Encryption: How to protect our data “in transit”
Pablo Duranti. Director Sales Engineering, Transtelco
Gabriel Grifasi. Partner Development Director, Transtelco
June 8, 2021
Companies invest heavily in protecting the integrity of their information on their premises and in their data centers against attacks such as malware, spoofing, phishing and distributed denial-of-service attacks, yet they often remain unprotected against attacks that target data in transit (“in flight”) between those sites.
An effective security strategy must also cover the protection of data in the transmission medium. Achieving this level of security requires the technology, processes and experience to deploy efficient encryption on high-capacity, end-to-end communication services, complementing in this way the protection of data “at rest”. These encryption solutions must also meet the standards that each industry requires; the financial and healthcare sectors are the strictest because of the sensitivity of the information they handle. The solutions discussed here are known as Optical Encryption (Layer 1 Encryption) and Ethernet Encryption (Layer 2 Encryption).
Below you will find a description of these types of encryption and the comparative advantages offered by their technologies.
Types of Encryption for Data in Transit
Depending on the application and use case, companies can choose different types of encryption, ranging from the physical layer up to the application layer of the Open Systems Interconnection model, better known as the “OSI model”:
- Optical encryption protects data at the physical layer (Layer 1): the optical signal itself is encrypted before it is transmitted over the fiber system. It is especially useful for financial and healthcare applications running over very high-speed links (10 Gbps, 40 Gbps, 100 Gbps).
- At the link layer (Layer 2), Ethernet encryption uses MACsec (Media Access Control Security, IEEE 802.1AE) to encrypt and authenticate each Ethernet frame regardless of the transmission medium. Regulatory frameworks such as HIPAA, PCI DSS and Sarbanes-Oxley accept MACsec as a valid mechanism for securing communications networks, and MACsec implementations are available at high capacities (10G and above).
- Moving up the OSI model, IPsec (Internet Protocol Security) is a framework and protocol suite for establishing secure tunnels, commonly called VPNs (Virtual Private Networks), between sites connected at Layer 3 (IP). IPsec is widely used in almost all industries to establish secure communications over the Internet, at capacities that generally do not exceed 1G per tunnel; because the protocols are standardized by the IETF, equipment from different vendors can interoperate.
- For traffic encryption at the higher layers (Layer 4 to Layer 7) there are protocols such as TLS (Transport Layer Security), created to protect sessions in client-server environments. Note that TLS protects only the application payload: the IP and TCP headers, and therefore who is talking to whom, remain visible on the wire.
Advantages of Optical Encryption
Different encryption mechanisms offer advantages and disadvantages depending on the use case. In a scenario where high volumes of information must be transmitted for applications subject to strict regulations, the advantages of optical encryption can be summarized in three main aspects:
- Flexibility: because encryption is applied to the optical signal, independently of the information carried in the higher layers, optical encryption supports a wide variety of traffic formats, which makes the technology completely agnostic to the protocol chosen by the users.
- Efficiency: higher-layer protocols add headers and trailers to each packet in order to encrypt it, reducing the capacity available for application data. This is most evident for applications that send small packets, where the bytes added for encryption are significant compared to the bytes carrying data relevant to the application. Optical-layer encryption adds no such headers, leaving 100% of the available capacity for useful data, as can be seen in the following graph:
- Delay: the latency introduced by encrypting and decrypting the optical signal is significantly lower (almost negligible) than that of encryption mechanisms at higher layers.
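To make the efficiency argument concrete, here is an added Python example (written for this page; it is not code from the original article or from any Transtelco product) that computes the bytes each layer of encryption adds to a single IP packet and the share of line rate that is left for useful data. The per-layer overhead figures are assumptions taken from the standards (IEEE 802.1AE for MACsec with the SCI present, RFC 4106 for ESP tunnel mode with AES-GCM), not values from the article's graph, and all function names are the example's own. TLS is left out of the model because a TLS record does not map one-to-one onto an IP packet.

```python
"""Goodput efficiency of data-in-transit encryption at different layers.

Model (assumptions for this example, not figures from the article):
- Ethernet: 14-byte header + 4-byte FCS, 64-byte minimum frame, plus
  8-byte preamble/SFD and 12-byte inter-packet gap on the wire.
- Layer 1 (optical): the line signal is encrypted; no bytes are added.
- MACsec (IEEE 802.1AE, GCM-AES-128): 16-byte SecTAG (SCI present)
  + 16-byte ICV = 32 bytes per frame (24 bytes when the SCI is omitted).
- IPsec ESP tunnel mode with AES-GCM (RFC 4106): 20-byte outer IPv4
  header, 8-byte ESP header (SPI + sequence), 8-byte IV, padding to a
  4-byte boundary, 2-byte trailer (pad length + next header), 16-byte ICV.
"""
from __future__ import annotations

ETH_HDR, ETH_FCS, ETH_MIN_FRAME = 14, 4, 64
ETH_PREAMBLE_IPG = 8 + 12

MACSEC_SECTAG_SCI, MACSEC_SECTAG_NO_SCI, MACSEC_ICV = 16, 8, 16

ESP_OUTER_IPV4, ESP_HDR, ESP_GCM_IV, ESP_TRAILER, ESP_ICV = 20, 8, 8, 2, 16


def eth_wire_bytes(l2_payload: int) -> int:
    """Wire bytes consumed by one frame whose payload is `l2_payload` bytes."""
    frame = max(ETH_MIN_FRAME, ETH_HDR + l2_payload + ETH_FCS)
    return frame + ETH_PREAMBLE_IPG


def macsec_overhead(include_sci: bool = True) -> int:
    """Bytes MACsec adds to every frame (SecTAG + ICV)."""
    sectag = MACSEC_SECTAG_SCI if include_sci else MACSEC_SECTAG_NO_SCI
    return sectag + MACSEC_ICV


def esp_tunnel_overhead(ip_len: int) -> int:
    """Bytes added when an `ip_len`-byte IP packet is wrapped in ESP tunnel mode."""
    pad = (-(ip_len + ESP_TRAILER)) % 4  # ESP payload must end on a 4-byte boundary
    return ESP_OUTER_IPV4 + ESP_HDR + ESP_GCM_IV + pad + ESP_TRAILER + ESP_ICV


def encrypted_ip_len(layer: str, ip_len: int) -> int:
    """Size of the IP packet after encryption; only IPsec changes it."""
    return ip_len + esp_tunnel_overhead(ip_len) if layer == "ipsec" else ip_len


def wire_bytes(layer: str, ip_len: int) -> int:
    """Wire bytes used to carry one `ip_len`-byte IP packet through `layer`."""
    if layer in ("none", "optical"):
        return eth_wire_bytes(ip_len)
    if layer == "macsec":
        # Minimum-frame padding is applied before MACsec, so a 64-byte
        # frame becomes a 96-byte frame on the wire.
        return eth_wire_bytes(ip_len) + macsec_overhead()
    if layer == "ipsec":
        return eth_wire_bytes(encrypted_ip_len(layer, ip_len))
    raise ValueError(f"unknown layer {layer!r}")


def efficiency(layer: str, ip_len: int) -> float:
    """Fraction of the unencrypted line rate still available for useful data."""
    return wire_bytes("none", ip_len) / wire_bytes(layer, ip_len)


def fits_mtu(layer: str, ip_len: int, mtu: int = 1500) -> bool:
    """False when encryption pushes the IP packet over the link MTU (fragmentation or
    MSS clamping needed); MACsec grows the frame, not the IP packet, so it passes."""
    return encrypted_ip_len(layer, ip_len) <= mtu


def report(sizes: list[int]) -> list[dict]:
    """Efficiency per layer for each IP packet size in `sizes`."""
    return [
        {"ip_len": n, **{layer: efficiency(layer, n) for layer in ("optical", "macsec", "ipsec")}}
        for n in sizes
    ]


if __name__ == "__main__":
    print(f"{'ip_len':>7} {'optical':>8} {'macsec':>8} {'ipsec':>8}  ipsec fits 1500 MTU")
    for row in report([46, 64, 128, 512, 1500]):
        print(f"{row['ip_len']:>7} {row['optical']:>8.3f} {row['macsec']:>8.3f} "
              f"{row['ipsec']:>8.3f}  {fits_mtu('ipsec', row['ip_len'])}")
```

Running the table shows the effect described above: a 64-byte IP packet keeps about 76% of line rate under MACsec and about 65% under IPsec, while a 1500-byte packet keeps 98% and 96% respectively, and optical encryption stays at 100% for every size. The `fits_mtu` check also surfaces a second cost of Layer 3 encryption that the efficiency figure hides: a full-size 1500-byte packet no longer fits a 1500-byte MTU once ESP is added, so it fragments or the tunnel MTU must be lowered.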
Advantages of Ethernet Encryption
In the same way as optical encryption, Ethernet encryption adapts very well to scenarios that require high-capacity transmission under very strict security regulations. Using the MACsec protocol at this layer has the following advantages:
- Transport independence: unlike optical encryption, which needs OTN (Optical Transport Networking) to operate, MACsec establishes a secure data transfer between two devices regardless of the intermediate devices or networks, as long as Ethernet is presented at both ends. One caveat: standard MACsec is a hop-by-hop protocol, so for end-to-end operation across a carrier network the intermediate devices must forward the MACsec-tagged frames transparently (as a carrier Ethernet or EoMPLS service does) rather than terminate or inspect them.
- Costs: for equivalent capacities, and taking the cost of equipment into account, Layer 2 encryption with MACsec is cheaper than optical encryption.
- Efficiency: although it is not as efficient and has slightly higher delay than optical encryption, Layer 2 encryption is still far superior in the described environments to data-in-transit protection mechanisms at higher layers.
In the following table we can see how cost and quality of service vary according to the layer at which encryption is carried out:
What is the type of encryption that suits me best?
At which network layer should we handle the security of data in transit? Some argue that the application layer is the most appropriate because that is where the sensitive data resides. Others argue that security must begin at the physical layer, or at the most basic levels of the connection, so that even the protocol information involved in moving the data is protected. Depending on the security and environmental requirements, both are correct, and the two approaches are complementary: application-layer encryption such as TLS can run unchanged inside a MACsec- or optically-encrypted link.
At Transtelco we specialize in finding the most suitable encryption solution for your company, supported by a track record and experience built over more than 20 years providing solutions and services with all the encryption mechanisms mentioned above. We have an unparalleled optical infrastructure (OTN) in the region that allows encrypted solutions to be deployed at different service layers, as well as the technology partnerships, processes and trained staff needed to operate encryption services that comply with FIPS 140-2 (Level 2) of the Federal Information Processing Standards.