Protecting networks from today’s security threats

23 November 2015 | Stanley Mesceda

Cover

Stanley Mesceda

Blog Author | Gemalto; High speed encryption expert


Businesses across all sectors are seeing their reputation and bottom line suffer the effects of security breaches. In fact, recent reports show that there were 888 data breaches in the first half of 2015 alone, compromising 246 million data records of customers’ personal and financial information worldwide.

Businesses across all sectors are seeing their reputation and bottom line suffer the effects of security breaches. In fact, recent reports show that there were 888 data breaches in the first half of 2015 alone, compromising 246 million data records of customers’ personal and financial information worldwide. 

Within the technology space, companies such as TalkTalk, Vodafone and Korea Telecom account for almost 20% of all data records stolen.

The new reality is that conventional data protection is outdated. Simply putting up a wall around the data and standing watch is no longer enough. 

This is of special concern now that software-defined networking (SDN) is on the rise. Though it provides flexibility and efficiency for operators, SDN can be attacked at each network component. So what can telecoms companies do to protect their networks and the data that travels through them?

Early versions of the OpenFlow standard required SDN network devices to use TLS encryption and certificate authentication. However as a result of the latest criteria, this has been watered down to be an optional requirement, allowing for grey areas of interpretation and in effect providing no governance around the security of the network. 

In addition, the OpenFlow standard relies on implementation teams knowing about industry best practices for managing authentication certificates, public key infrastructures and encryption keys. However, not all do.

This is why security and network teams need to work closer together to understand how best to create trustworthy routes and enable networks to scale in a secure fashion.  

The first step is for them to accept the fact that at some point a breach will occur. The key is to ensure it’s a secure breach, so that sensitive information is worthless to the attacker when it’s stolen. Operators can achieve this by encrypting sensitive data – thus protecting it throughout its whole lifecycle, no matter where it is.

By default, SDN is meant to be configurable and interoperable with various open standards/vendors. By layering security solutions from various vendors, operators can reduce the risk of one vendor data breach compromising the whole network or system.

Additionally, in order to protect SDN networks, operators require multiple layers of security assurance including increased traffic control, multi-factor authentication, and dedicated appliances. 

Operators will need to make sure the software running on the network devices is validated and the configuration changes are authorised by the operator. That is the only way they can trust those network devices and know that their policies have been digitally signed and not tampered with.

Hackers can easily gain access to data via a network device that is either poorly configured or is left with default credentials. Hardware Security Modules (HSMs) can be used to provide that route of trust to securely generate, store and manage the cryptographic keys used for data encryption so they are only accessible to authorised personnel. 

Investing in a standards-based enterprise key management strategy will enable operators to limit access to keys, define how those keys are issued and distributed, and provide protections for them as they are stored.

Not implementing best practice could have a negative effect on all architectures which have multiple network components, including control and data planes. Only operators that adopt a 'secure breach' approach, consisting of a combination of strong authentication, data encryption and key management, can be confident that data will be useless should it fall into unauthorised hands.