
Optical Encryption: First Line of Defense for Network Services


An IHS Markit Technology Webinar

#NetworkSecurity
Today's Speakers

Heidi Adams, Senior Research Director, Transport Networks, IHS Markit
Hector Menendez, Product Marketing Manager, IP/Optical Networks, Nokia
Sylvain Chenard, Product Line Manager, IP/Optical Networks, Nokia
Allen Tatara, Manager, Webinar Events (Moderator), IHS Markit

Agenda

1 The Need for Secure Transport

2 Securing Data at the Optical Transport Layer

3 Illusion of Security & Key Management

4 Case Studies

5 Nokia Approach

6 Conclusions

7 Audience Q&A
The Threat Is Real - And the Stakes Are High

Motivations Behind Attacks, September 2016
Cyber Crime: 80.3%
Hacktivism: 11.3%
Cyber Espionage: 4.2%
Cyber Warfare: 4.2%

Source: Breach Level Index
Source: hackmageddon.com

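Notable Recent Breaches (Impacting Millions of Records)

[Figure: records affected per breach; the organization names are not recoverable from the slide: 80m, 55m, 145m, 77m, 56m, 30+ substations, 70m, 76m]
Source: InformationisBeautiful.net
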
Breaches Pose Substantial Financial Risk and More

FINANCIAL
[Chart: Direct cost of breaches (so far); vertical axis: Direct cost ($M); horizontal axis: Records lost or stolen (m); labelled values: $252m, $161m, $100+m, $100m, $39m]

CREDIBILITY
Enterprise: Lost revenue, credibility, critical IP assets
Government: Interruption of vital services
Finance: Loss of customer assets
Healthcare: Delivery of patient care, loss of confidence

Source: InformationisBeautiful.net

Transformations Driving Cybersecurity Tech

Device proliferation
Rationalizing defense
Evolving threats
New architectures

The Rise of 100G and Beyond
How to Deliver Network Security in a Multi-petabit World?

[Chart: Annual Deployed Telecom Bandwidth and YoY Change, CY14 to CY20; left axis: Transmission Capacity (Petabits/sec), 0 to 125; right axis: Growth rate (%), 0% to 100%; series: 10G, 40G, 100G, 200G+]

Source: IHS Markit Telecom Optics & Components Market Tracker November 2016

Implementing a Defense-in-depth Strategy
From Application to Layer 1 Security

Need to strengthen security beyond perimeter (e.g., firewalls)
Must protect data integrity and confidentiality, including when data is in-flight
Layer 1 security is an integral part of a multi-layered defense strategy

Security threats and the protection at each layer:
Physical: L1 encryption, monitoring, intrusion detection, optical span protection
Data link: MACsec encryption
Network: IPsec encryption
Transport: TCP, UDP privacy and data integrity protocols
Application: SSL/TLS encryption

Why Secure at Layer 1?

Reduced cost: Lowest cost / encrypted bit
Low latency: Ultra low latency and bandwidth efficiency
Transparency: Better scale and support for any traffic type
Better performance: High bandwidth wire speed encryption
High availability: Robust network protection with high availability
Management: Simpler security and network management

Moving Towards a 100G Connected World

Fixed/mobile, IP video, Cloud/IT, IoT
New level of scale required (10G, 100G)
Large enterprises, Content providers, Comms providers, Strategic industries

Better wavelengths
Efficient wavelengths
More wavelengths
Secure wavelengths

Optical networks are rapidly approaching an inflection point

Easily Adding Layer 1 Encryption to Existing Networks

[Diagram: Data Center A and Data Center X, each with LAN (Ethernet), SAN (FC) and HPC (InfiniBand), connected over DWDM metro and long haul @ 100G. IT operations and Security operations functions shown: Enterprise IT, Network Management, Key Management, Cyber security administration]

Optical Transport Security Mechanisms

Wavelength monitoring: Allows power and fiber monitoring and reporting for each wavelength
OTDR the fingerprint: Detect and localize precisely any anomalies on fiber network
Key strength & management: Protect your data and investment with a strong quality key

[Diagram labels: Day 1; Day 3: New fiber route?; Key authority; Plaintext, Ciphertext, Plaintext]

Security and Encryption: The Typical House Lock Analogy
Illusion of Security

House Security
Almost every home has locks on doors.
90+% house locks can be forced in less than 15 seconds without any evidence of unauthorized entry.

Transport Encryption
Almost all optical transport solutions claim they are secure.
Many solutions do not meet current recommendations on minimum key strength.

We need well-balanced cryptographic solutions with a tamper-resistant lock and quality key

It's All about Key Strength

Comparative Key Strength
Symmetric vs. Asymmetric Algorithms

SYMMETRIC | CRITERIA | ASYMMETRIC
Secure private | Key type | Public and private
Low | CPU power needed | High
True random key | Entropy | Integer factorization

Comparative key strength
Symmetric key size (bits) | Asymmetric key size (bits)
80 | 1,024
112 | 2,048
128 | 3,072
192 | 7,680
256 | 15,360

[Diagram, symmetric encryption: Sender and Receiver use the same private key for encryption/decryption; 256 bits; Plaintext, Ciphertext, Plaintext]
[Diagram, asymmetric encryption: Sender uses the Receiver's public key, Receiver uses the Receiver's private key; 112 bits, RSA 2048; Plaintext, Ciphertext, Plaintext]

Cryptographically Sound Solutions Ensure Key Quality for the Future
Must Balance Cipher and Key Strength

Comparison of conventional and quantum security levels of some popular ciphers
(effective key strength/security level)

Algorithm | Key length | Conventional computing | Quantum computing
RSA-1024 | 1013 bits | 80 bits | 0 bits
RSA-2048 | 2048 bits | 112 bits | 0 bits
ECC-256 | 256 bits | 128 bits | 0 bits
ECC-384 | 384 bits | 256 bits | 0 bits
AES-128 | 128 bits | 128 bits | 64 bits
AES-256 | 256 bits | 256 bits | 128 bits

Key Management Comparison

[Diagram: Centralized (a single key manager) vs. Distributed (multiple key managers)]

CENTRALIZED | CRITERIA | DISTRIBUTED
Single | Points of trust | Multiple
Consistent | Policy enforcement | Inconsistent
Unified | Key revocation | Uncoordinated
Good | Scalability | Poor

Insist on Independently Certified Solutions

The assurance pyramid
Standard criteria: Validated against open security standards
Third-party evaluation: Independent certification is proof of due diligence
Secure development: Developed in accordance with a rigorous manufacturing process

Security Is Essential to All Mission-critical Networks

Government: multi-agency networks
Smart city infrastructure: IoT
Financial: advanced branch and banking
Healthcare: telemedicine, telehealth
Utilities: smart grid, teleprotection and SCADA
Transportation: railway signaling, ITS

[Diagram: Enterprise WAN connecting IP-centric apps, Cloud, Data center and Legacy systems; Security: Confidentiality, integrity, availability]

Case Study 1: Private Mission-critical Network

Profile: National grid operator in Europe connecting over 1,200 nodes for substation communications

Key requirements:
Highly reliable grid communications
Full support of SCADA and teleprotection
Secure transport

Solution: Provides the highest level of reliability, safety, and security across the entire grid

Solution details:
Converged IP and Optical network
IP-MPLS for SCADA and teleprotection
Secure optical transport with low latency L1 encryption and optical intrusion detection

[Diagram: Nationwide Grid Control Network (GCN); labels: Generation, Transmission, Distribution, Optical, Cyber security admin]

Case Study 2: National Bank Mission-critical Network

Profile: National bank connected to private banks and Eurosystem (European banking network)

Key requirements:
Low latency for synchronous replication
High security (encryption)
Service migration to a new data center

Solution: Provides a highly reliable, scalable and secure network supporting all mission-critical applications

Solution details:
Optical transport network combining FOADM, CWDM and DWDM
Scalable network with high SLA supporting mission-critical applications
Low latency Layer 1 encryption for all services

[Diagram: Private network connecting data centers and HQ; labels: Data center (three), NOC, Cyber security admin]

Nokia Secure Optical Transport Solution
Certified Layer 1 Encryption with Trusted Centralized Key Management

Effective Layer 1 encryption
Optical intrusion detection
Centralized, unified key mgmt.
Fully independently certified (Common Criteria, ANSSI, NIST)

[Diagram: End-to-end Managed Layer 1 Encrypted Service; labels: Nokia 1830 Security Management Server, 1830 PSS (two nodes), encryption card, Microwave Network 9500 MPR]

Summary

Data breaches pose high risk to corporate revenues and impact credibility and customer trust

Optical transport layer security including L1 encryption provides a first line of defense complementing security strategies at other layers of the network

Simple, unified key management required: ensure solutions are certified and independently validated

Solutions are available today and are actively being deployed in mission-critical networks

Audience Q&A

Heidi Adams, Senior Research Director, Transport Networks, IHS Markit, Heidi.Adams@ihsmarkit.com
Hector Menendez, Product Marketing Manager, IP/Optical Networks, Nokia, Hector.Menendez@nokia.com
Sylvain Chenard, Product Line Manager, IP/Optical Networks, Nokia, Sylvain.Chenard@nokia.com
Allen Tatara, Manager, Webinar Events (Moderator), IHS Markit, Allen.Tatara@ihsmarkit.com

Thank You
This webcast will be available on-demand for 90 days.

For additional IHS Markit events, visit:


https://technology.ihs.com/events

Follow us on Twitter:
@IHS | @IHS4Tech | @IHS4TechEvents
