Increasingly, companies large and small are leveraging the advantages of sharing resources across data centers, partially the result of an explosion in use of virtualization technology. This makes data center connect (DCC) security an even more important business consideration as traffic grows and more enterprise-critical data is passed between data centers.
Until recently, the gold standard for DCC security was encrypting data at rest, then sending it across a fiber optic cable and decrypting on the receiving end. This presented several challenges, however, from encryption key management to processing power, data latency and complexity.
Optical fiber isn’t the armored car it once was believed to be, either, Alcatel-Lucent said in a recent white paper, Alcatel Lucent Delivering Comprehensive Enterprise DCC Security. It notes that a knowledgeable intruder who has access to the optical fiber can now purchase a device to eavesdrop for less than $1,000. Such a tap is hard to detect because the eavesdropping technology relies on bending the optical fiber until just enough light leaks out to capture the data without drawing attention from the sending or receiving data centers.
The white paper suggests a better approach to DCC security: encrypting all data during transit, also known as in-flight encryption, using so-called secure Layer 1 traffic encryption. This amounts to passing all data through a physical-layer encryption-decryption stage on each side of the data transfer.
The benefit of such a solution is that it “provides encryption with transparent connectivity to support all upper-layer Open Systems Interconnection (OSI) protocols and applications, including data mirroring, Virtual Machine (VM) mobility and storage virtualization — all with ultra-low latency and high bandwidth to meet today’s enterprise requirements,” Alcatel-Lucent explained.
This method of DCC security also lowers the total cost of ownership by allowing LAN, SAN and HPC traffic to converge onto a single transport medium, is less complex, and lets data be sent over any fiber connection without the security issues described above, among other benefits.
Alcatel-Lucent offers a Data Center Connect Solution that incorporates its 1830 Photonic Service Switch (PSS) and its 1830 Key Management Tool (KMT) in a secure, scalable solution that provides best-of-breed DCC security, the company said in its white paper.
The 1830 Photonic Service Switch, a wavelength division multiplexing platform that sits on each end of a DCC, addresses all three major components of a modern DCC security strategy, including prevention, detection and mitigation, Alcatel-Lucent added.
It enables prevention by operating in a secure mode, which closes down all but essential physical and logical ports, disables software debug functions, disables embedded OS services and interactive OS access, and supports only secure network element management protocols such as SSL and SNMPv3.
Detection is addressed in the system by several security mechanisms that ensure the integrity of data communications, most notably optical intrusion detection, which constantly monitors changes in optical loss to identify whether an eavesdropping device has been added to the optical fiber connecting the data centers.
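As an added illustration of the optical-loss monitoring idea described above (this is not Alcatel-Lucent's code or the 1830 PSS algorithm), the following Python sketch learns a receive-power baseline and flags a sustained increase in loss, the signature a bend tap would leave. The power samples, learning window, 0.3 dB threshold and persistence count are all constructed assumptions.

```python
"""Detect a sudden, persistent increase in optical loss on a DCC fiber.

Added example, not the white paper's or the 1830 PSS's own logic.
Sample values, learning window, threshold and persistence are assumptions.
"""
from statistics import median

# Constructed receive-power samples in dBm, one per second. The link idles
# around -10.0 dBm with ~0.05 dB jitter; from sample 12 onward an extra
# ~0.5 dB of loss appears and persists (what a bend tap would cause).
SAMPLES_DBM = [
    -10.00, -10.03, -9.98, -10.02, -10.01, -9.97, -10.04, -10.00,
    -10.02, -9.99, -10.01, -10.03,
    -10.52, -10.49, -10.55, -10.50, -10.53, -10.51, -10.48, -10.54,
]


def detect_loss_step(samples_dbm, learn=10, threshold_db=0.3, persist=3):
    """Return the index of the first sample of a loss step that exceeds
    threshold_db for `persist` consecutive samples, or None if none occurs.

    The baseline is the median of the first `learn` samples; requiring
    persistence filters single-sample noise (transients, connector bumps).
    """
    if len(samples_dbm) <= learn:
        raise ValueError("not enough samples to learn a baseline")
    baseline = median(samples_dbm[:learn])
    run = 0
    for i, power in enumerate(samples_dbm[learn:], start=learn):
        extra_loss = baseline - power          # positive => light missing
        run = run + 1 if extra_loss > threshold_db else 0
        if run >= persist:
            return i - persist + 1             # start of the sustained step
    return None


def extra_loss_db(samples_dbm, index, learn=10):
    """Extra loss in dB at `index` relative to the learned baseline."""
    return round(median(samples_dbm[:learn]) - samples_dbm[index], 2)


if __name__ == "__main__":
    idx = detect_loss_step(SAMPLES_DBM)
    if idx is None:
        print("no sustained loss step detected")
    else:
        print(f"sustained loss step from sample {idx}: "
              f"+{extra_loss_db(SAMPLES_DBM, idx)} dB versus baseline")
```

In practice the threshold must be calibrated against the link's normal power fluctuation, since a tap that leaks only a small fraction of the light produces a correspondingly small loss step.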
The 1830 Photonic Service Switch also reduces the risk of stolen data by encrypting data in-flight with NIST AES block encryption and decryption. It “uses integrated hardware and large, robust 256-bit AES keys to encrypt data flows and transport information securely,” Alcatel-Lucent highlighted in the white paper. “Working at a 10-Gb/s line rate, its L1 encryption hardware introduces less than 1μsec latency (equivalent to approximately 200 meters of fiber) into the end-to-end data stream.”
The Alcatel-Lucent DCC security solution also manages DWDM encryption with its 1830 KMT, which “helps manage the cryptographic life cycle of each encrypted wavelength service — the keys generated to perform the encryption — as well as encryption key expiration, rotation and destruction.”
As companies continue to expand data sharing among data centers, in-flight L1 encryption and a strong security strategy are becoming increasingly essential.
Edited by Peter Bernstein