Privacy Advisor

Curing the Chronic Pain of Encryption: Five Common Fallacies

April 1, 2008

By Brian Irish

Have you ever known anyone who suffers from chronic back pain? They start by visiting doctor after doctor, trying to find a cure or even just some relief from the pain they live with on a daily basis. After trying multiple "solutions" and realizing that nothing seems to help, they eventually give up and just learn to deal with the pain and discomfort.

Organizations looking to encrypt their data on a network-wide basis are in much the same situation. Most tried encryption years ago and found it to be slow, complex and just not worth the pain and frustration. But times have changed. Encryption and key management have evolved; those old issues are no longer relevant.

Encryption then and now
Most security experts agree: encryption itself is great—it's data protection at its finest. However, traditional methods of encrypting data on the network create that "chronic back pain" for security professionals across the globe. These methods typically involve adding encryption to the router (an already heavily burdened device) and slowing performance to a point where it disrupts latency-sensitive applications running across the network.

Organizations may have solved one problem by adding encryption, but they created others within the network, including additional complexity and slowed network performance. After years of trying to solve the network-wide encryption dilemma, most organizations did one of two things: 1) if they absolutely had to encrypt, they simply learned to live with the pain and frustration that typically came with encryption, or 2) they did nothing. Neither option is ideal.

Fortunately, today's encryption technologies fix these issues. Correcting the following incorrect notions about network-wide data encryption can help those who suffer from the chronic pain of encryption.

Incorrect notion # 1: "It breaks MPLS."
Most organizations have either transitioned to a Multi-Protocol Label Switching (MPLS) network or are in some stage of migration. Dynamic networking and traditional encryption don't mix. You see, encryption usually establishes a set path for data to travel between two endpoints. The same static path is used every time. In essence, the two endpoints create a "tunnel" for the encrypted data.

This works fine if you are only encrypting two endpoints. But as you add encrypted endpoints, more and more tunnels are set up across your network. You aren't adding just one tunnel per endpoint either; a tunnel has to be created to connect to every other endpoint. For a network with only 10 encrypted endpoints, there would be 90 "tunnels." Can you imagine 100 or even 1,000 encrypted endpoints? So much for dynamic networking!

Recent advances have introduced a concept referred to as "tunnel-less" encryption. Picture those endpoints again. This time, the little magic encryption box is going to replicate the data's source and destination information. The encrypted packet can now be sent on its merry way down the most efficient path, one chosen not in advance but by the network itself. No more need for tunnels. Encryption no longer breaks MPLS or any other dynamic networking protocol.

Incorrect notion # 2: "It's way too complex."
"Key management" has been the Achilles' Heel of encryption for years. Returning to the back pain analogy, key management may very well be the bone spur that causes most of the pain to begin with.

The typical method of managing encryption keys is a very complex, decentralized and resource-intensive proposition and a major reason why most organizations have decided to forgo encryption altogether. In a decentralized model, the device itself maintains a list of "rules" or "policies" that govern the encryption and decryption between it and all other encryption devices on the network. Again, not necessarily a bad thing when you want to encrypt only between two sites.

But no matter how many sites you have, the devices themselves still manage the encryption. So any time there is a change, for example, when a new site is added, then the list of policies on every single device has to be updated. This is typically a manual process that requires time and resources.

Centralized policy and key management removes the management of policies and keys from the device and places them on a transparent plane where the administrator can centrally manage policies and keys for the entire network with a click of the mouse. Complexity removed.

Incorrect notion # 3: "It's not compatible with VoIP, Video over IP or other latency-sensitive applications like Multicast and Broadcast."
This simply is not true. However, trying to stuff more functions into a router does slow its performance. Encryption is best performed in a purpose-built appliance, not the router. Let the routers route; that's what they were designed to do.

Today's encryption appliances are wire-speed throughput "bump in the wire" implementations. Most companies offer products that range from 10 Mbps up to 10 Gbps. But speed is not really the issue; latency is. Microsecond latency is acceptable for Voice and Video over IP and any other latency-sensitive application.

Incorrect notion # 4: "It simply doesn't scale."
The tunnels and the key management issues discussed earlier can be blamed for this false notion. While it may be complex, burdensome and difficult to manage, traditional encryption actually does scale—just not simply. In the past, the difficulty associated with a network-wide deployment has not been worth it to security professionals or network administrators.

However, by combining tunnel-less encryption technologies with centralized policy and key management capabilities and utilizing another new concept, called "grouping," which places similar devices performing similar functions in a theoretical "group" based on security policies, encryption does scale; and it scales like never before.

As an example, one global manufacturer currently has 35 encrypted sites in a full mesh topology. They are expanding that to 350 sites in the near future. Try that with traditional methods. The reality is that encryption does scale—and it scales simply.

Incorrect notion # 5: "It's just too expensive."
There are two types of expenses with encryption: the cost of the actual deployment and the cost of living with it. The cost of deploying a network-wide encryption solution today is about the same as trying to add encryption directly to the router. Sometimes, it even costs much less to deploy network-wide encryption, depending on router upgrades and other factors.

The real cost savings come from the simplicity, centralized management, reduced complexity and general reduction in resources required to actually manage and maintain the solution.

But, let's look at it another way. According to research performed by the Ponemon Institute, the total cost of a data breach is almost $200 per record. The cost of protecting those records can be as little as pennies per record. That's easy math. And Ponemon reports that most companies that experience a data breach end up investing in new technology, including encryption, anyway.

Conclusion
Why is it then, when most experts agree that encryption is the simplest, most effective step any organization can take to protect its sensitive information, that, according to the same Ponemon Institute study, as many as 65 percent of companies are still sending their information over the network in the clear?

It goes back to the chronic back pain analogy. Most companies have either lived with the pain of legacy encryption solutions for too long or simply decided some time ago that deploying network-wide data encryption can't be done. As such, they aren't looking for a workable solution any longer. And that's the tragedy of it all.

While some may still be waiting for the "miracle cure" for chronic back pain to arrive, the cure for chronic encryption pain is here. There are off-the-shelf solutions available today that provide an effective encryption solution to organizations worldwide. There is no need to suffer any longer.


Brian Irish is the Director of Marketing for CipherOptics, a Raleigh, N.C.-based network-wide encryption solution provider. Offering an innovative policy and key management solution, coupled with high-speed, low-latency encryption technology, CipherOptics helps customers mitigate the risk of data leakage, loss and theft over any network.