust, secure, and inspire confidence
  15. Enterprise Key Management Concept [diagram labels: SITE 1, SITE 2, SITE 3; Key Archive Service; Database / Application; NAS / File Server; Tape Libraries; Disk Arrays]
  16. EKMS Required Attributes
     • Key Management Policy, Standards, Procedures
     • Key Generation, Distribution, Retention, Destruction
     • Scalability – multiple applications and locations
     • Automation
     • Audit
     • Highest Level of Security - Hardware Protection
  17. Analyst Thoughts
     • Technology is mature and stable.
     • Many see encryption as unreliable and dangerous.
     • Concerns must be met head-on especially regarding data recovery.
     • Recommend hardware keying material protection.
     • Dedicated encryption vendors can greatly increase comfort level
  18. Closing Comments
     • Information exceedingly valuable
     • Encryption is the lynchpin for storage/information protection
     • The amount of data being encrypted will continue to increase
     • Many encryption silos but robust enterprise key management can tie it together.
     • Buy for Today, Plan for Tomorrow
  19. Network Encryption for Financial Services. Secure your critical data
  20. Agenda: Part 2
  21. Encryption for Financial Services: Business Overview and Objectives
     Financial services run on information. …
     • Information needs to be networked and shared among geographically dispersed locations.
     • Institutions rely on secure, highly available networks to deliver applications and services.
     • Financial institutions have significant risks in the areas of data security, compliance and liability.
     • Financial firms must be vigilant in protecting IT infrastructure from increasing security threats.
  22. Why Information Security is Critical for Financial Services Businesses
     Regulations & Privacy Laws
     • Tougher compliance legislation: Safe Harbor Act, EU Data Protection Act, and Data Protection and Misuse Act (UK), SEC, others
     • Higher fines: Sarbanes-Oxley, PCI-DSS and GLBA
     • Tougher information security standards: Basel II financial accords and the Sarbanes-Oxley (SOX) Act
     Increasing Threats
     • More frequent security breaches: 58% increase reported in 2011/12 vs. previous year
     • More costly incidents: to $7.2m per incident in 2011 (compared to $1.5m in 2005)
     Cloud Security Concerns
     • Security concerns hindering cloud services adoption: delaying huge economic benefits for Financial Services companies.
  23. Security Building Blocks
     • A comprehensive IT security approach must encompass not just server security and at-rest encryption, but also a robust in-flight encryption solution
     [diagram labels: Server & Database Security; At-rest Encryption; In-flight Encryption]
  25. Common Mistakes About Optical Network Security
     “I don’t see the business justification for encrypting my data”
     1. My network transport technology is inherently safe. It’s fiber optic.
     2. We transport so much data, nobody will ever find what they’re looking for.
     3. If someone is eavesdropping, we’ll detect it.
     Don’t be fooled. The only guaranteed preventive technique is encryption
  26. Encryption 101
     Definition: In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge. The result of the process is encrypted information.
     • Advanced Encryption Standard (AES)
       - Key sizes (56-, 128-, 256-bits), e.g. AES-256
     • National Institute of Standards and Technology (NIST)
     • Federal Information Processing Standard (FIPS)
       - FIPS 197
       - FIPS 140-2
  27. What Type of Encryption?
     1. Protect at the application layer
       - Inefficient use of bandwidth
       - Added cost & complexity
       - Labour-intensive key management
       - Protocol-specific
       - Can add serious latency
     2. Protect at the network transport layer
       - Fewer network elements
       - Wire-speed data throughput
       - Ultra-low latency
       - Protocol-agnostic
  29. Ciena Network Encryption Architecture
     [diagram labels: Secure the network; Network Security Dashboard; Protect your data; Enterprise-managed keys; FIPS certified; Multi-client (Ethernet, Fiber Channel); Certified AES-256 Encryption; Ethernet, WDM, SONET/SDH or OTN network; Network independent; Hardware-based; Protocol agnostic]
     • Efficient, hardware based, ultra-low latency AES-256 encryption
     • FIPS-certified solution with no throughput degradation and no service impact
     • Protocol agnostic for a simplification of the encryption network architecture; wire speed encryption from 10Mb/s – 10Gb/s
     • Encryption key management partitioned from transport management
  30. Network Encryption Deployment Options
     • Add-on Appliance
       - Lowest OPEX
       - Full key control and visibility of network performance
       [diagram labels: Enterprise managed keys; Enterprise provided and managed (at each end); Private or Service Provider Network]
     • Carrier Managed Encryption Service
       - Full network integration
       - Lowest CAPEX
       - Maintain in-house key management and visibility of network performance
       [diagram labels: Enterprise managed keys; Service Provider Managed Service]
  31. Encryption Key Management
     • Mary, the bank’s CSO, manages the service’s encryption parameters (e.g. keys). Mary can view alarms related to her service but not those of the entire system.
     • Bob, the Service Provider, monitors and manages the transport system. Bob cannot view or edit keys provisioned by Mary.
     • Network Security Dashboard (NSD)
       - Partitioning encryption management from transport management for managed service applications
       - Service provider manages transport network
       - End-customer manages encryption provisioning
       - View access to encryption alarms and logs
     [diagram labels: Enterprise-managed keys; Service provider managed network; SP hosted web portal]
  32. Ciena Encryption Solutions
     Solution types: GigE MAN/WAN Encryption; SONET/SDH Network Encryption; OTN Link Encryption; OTN Integrated Encryption
     • Lower speed (<10G) encrypted services
       - 5130: SAN/LAN Optimization Appliance; 2RU, up to 4 1G encrypted services; hardware compression; supports Layer 1, 2 and 3 WAN networks
     • 10G
       - 565*: 2RU, up to 2 10G services
       - 5100*: 2RU, up to 4 10G services
       - 5200*: 11RU, up to 16 10G services
     * Integrated C/DWDM/OTN functionality
  33. 1G Link Encryption: Securely transport compressed and encrypted data across a carrier’s MAN/WAN
     1. GigE Link Encryption: Securely transport compressed and encrypted GbE data across a carrier’s unsecured network
     [diagram labels: GbE, FC100 (clear text) at each end; up to 6 independently encrypted and compressed GbE WAN ports at each end; Unsecured Network]
  34. 10G Link Encryption
     2. SONET/SDH Encryption: Secure transport of 10GbE LAN PHY across a carrier’s legacy STS-192c/VC4-64c SONET/SDH infrastructure
     [diagram labels: 10GE LAN PHY (clear text); 10G SONET/SDH (encrypted); SONET/SDH; 10G SONET/SDH (encrypted); 10GE LAN PHY (clear text)]
     3. OTN Link Encryption: Securely transport encrypted data across a carrier’s switched Optical Transport Network (OTN) infrastructure
     [diagram labels: Multiple Client Types: 10GE LAN PHY, FC800/FC1200, OC-192/STM-64, OTU2(e); (indirect) Uncompressed HD/3G Video, 1GbE, FC100/FC200, OC-48, …; OTN / WDM; G.709 OTU2(e) (encrypted) at each end; Switched OTN infrastructure network]
  35. 10G Integrated Encryption
     4. OTN Integrated Encryption: Light encrypted optical waves directly on dark fiber or deploy fully-integrated managed wavelength services
     [diagram labels: Multiple Client Types: 10GE LAN PHY, FC800/FC1200, OC-192/STM-64, OTU2(e); (indirect) Uncompressed HD/3G Video, 1GbE, FC100/FC200, OC-48, …; OTN / WDM]
  36. Ciena Solution Benefits
     • The security of a FIPS-certified low latency AES-256 encryption engine
     • The flexibility to optimize CAPEX and OPEX budgets
     • Deploy a secure private optical network or a carrier managed encryption service
     • Support for multiple client types and multiple network types
     • The control of in-house key management and visibility of network performance
     Features
     • Network Security Dashboard: Encryption key management partitioned from transport management
     • Ultra-low latency AES-256 encryption
     • FIPS 197 and 140-2 Level 2 certified
     • Scalable from 1GE to multiple 10/40/100G
     • Reliable: Fast path protection; hitless SW upgrades
     • Added flexibility in 10GE mapping into commonly available WAN protocols i.e. SDH, WDM, OTN, Ethernet
     • either an operator or enterprise-maintained infrastructure
     • Multi-client support
  37. Network Encryption Value Proposition for Financial Services. Under Lock and Key: The Need for Wire-Speed Encryption in Financial Services
  38. Under Lock and Key: The Need for Wire-Speed Encryption in Financial Services
     • Financial services firms are increasingly turning to wire-speed encryption to ensure that sensitive data is protected across a distributed enterprise. – Wall Street & Technology Journal, 2012
     • “Security leaders are more accountable to the business now. Their audience is expanding.” – CIO, Insurance, IBM Security Assessment Survey, 2012
     • …data breaches against financial institutions happen far more frequently than reported in the media. “Everybody has data leakage; it’s just a matter of when you find it,” - Ernst & Young VP quote in Bank Systems & Technology, 2012
     • “Security leaders are going to become more key to their organizations, their budgets will increase and they will move from the fringe to being embedded.” – Line-of-business Director, Banking in IBM Security Assessment Survey, 2012
     • Wire-speed encryption can help financial firms protect their data from unauthorized users as it moves across the network. – Wall Street & Technology, 2012
     • “In general, the role of information security will be moving away from specific risks to global risks. The role will be much larger than it used to be.” – Finance Director, Insurance IBM Security Assessment Survey, 2012
     A critical component of a comprehensive IT security strategy
  39. Questions?
  40. Thank you!