" CipherOptics makes data protection simple. Whether you need to secure data flows over your application environment or encrypt data in motion across the network, CipherOptics makes it easy. Our unique approach to policy definition, key distribution and global encryption management provides unprecedented data protection across your existing infrastructure. "
Source: CipherOptics
Network Data Protection Playbook: Network Security Best Practice for Protecting Your Organization
Table of Contents
- Introduction
- The Foundation of a Data Defensible Architecture
- The Nature and Source of Data Breaches
- Compliance and Possible Safe Harbors
- Breaches and Data Loss
- The Vulnerabilities Expected to be Exploited in the Coming Years
- The Unending Proliferation of Security Patches
- The Evolution of Data Protection
- Beyond Treating the Symptoms
- Five Steps to Enterprise-Wide Data Protection
- Protecting the Network: More Than Just Encryption
- Real-World Data Protection Scenarios
  - Protecting Data Storage
  - Protecting Data Over Third-Party Networks
  - Securing Sensitive Virtual Networks
  - Protecting Wireless End-to-End
- Three-Step Deployment Roadmap
  - Step 1: Address Primary Network Security Threats
  - Step 2: Expand and Extend Data Protection
  - Step 3: Scale to Enterprise-Wide Data Protection
- Compliance-Grade™ Data Protection Solutions
- About CipherOptics
Introduction
The enterprise network is growing more complex and its boundaries are starting to disappear. Businesses are
opening up their network infrastructures and expanding business critical communications with partners,
suppliers, customers, network services providers and telecommuting employees. As this trend continues to
grow, the number of security breaches and the damage they cause grows as well.
With breaches rising and network boundaries disappearing, it is apparent that relying exclusively on perimeter
defense is no longer sufficient. Instead, companies need to develop a defense-in-depth strategy that includes
infrastructure defense, access control and data protection. The foundation must be a data defensible
architecture, one that provides robust data protection that scales and secures data as it travels the network.
To that end, this paper describes:
- The nature and source of data breaches: where do we deploy data protection first?
- The vulnerabilities expected to be exploited in the coming years: how will the bad guys get in and what will they be targeting?
- A five-step plan to deploy an enterprise-wide data protection solution: what should my strategy be to protect my corporate data, my customer data and my business?
- Twelve real-world data protection scenarios: where is data protection currently being deployed as a best practice?
- A three-phase deployment roadmap: where should we start; how do we secure data where it needs to be secured first and how can it evolve into an enterprise-wide data protection architecture?
The Foundation of a Data Defensible Architecture
The network's boundaries are disappearing and vulnerabilities are rising. At the same time, the network's
complexity is increasing as more demands are placed on it. Today's corporate networks include storage
networks, virtual networks, third-party networks, and wireless networks. These networks are no longer only
transmitting data, but also voice and video. How does the enterprise build a data defensible architecture that
will protect its valuable data on the ever-evolving network? Forward-looking organizations are recognizing that
end-to-end encryption must be the foundation of protecting the company's valuable data. Indeed, at some
point everything will be encrypted; the question is not if but when.
This white paper describes how data can be secured even on unprotected networks and what specific steps
should be taken to build a data defensible architecture. Its goal is to provide information, tools and high-level
reference architectures on how to protect data as well as to share CipherOptics' experience in providing data
protection solutions around the world.
The Nature and Source of Data Breaches
We are in an era where IT departments are making headlines, unfortunately for all the wrong reasons. Data
security breaches are growing, now affecting 90 percent of corporations and causing $17 billion in damage
every year (Harvard Business Review). Vulnerabilities are increasingly being discovered in cross platform
applications, backup software, antivirus software, and even in core networking elements such as Cisco IOS and
Juniper's networking products. There are also vulnerabilities appearing in seemingly secure Unix platforms. All
of these are in addition to the numerous vulnerabilities already found and continually being discovered in the
Windows operating platform. As more and more applications and systems have been successfully breached, a
growing list of data privacy regulations are forcing companies who do business in the United States to publicly
disclose any loss of customer information. These disclosure rules have already impacted many large
corporations like Bank of America, Time Warner, Marriott, Boeing, and others who were required to inform
customers of the loss of hundreds of thousands of records. Unfortunately, they won't be the last. These same
challenges are affecting businesses worldwide.
Compliance and Possible Safe Harbors
In the U.S. alone, there are now over 10,000 regulations dictating how a business should be run (Enterprise
Security Group Report). A growing number of these regulations mandate the protection of data by encryption
as a safe harbor. Companies are struggling to keep up with all of the regulations. While 90 percent of
companies claim that information security is of high importance to achieving their overall objectives, only 34
percent say they are compliant with applicable security-driven regulations (Ernst & Young, Global Information
Security Survey). A few of the major data security regulations enterprises may face if they do business in the
United States include:
- The California Database Breach Act (CA SB1386) requires an agency, person or company that conducts
business in California and owns or licenses "personal information" to disclose any breach of security
to any resident whose unencrypted data is believed to have been disclosed. At publication of this
white paper, some 26 states have followed suit with similar regulations and there is pending federal
legislation that covers this same area as well.
- The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect the security and
confidentiality of consumers' personal financial information.
- The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers and other
covered organizations to safeguard the confidentiality of protected health information; its Security Rule
names encryption as one of the (addressable) safeguards for electronic health records.
- The Sarbanes-Oxley Act (SOX) mandates that CEOs and CFOs attest to having the proper "internal
controls" at their companies to protect against data tampering.
We could also add the DoD 8100.2 directive that mandates all data on wireless networks be encrypted, or Basel
II which requires large financial institutions worldwide to measure their risks, including the security of
customers' private information. The list gets longer every day, and regulations are moving beyond disclosure
requirements to penalties and fines for companies whose sensitive data is breached.
Breaches and Data Loss
Companies need to understand the nature of past breaches and data loss in order to know: where to start
protecting data, how to prioritize investments in data protection technologies and how to know which threats
are just a nuisance and which are truly dangerous. Some recent examples that have resulted in monetary
penalties include breaches at Bank of America (over 1.2 million records lost) with penalties of $50 million and
breaches at ChoicePoint (over 172,000 records lost) for $15 million. Customer data losses at other large
companies that have made the national news: Time Warner (600,000 records lost), LaSalle Bank (2 million),
Ford (90,000), Marriott (206,000), Ameriprise Financial (230,000), Boeing (161,000), JPMorgan (under
investigation), WalMart (under investigation) and more.
Beyond any obvious penalties, these public admissions impact the brand image and can potentially cause the loss
of customers and business. In some cases, companies may be forced to fight for their survival due to a loss of
confidence by their customer base.
Even more alarming is the finding that an estimated one-half of the breaches that occur are not publicly
reported (FBI/CSI Computer Crime Survey). This is troubling to network security administrators because a
lack of information on current breaches makes it difficult to develop proactive measures to combat a similar
attack at their own organizations.
During the 14-month period from January 2005 to March 2006, from an analysis of breaches documented on
www.privacyrights.org, nearly 62 million records containing personal information were reported exposed due
to breaches (Figure 1). Malicious hacking, illegal access and general breaches accounted for 71 percent of that
data loss. Unauthorized employees, partners and contractors accounted for another 12 percent. Less than four
percent was from tape or CD loss, and these were accidental rather than malicious losses or thefts.
It is imperative for an organization to identify where the biggest vulnerabilities in the business are and develop
strategies to close those holes. With the de-perimeterization of the enterprise, the number one reason for data
loss is hacking and illegal access. This leads to the conclusion that data theft from network access is emerging
as the top vulnerability; and it is all too often unaddressed. By comparison, theft of physical tapes is much less
risky; the last reported malicious tape theft was more than 20 years ago. Sure, tapes are sometimes lost
inadvertently in shipping, but this poses a low risk for data misuse. The fact is that only four percent of data
records are lost due to loss of tapes and 50 percent of lost tapes have been recovered without any data being
compromised.
The Vulnerabilities Expected to be Exploited in the Coming Years
Every major company has significant vulnerabilities in their networks. The SANS Institute, through a lot of
good work from top security experts, assembles a list of key vulnerabilities that companies should be
concerned about and focused on mitigating. This report brings to light some key issues that companies are
struggling with today:
- Compromising Positions: One of the report's more distressing findings is that software programs
designed to protect data have themselves become the targets.
- New Risks: It's risky to assume you are safe simply because you always install the latest operating
system patches. You have to make sure that programs from multiple vendors are up to date. Because
these applications run on different hardware systems, you cannot assume you have little or no risk
simply because you use Apple's Mac OS X or the Linux operating system rather than Windows.
- Security Products are Part of the Problem: Beyond Web servers there has been an increase in
attacks on the infrastructure of the Internet itself. Three of the top 20 vulnerabilities involved
networking products designed to help secure networks, including products from Cisco, Symantec,
Juniper Networks, and Check Point Software Technologies.
Top Vulnerabilities in Windows Systems
- W1. Windows Services
- W2. Internet Explorer
- W3. Windows Libraries
- W4. Microsoft Office and Outlook Express
- W5. Windows Configuration Weaknesses
Top Vulnerabilities in Cross-Platform Applications
- C1. Backup Software
- C2. Anti-virus Software
- C3. PHP-based Applications
- C4. Database Software
- C5. File Sharing Applications
- C6. DNS Software
- C7. Media Players
- C8. Instant Messaging Applications
- C9. Mozilla and Firefox Browsers
- C10. Other Cross-platform Applications
Top Vulnerabilities in UNIX Systems
- U1. UNIX Configuration Weaknesses
- U2. Mac OS X
Top Vulnerabilities in Networking Products
- N1. Cisco IOS and non-IOS Products
- N2. Juniper, Check Point, and Symantec Products
- N3. Cisco Devices Configuration Weaknesses
In working with customers and security experts, CipherOptics has identified these additional vulnerabilities
found in most organizations' infrastructure:
- VLANs can leak or be hopped. They provide separation of data streams, not the actual securing
of data.
- Leased Lines can be tapped and the data they transmit stolen. They are also susceptible to
accidental misconfiguration.
- Carrier Circuits are vulnerable to data theft and susceptible to accidental misconfiguration.
- Wireless Links are vulnerable to theft of data as it's decrypted at the access point. Where
encryption is not used, they are entirely vulnerable to attack and data theft.
- MPLS VPNs provide separation only, but offer no other data protection. MPLS networks can
be tapped and once they are, the intrusion is undetectable, giving a hacker access to critical
information over long periods of time. They are also susceptible to accidental misconfiguration.
- Data Replication can be compromised as storage traffic is most vulnerable when it travels over
IP-based networks.
- Active Directory replication can also be compromised; network services are the next area of
attack.
- Enterprise networks are vulnerable to attacks by insiders, which account for 12 percent of all
data loss.
By and large, network-based attacks are targeting a larger set of systems, applications, and products.
Vulnerabilities go well beyond Microsoft security holes and now include cross-platform applications, UNIX
systems, security products defending the perimeter and core networking products such as Cisco IOS-based
products and Juniper networking products. Zero-day attacks and application/network infrastructure attacks
typically are not caught by firewalls, so an improved defense-in-depth solution is required.
The Unending Proliferation of Security Patches
It is no longer safe to assume one is protected simply because the latest operating system patches are installed.
There were 2000 vulnerability patches in 2005. In the first three months of 2006, 108 security patches were
issued for Oracle's products alone. Keeping up with all these vulnerabilities is a daunting task, and it still
does not provide full protection: since only about half of breaches are reported, the vulnerabilities exploited
in unreported breaches may not have patches at all.
The Evolution of Data Protection
The data security market is evolving, driven by changes in how people use the network. When companies first
started to connect their networks to the Internet, it was to access the large amount of data that was on the
World Wide Web. Network segmentation (separating the outside network from the inside network) was the top
priority and many different products emerged to accomplish that separation. Firewalls, IDS/IPS, anti-virus and
other tools kept the bad guys out and let employees do their jobs.
Then the Internet was leveraged for remote employee access, business-to-business applications, eCommerce
and many other emerging trends. These new uses of the Internet have improved the ability to support
consumers and facilitated the need for new types of companies. Online bank accounts, remote access from
anywhere in the world and other business enablers have made business operations fluid. Companies can sell
anywhere; consumers can interact with them from anywhere; and transactions can be completed quicker than
ever before.
So far, this has been both good and bad. As an industry we have focused on making connectivity ubiquitous
and enabling consumers to interact with businesses however they want. But we may have been too effective in
that effort. Since everyone is now connected, we have enabled the bad guys to connect as well. Businesses have
large stores of personal information that can be misused with malicious intentions. Therefore, enterprises must
now focus on protecting corporate data, private consumer information and essentially their businesses.
It is important to note that data protection should not be the single line of defense. Data protection must be
deployed along with access controls as well as perimeter and infrastructure defense layers. Companies still need
all of the other layers for a defense-in-depth architecture to optimally defend against the threats and
vulnerabilities that exist today.
In summary, the best practice for a threat-focused security approach deploys a triple-layered defense that
(1) controls access, (2) defends the infrastructure, and (3) protects data. Access control mechanisms (e.g.
federated identity, LDAP, SSO) and infrastructure defense mechanisms (e.g. firewalls, IDS/IPS, anti-virus,
content filtering) remain necessary. But the foundation must be a robust data protection solution that secures
data at all times as it travels the network. Effective data protection must also work regardless of the success
or failure of other security technologies.
Beyond Treating the Symptoms
A robust data protection strategy must go beyond applying solutions to the symptoms. It must solve the real
vulnerabilities. This raises a few questions. Should a company try to keep up with the
seemingly unending proliferation of patches that may cover dozens of applications, or should it think about a
different type of data protection solution? Can this approach also be used for application protection? What
does a robust data protection strategy look like? Where is data protection applied most effectively? Where
should it be deployed first? Where is the best place to defend the enterprise infrastructure?
In short, the network is the common denominator. It's also the most likely avenue of attack, as most data loss
occurs via the network. So the network is where an end-to-end security infrastructure should best be
established. In addition to a strong perimeter defense and effective access control, a comprehensive data
protection strategy should be a primary focus. After all, the key attribute of a defense-in-depth architecture is
that if one layer of security is bypassed or doesn't defend against an attack, the next one will. A comprehensive
data protection strategy will still keep customer, employee, and private information secure, even if the other
layers of protection have failed.
Five Steps to Enterprise-Wide Data Protection
What the preceding discussion indicates is that if a company wants to know what it can do to: 1) make the
biggest impact or yield the biggest return on its security investment; 2) protect its data, its customers and its
business; and 3) prioritize its efforts to improve its overall security risk posture; then the following five steps
should be followed:
- Look beyond the perimeter to build a defense-in-depth data protection architecture. With
the de-perimeterization of the enterprise, insiders cause 12 percent of data records lost and 70
percent of the financial damages. Most new attacks on Cisco IOS or other infrastructure
products cannot be stopped by Cisco IOS-based perimeter products, since those products are themselves
the vulnerability. Vulnerabilities in applications such as Symantec AntiVirus and backup software are
forcing enterprises to focus on data protection as the essential layer of security to protect their
business. Essentially, it's forcing them to address the problem.
- Invest in defending data and applications from network-based attacks. The data is telling;
71 percent of all data records are lost through breaches or network-based attacks. Network-based
attacks are the easiest and safest for hackers because the thief can hide behind a fake IP address,
service providers or other masks. Not only can he hide his tracks, but he can also continue to
steal data over time. These types of attacks have proven to be the most lucrative for hackers and
the most dangerous for security-conscious organizations. Fix the biggest threat from network-based
attacks first. The use cases discussed later in this whitepaper identify four key areas of data
protection in which our customers are building and deploying best practices today:
- Protecting Data Storage
- Protecting Data Over 3rd Party Networks
- Securing Sensitive Networks
- Protecting Wireless End-to-End
- Don't store sensitive information on laptops or mobile devices. Since most work is done via
applications and data can easily be stored in the central depository, there is very little need to
store sensitive information on laptops or other mobile devices. Use the network to access
sensitive data via secure client access. This allows the location and use of information to be
monitored and controlled. It also allows protection of the data from internal threats, accidental
loss of laptops, and other risks to the business. This is essential given that Gartner has shown
how easy it is to break into an encrypted laptop: at the Gartner 2006 Security Conference, they
demonstrated how a laptop could be compromised in less than two hours.
- Protect data on removable media-after the high-priority threats have been addressed.
There has been a lot of news about lost tapes in the last year or so. But studies on data loss and
financial impact due to security events indicate that the loss of tapes is only a four-percent
problem. Most organizations have bigger concerns to fix first. With 96 percent of data lost by
other means, mostly through network and insider attacks, the recent emphasis on encrypting
tapes has been far too high. In fact, there is a strong market trend toward Continuous Data
Protection solutions (IDC) that use the network for business-continuity and data-recovery
operations and protect data in flight when it is copied from one data store to another. This
method allows for the immediate protection of data, whereas backup via tape is not complete
until it has been received at the backup data facility.
- Improve policy and key management for encryption. There is a strong movement to embed
encryption in servers, storage, VoIP devices and other technologies. As the use of encryption
grows, the challenge is to: 1) lower the cost of management; 2) ensure the right processes and
controls are used to properly deploy and maintain security; 3) minimize the impact of changes,
adds, and deletes that are normal in day-to-day operations; and 4) have the right key archival
solution in place.
These five steps are essential in defending data and applications from new types of threats and vulnerabilities
that will impact business.
Protecting the Network: More Than Just Encryption
An excellent foundation for a secure network is established by protecting data packets from their source to
their destination. When the majority of security attacks are initiated from within the network perimeter, the
encryption of data as it travels on the core network or to remote sites becomes the only effective defense
against unauthorized access.
IP Security (IPSec) is the IETF standard for protecting IP traffic in transit over an untrusted network at
Layer 3 (RFC 4301 and related documents). It is the IETF-mandated mechanism for securing the block-based
storage protocols iSCSI, iFCP and FCIP over IP (RFC 3723), and it is quickly becoming the standard for
protecting applications and data inside the enterprise network. IPSec provides three security services:
confidentiality, authentication and integrity.
- Confidentiality: Keeping the data secret. IPSec uses powerful standard encryption algorithms
(AES or 3DES) to protect data from being accessed by unauthorized parties.
- Authentication: Trusting the source. IPSec authenticates each packet with a key shared only by
the two endpoints, so the receiver can verify which peer sent it and drop anything else before it
reaches an application. Authentication can be deployed on its own, without the confidentiality
service, for network protection. Because unauthenticated packets are discarded early and cheaply,
this also blunts some Denial of Service (DoS) attacks, though it cannot stop a link from being flooded.
- Integrity: Trusting the data. IPSec uses keyed hash algorithms (HMAC-SHA1 or HMAC-MD5) to
compute an integrity check value over each packet, so any alteration in transit is detected and
the packet is dropped. (These are message authentication codes, not digital signatures; HMAC-MD5
is now considered legacy and should not be chosen for new deployments.) This defends the network
against attacks where encrypted data is intercepted and the payload is switched between packets.
In these attacks the data is never exposed, but the data stream is silently corrupted, which
proprietary security protocols lacking an integrity check cannot detect.
These three key security features of IPSec offer the best security available. When data on network protocols
other than IP needs to be protected, customers want the same security capabilities. CipherOptics has developed
security products capable of either Layer 2 Ethernet encryption or Layer 3 IPSec encryption. Thus, no matter
which network layer needs to be used for data protection, these three features (confidentiality, authentication
and integrity) can be used to protect your data and applications. The following solution overviews describe
how these data protection technologies can be leveraged.
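The authentication and integrity services just described, as an added illustration that is not CipherOptics' code or product: a stdlib-only Python model of ESP-style packet protection. It prepends an SPI and sequence number to the payload, computes a truncated HMAC-SHA1 integrity check value over all of it (HMAC-SHA1-96, as IPSec does), and on receipt performs the SA lookup, the anti-replay window check and the ICV check in the order RFC 4303 prescribes. Encryption is left out (the equivalent of ESP with NULL encryption, the authentication-only deployment the text mentions) so that the integrity logic is visible. The key, the SPIs and the payloads are constructed for the demo; in a real deployment they are negotiated by IKE. The demo walks through the payload-switching attack described above, a replayed packet and a packet protected under another group's SA.

```python
"""ESP-style packet authentication with anti-replay (illustrative, stdlib only).

Models IPSec's authentication/integrity service: an SPI and sequence number are
prepended to the payload and a truncated HMAC-SHA1 ICV covers all of it. Encryption
is omitted (ESP with NULL encryption). Keys, SPIs and payloads are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

ICV_LEN = 12                 # HMAC-SHA1-96: the 20-byte MAC truncated to 96 bits (RFC 2404)
REPLAY_WINDOW = 64           # minimum anti-replay window size required by RFC 4303
HDR = struct.Struct("!II")   # SPI, sequence number (both 32-bit, network byte order)


class SecurityAssociation:
    """One direction of an SA: SPI, integrity key and anti-replay state."""

    def __init__(self, spi: int, auth_key: bytes) -> None:
        self.spi = spi
        self.auth_key = auth_key
        self.next_seq = 1       # sender: sequence number of the next packet
        self.highest_seen = 0   # receiver: right edge of the replay window
        self.window_bits = 0    # receiver: bit i set => seq (highest_seen - i) was accepted

    def protect(self, payload: bytes) -> bytes:
        """Sender: header || payload || ICV. The ICV binds the payload to this SPI and seq."""
        header = HDR.pack(self.spi, self.next_seq)
        self.next_seq += 1
        icv = hmac.new(self.auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
        return header + payload + icv

    def replay_check(self, seq: int) -> Optional[str]:
        """Receiver: reject duplicates and packets that fell off the left of the window."""
        if seq > self.highest_seen:
            return None                        # advances the window; always acceptable
        offset = self.highest_seen - seq
        if offset >= REPLAY_WINDOW:
            return "sequence number too old"
        if (self.window_bits >> offset) & 1:
            return "replayed packet"
        return None

    def replay_update(self, seq: int) -> None:
        """Receiver: record seq only after the ICV verified (RFC 4303 section 3.4.3)."""
        if seq > self.highest_seen:
            shift = seq - self.highest_seen
            self.window_bits = ((self.window_bits << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seen = seq
        else:
            self.window_bits |= 1 << (self.highest_seen - seq)


def unprotect(sa_table: Dict[int, SecurityAssociation], packet: bytes) -> Tuple[bool, str, bytes]:
    """Receiver: SA lookup by SPI, replay check, ICV check, then accept and update state."""
    if len(packet) < HDR.size + ICV_LEN:
        return False, "truncated packet", b""
    spi, seq = HDR.unpack_from(packet)
    sa = sa_table.get(spi)
    if sa is None:
        return False, "no SA for SPI 0x%08x" % spi, b""   # e.g. another zone's traffic
    reason = sa.replay_check(seq)
    if reason:
        return False, reason, b""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):            # constant-time comparison
        return False, "integrity check failed", b""
    sa.replay_update(seq)
    return True, "ok", body[HDR.size:]


def demo() -> Dict[str, str]:
    """Replays the attacks described in the text; returns the receiver's verdict for each."""
    key = bytes.fromhex("0b" * 20)                        # constructed; real keys come from IKE
    sender, receiver = SecurityAssociation(0x1000, key), SecurityAssociation(0x1000, key)
    sa_table = {0x1000: receiver}
    other_zone = SecurityAssociation(0x2000, bytes.fromhex("ac" * 20))   # a different SA and key

    p1 = sender.protect(b"BEGIN TRANSFER acct=12345")
    p2 = sender.protect(b"AMOUNT 100.00")
    verdicts = {"genuine": unprotect(sa_table, p1)[1]}
    # Payload switched between packets in transit: p2's header and ICV around p1's payload.
    spliced = p2[:HDR.size] + p1[HDR.size:-ICV_LEN] + p2[-ICV_LEN:]
    verdicts["spliced"] = unprotect(sa_table, spliced)[1]
    verdicts["second"] = unprotect(sa_table, p2)[1]
    verdicts["replay"] = unprotect(sa_table, p1)[1]       # p1 captured earlier and resent
    verdicts["other_zone"] = unprotect(sa_table, other_zone.protect(b"hello"))[1]
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-10s %s" % (name, verdict))
```

Run it directly to print the verdicts. Two details worth noting: the receiver updates its replay window only after the ICV verifies, otherwise an attacker could poison the window with forged sequence numbers, and the ICV comparison uses hmac.compare_digest so a forged value cannot be guessed byte by byte through timing differences.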
Real-World Data Protection Scenarios
In helping hundreds of the most security-conscious organizations, CipherOptics has learned that there are four
key areas where deploying encryption makes sense today. As one of CipherOptics' customers stated, "If
encryption were free, we would deploy it everywhere. But since it isn't, these are key areas to focus on first."
Here are the four major areas that customers engage with CipherOptics to provide data and application
protection solutions.
The following use case scenarios briefly cover solutions that CipherOptics has already delivered for other
customers. These solutions can be leveraged to improve the security posture of your network and protect data
in motion. They also can be used within the five-step framework outlined above.
1. Protecting Data Storage
Data storage is a fundamental piece of the business. It contains proprietary company information and personal
consumer information. This information is essential for companies to do business. If you were to hire a
consulting company to do an audit, you would find that the primary risk to be identified is when storage
systems and data traverse an IP network; at that point it can be the target of IP-based attacks. A second finding
would be that the physical transportation of data is unreliable and dangerous.
Deploy Secure Data Replication
Data Security Concern: Today, 25 percent of data
replication is done over IP connections, and that number
is growing significantly. Data is exposed over the
unsecured network.
Solution: Install Security Gateways at either end of the
connection to secure the data replication channel by
encrypting the data. This solution provides hot onsite
failover and defends against a hack attempt by protecting
at the network layer.
Deploy Secure Backup
Data Security Concern: Electronic archival to a remote
tape storage site offers advantages over physically moving
data ranging from guarantee of data delivery and faster
data recovery to the ability to eliminate tape loss. But it
also exposes the data as it travels over the network.
Solution: Security Gateways are high-speed encryption
appliances that can protect the backup data as it travels
between storage sites. A protected continuous backup
scheme offers cost savings over secure nightly tape
backups and guarantees data is there when you need it.
Protect Storage Management Ports
Data Security Concern: If the storage management port
is hacked or breached, the hacker gains full control over
the storage system and can move data off disk.
Solution: Security management application can secure the
management system by isolating the storage management
network and creating a protected virtual network over the
network (a secure management zone).
2. Protecting Data Over Third-Party Networks
Shared network services are being introduced around the world because of the cost savings that can be
delivered versus private line services. However, these network services are using a shared infrastructure. Your
data and applications are running over the same wire as that of many others, potentially including a competitor
or a bad guy who is interested in compromising your network and stealing your data. Since network devices
such as Cisco IOS-based routers are now targets themselves, someone could mirror a data stream and copy your data
without you ever knowing that a compromise took place. A customer of ours reported that their network
service provider, a good partner, informed them that a copy of their data was sent somewhere else. It was
probably an accidental misconfiguration during maintenance or other operations, but regardless, they didn't
know where the data ultimately went. In the end, it may have been an undetected breach.
Protect Data Over Private Line Services
Data Security Concern: Companies are using third-party
private line services to link remote locations. Not only are
the lines unprotected and out of one's control, but
accidental misconfiguration or compromise of network
devices at the service provider could lead to inadvertent
data loss.
Solution: Security Gateways and Ethernet Security
Gateways can secure IP and Ethernet services over third-party
networks.
Protect Data Over Mesh Network Services
Data Security Concern: Companies are using mesh
network services, but these suffer from the same security
concerns as private line services.
Solution: High-speed low-latency encryption at each
customer edge secures the data as it travels over the mesh
network. Plus, centralized and automated policy and key
management will lower the TCO of the encrypted
solution.
Secure the LAN From Any MAN/WAN Threat
Data Security Concern: MANs or WANs that connect
remote locations are potential entryways for hackers to
access a corporate network and steal data.
Solution: A deterministic firewall that rejects
unauthorized packets from the MAN/WAN can secure it
from unwanted access. A stateless firewall can isolate
traffic between LANs.
3. Securing Sensitive Virtual Networks
An enterprise network is essentially a network of networks. Most of these networks are now impacted by either
privacy rules or compliance regulations. A virtual network is one that connects a group of employees and
applications. In order to use the LAN or WAN for connectivity, we are seeing companies use cryptographic
segmentation to enforce security between groups of users. This way sensitive information can be sent securely
over corporate networks, and even individual users can be tied into the network segmentation via secure client
access.
Secure Network Inside the Network
Data Security Concern: Virtual network technology
provides data separation, but it doesn't secure the data as
it travels over the network. Unauthorized insiders or
outsiders may exploit OS or application vulnerabilities to
compromise a system and steal sensitive information until
detected.
Solution: Use encryption technology to both separate and
secure data on the network, providing secure virtual
network between LANs.
Secure Network of Individual Users
Data Security Concern: Likewise, if virtual network
technology provides data separation only, a sensitive
virtual network that connects roaming individual users can
be compromised and data can be stolen.
Solution: Extend the encryption-based LAN zoning
architecture via client access to provide secure virtual
network communication between individual users.
Secure Sensitive Networks From LAN Threats
Data Security Concern: An unauthorized insider may
gain access from inside the network to a sensitive private
network, leading to violation of privacy regulations or
identity theft.
Solution: Secure the sensitive virtual network with a
deterministic firewall feature that rejects unauthorized
packets from within the LAN. The secure LAN zone thus
created is not discoverable.
4. Protecting Wireless End-to-End
Wireless networks are becoming mission critical. We hear three key issues from our customers:
- Where do we decrypt the data flow? We usually have one access point in a less secure
location.
- How do we establish and elevate all of our networks to a common, best in class, security
standard?
- How do we make our wireless security transparent to up-and-coming wireless solutions such
as metro WLANs and WiMAX?
Protect Point-to-Point Wireless
Data Security Concern: Point-to-point wireless
connections offer lower costs as a result of carrier toll
bypass, but data sent over the air is exposed and can be
stolen by a sniffing attack.
Solution: The point-to-point wireless channel can be
secured with high-speed IPSec or Ethernet encryption.
Protect End-to-End WLAN Traffic
Data Security Concern: While 802.11 wireless network
traffic is encrypted over the air (where link-layer
encryption such as WPA is enabled at all), it is decrypted
at the access point and travels unprotected from there.
Even one exposed access point can give a hacker an
unsecured link for an intrusion.
Solution: Using client access and security gateways, IPSec
protection can provide protection end-to-end, from the
client to a secure location or application.
Secure the LAN From Any WLAN Threats
Data Security Concern: Anyone with access to the
WLAN could exploit vulnerabilities to gain unauthorized
access to other sensitive locations.
Solution: A deterministic firewall can keep out
unauthorized traffic from the WLAN. A stateless firewall
isolates traffic from LAN to LAN.
Three-Step Deployment Roadmap
At this point we've described what to protect and where to protect. Now let's look at what makes sense from
an implementation point of view. It is important to focus on what can be done easily while providing the
greatest return on the time and resource investment. Here is a three-step methodology that many enterprises
are using to deploy an enterprise-wide data protection solution:
- Address primary network security threats by deploying IPSec encryption.
IPSec is the most flexible and secure data protection technology and the best place to start.
- Expand and extend data protection to Ethernet encryption and client access.
IPSec appliances can protect vast amounts of data, but they may not work in all situations.
Ethernet encryption and client access are the next natural steps in data protection. They cover
data transported over non-IP protocols, single users needing access to a cryptographically
segmented LAN, and wireless links.
- Scale to enterprise-wide data protection by solving the manageability problem.
As data protection solutions are deployed in the four areas discussed above, and as the number
of keys and devices start to grow, key and policy management needs to be automated
through specialized software tools.
These important steps can be taken today to secure the most critical vulnerabilities and lay the foundation for a
data protection architecture. Specifically, the following are implementation items for each step.
Step 1: Address Primary Network Security Threats
The goal with the first step is to deploy an architecture that is scalable and flexible enough to address the four
key areas that need data protection:
- Protecting Data Storage: In order to protect storage data, deploy IPSec protection for
SAN extension and data replication over IP channels. IPSec is the standard security
mechanism for the block-based IP storage protocols used in SAN extension and data
replication (RFC 3723 specifies it for iSCSI, iFCP and FCIP), and IPSec-based appliances
are transparent to the storage protocol itself.
- Protecting Data Over Third-Party Networks: Companies need to take advantage of new
lower-cost metro services. These services are essentially shared infrastructures and the data
traveling over the shared network needs to be protected. Deploying an IPSec solution
provides cryptographic segmentation that keeps the good guys in and the bad guys out.
- Securing Sensitive Networks: There are many areas in the business where sensitive data
crosses the internal, but relatively accessible, LAN. Deploy IP Zones to protect group-to-group
network communication through cryptographic segmentation.
- Protecting Wireless End-to-End: Point-to-point wireless for LAN extension is great for
toll bypass or as backup network connections. Using IPSec to protect point-to-point wireless
is an essential tool.
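The cryptographic segmentation described under "Securing Sensitive Virtual Networks" above (the secure network inside the network and the deterministic firewall that rejects unauthorized packets from within the LAN) and the IP Zones item in this step both come down to one mechanism: a per-packet policy lookup that returns encrypt, pass or drop, with drop as the default. The Go program below is an added example written for this page, not CipherOptics' code or a description of its products. It models that lookup after the IPsec Security Policy Database of RFC 4301 (PROTECT, BYPASS, DISCARD); the zone addresses, the iSCSI replication rule and the DNS bypass are constructed for the demo.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is what the zone gateway does with a packet. The three values mirror
// the IPsec Security Policy Database of RFC 4301: PROTECT (encrypt and
// authenticate), BYPASS (forward in the clear) and DISCARD (drop silently).
type Action int

const (
	Discard Action = iota
	Bypass
	Protect
)

func (a Action) String() string { return [...]string{"DISCARD", "BYPASS", "PROTECT"}[a] }

// Rule is one policy entry: traffic selectors plus an action.
// Proto 0 matches any IP protocol; DstPort 0 matches any port.
type Rule struct {
	Name     string
	Src, Dst netip.Prefix
	Proto    uint8
	DstPort  uint16
	Action   Action
}

// Packet holds the selector fields the gateway looks at. It never inspects
// application payload, which is what keeps the decision deterministic.
type Packet struct {
	Src, Dst netip.Addr
	Proto    uint8
	DstPort  uint16
}

// Evaluate returns the first rule that matches, in order. Anything that matches
// no rule is DISCARDed: unknown hosts cannot even elicit a reset or an ICMP
// error, so the zone cannot be enumerated by scanning from outside it.
func Evaluate(rules []Rule, p Packet) (string, Action) {
	for _, r := range rules {
		if r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst) &&
			(r.Proto == 0 || r.Proto == p.Proto) &&
			(r.DstPort == 0 || r.DstPort == p.DstPort) {
			return r.Name, r.Action
		}
	}
	return "implicit-default", Discard
}

// ZonePolicy is a constructed policy for a "finance" zone made of two LAN
// segments plus an off-site replication target. All addresses are assumed.
func ZonePolicy() []Rule {
	p := netip.MustParsePrefix
	return []Rule{
		// Traffic between the two finance segments is encrypted in both directions.
		{Name: "finance-zone", Src: p("10.10.0.0/24"), Dst: p("10.20.0.0/24"), Action: Protect},
		{Name: "finance-zone", Src: p("10.20.0.0/24"), Dst: p("10.10.0.0/24"), Action: Protect},
		// iSCSI (TCP/3260) replication to the remote storage array is encrypted too.
		{Name: "san-replication", Src: p("10.10.0.0/24"), Dst: p("192.0.2.0/24"), Proto: 6, DstPort: 3260, Action: Protect},
		// DNS to the corporate resolver is allowed in the clear; nothing else is.
		{Name: "dns-bypass", Src: p("10.10.0.0/24"), Dst: p("10.0.0.53/32"), Proto: 17, DstPort: 53, Action: Bypass},
	}
}

// Classify is a string-based front end to Evaluate for the demo and tests.
// Unparseable addresses are treated like any other unknown traffic: DISCARD.
func Classify(rules []Rule, src, dst string, proto uint8, dstPort uint16) string {
	s, err1 := netip.ParseAddr(src)
	d, err2 := netip.ParseAddr(dst)
	if err1 != nil || err2 != nil {
		return Discard.String()
	}
	_, a := Evaluate(rules, Packet{Src: s, Dst: d, Proto: proto, DstPort: dstPort})
	return a.String()
}

func main() {
	rules := ZonePolicy()
	samples := []struct {
		src, dst string
		proto    uint8
		port     uint16
		note     string
	}{
		{"10.10.0.5", "10.20.0.9", 6, 445, "file share between the two finance segments"},
		{"10.10.0.5", "192.0.2.10", 6, 3260, "iSCSI replication to the remote array"},
		{"10.10.0.5", "10.0.0.53", 17, 53, "DNS lookup"},
		{"10.30.0.7", "10.20.0.9", 6, 445, "HR host reaching into the finance zone"},
		{"10.30.0.7", "10.20.0.9", 1, 0, "ICMP probe from outside the zone"},
	}
	for _, s := range samples {
		fmt.Printf("%-11s -> %-11s proto %-2d port %-5d %-8s %s\n",
			s.src, s.dst, s.proto, s.port, Classify(rules, s.src, s.dst, s.proto, s.port), s.note)
	}
}
```

The last two sample packets, an HR host and an ICMP probe, both come back DISCARD: nothing leaves the gateway for them, which is what makes the zone hard to discover from the rest of the LAN. First match wins, so keep bypass entries as narrow as the example's single-host DNS rule and review the list whenever a segment is added; a broad bypass above a protect rule silently turns encryption off for that traffic.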
Step 2: Expand and Extend Data Protection
Once the low-hanging fruit has been harvested, with data protection deployed in the right places, the next step
is to add different types of data protection solutions to extend what has already been done.
- Protecting Data Over Third-Party Networks: Many enterprise networks also carry non-IP
protocols such as SNA, AppleTalk and others. For these networks, using Layer 2 protection may
be a better solution to secure 100 percent of the data. Deploying Ethernet encryption in these
scenarios provides flexibility and enables the network to support all business needs.
- Securing Sensitive Virtual Networks: Securing LAN segments is a great first step to protect
data as it traverses the enterprise environment, but there are many instances where a member
of the group is located offsite. Secure client access, which is different from remote access,
provides companies with the ability to connect roaming or mobile users and also protect their
data as if they were within the cryptographically segmented LAN. Client access is optimized for
applications that require high bandwidth and minimal latency impact for application access.
- Protecting Wireless End-to-End: As companies expand their wireless network, they have two
issues to consider. First, where should the data be decrypted? Second, how can a single security
policy be applied across all of the various wireless connections, such as the different versions of
802.11, 802.16, metro wireless Ethernet, or even cell-phone data access? The best practice for
protecting additional wireless networks end-to-end involves overlaying a security solution over
the wireless network that terminates encryption at the right place.
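The first item in this step, Layer 2 encryption for non-IP protocols, is worth seeing at the byte level. The Go program below is an added example written for this page; it is not CipherOptics' Ethernet encryption and not the MACsec standard, though it follows the same pattern MACsec uses: AES-GCM over the payload, with the Ethernet header left in the clear and bound as associated data. The key, MAC addresses and AppleTalk payload are constructed, and using the IEEE local experimental EtherType 0x88B5 to mark the protected frame is an assumption of the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	hdrLen   = 14 // dst MAC (6) + src MAC (6) + EtherType (2)
	nonceLen = 12 // standard AES-GCM nonce size
	// EtherType carried by the protected frame. 0x88B5 is the IEEE 802 "local
	// experimental" EtherType; using it here is an assumption for the demo.
	etherTypeProtected = 0x88B5
)

// Frame is a minimal Ethernet II frame. The payload can be any EtherType,
// IP or not; the encryptor never parses it.
type Frame struct {
	Dst, Src  [6]byte
	EtherType uint16
	Payload   []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor turns a per-key packet number into a GCM nonce. A packet number
// must never be reused under the same key; rekey before the counter wraps.
func nonceFor(pn uint64) []byte {
	n := make([]byte, nonceLen)
	binary.BigEndian.PutUint64(n[4:], pn)
	return n
}

// Protect encrypts the original EtherType and payload with AES-GCM and emits
// [dst][src][0x88B5][nonce][ciphertext||tag]. The clear header is bound as
// associated data, so a frame cannot be re-addressed without failing the tag.
// The MAC addresses stay visible because switches need them to forward the
// frame: Layer 2 encryption hides what is sent, not who talks to whom.
func Protect(key []byte, pn uint64, f Frame) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen)
	copy(hdr[0:6], f.Dst[:])
	copy(hdr[6:12], f.Src[:])
	binary.BigEndian.PutUint16(hdr[12:], etherTypeProtected)

	plain := make([]byte, 2+len(f.Payload))
	binary.BigEndian.PutUint16(plain, f.EtherType)
	copy(plain[2:], f.Payload)

	nonce := nonceFor(pn)
	wire := append(append([]byte{}, hdr...), nonce...)
	return aead.Seal(wire, nonce, plain, hdr), nil
}

// Unprotect reverses Protect. Any change to header, nonce or ciphertext, or
// decryption with the wrong key, fails authentication and yields no payload.
func Unprotect(key []byte, wire []byte) (Frame, error) {
	if len(wire) < hdrLen+nonceLen+16 {
		return Frame{}, errors.New("frame too short")
	}
	if binary.BigEndian.Uint16(wire[12:14]) != etherTypeProtected {
		return Frame{}, errors.New("not a protected frame")
	}
	aead, err := newGCM(key)
	if err != nil {
		return Frame{}, err
	}
	hdr, nonce, body := wire[:hdrLen], wire[hdrLen:hdrLen+nonceLen], wire[hdrLen+nonceLen:]
	plain, err := aead.Open(nil, nonce, body, hdr)
	if err != nil {
		return Frame{}, err // tag mismatch: drop the frame
	}
	if len(plain) < 2 {
		return Frame{}, errors.New("missing inner EtherType")
	}
	var f Frame
	copy(f.Dst[:], hdr[0:6])
	copy(f.Src[:], hdr[6:12])
	f.EtherType = binary.BigEndian.Uint16(plain[:2])
	f.Payload = plain[2:]
	return f, nil
}

// Exposed reports whether the original payload appears verbatim on the wire.
func Exposed(wire, payload []byte) bool { return bytes.Contains(wire, payload) }

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; never hard-code a real one
	f := Frame{
		Dst:       [6]byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x02},
		Src:       [6]byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x01},
		EtherType: 0x809B, // AppleTalk (EtherTalk), a non-IP protocol
		Payload:   []byte("constructed AppleTalk datagram"),
	}
	wire, err := Protect(key, 1, f)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %x\n", wire)
	fmt.Println("payload readable by a sniffer:", Exposed(wire, f.Payload))
	back, err := Unprotect(key, wire)
	fmt.Printf("decrypted: type 0x%04X %q err=%v\n", back.EtherType, back.Payload, err)
	wire[0] ^= 0x01 // an attacker re-addresses the frame to another MAC
	_, err = Unprotect(key, wire)
	fmt.Println("re-addressed frame accepted:", err == nil)
}
```

Two points a practitioner should take from it. The destination and source MACs stay readable on the wire, so Layer 2 encryption protects content but not the communication pattern; if who-talks-to-whom is itself sensitive, that needs a different control. And a re-addressed or bit-flipped frame fails the tag and is dropped, which is the behaviour you want from a Layer 2 encryptor: no garbage is ever handed up to SNA or AppleTalk.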
Step 3: Scale to Enterprise-Wide Data Protection
As security teams deploy data protection solutions, two key trends impact how these solutions will be rolled
out in the next few years. First, as the number of installations for encryption solutions increase, key
management becomes an issue. Many industry experts estimate the cost of managing security solutions at five
to ten times the acquisition cost. Lowering complexity, automating key management and using policy tools
to distribute and configure settings therefore become essential. Second, as encryption becomes a part of everyone's
devices, how will a company centrally manage the keys for all points where encryption and security policies are
enforced? As enterprise customers look to leverage embedded encryption, the key and policy management
issue becomes the barrier to scaling the solution to where it needs to be.
Thus, the third step is to plan for and deploy an enterprise-wide data protection architecture. Scaling of
encryption solutions throughout the enterprise will make the proactive management of policies and keys the
true enterprise requirement, especially as encryption increasingly becomes embedded in most devices. This
means that the solution must be a tool that can assist with change-management operations, configuration and
deployment of data protection solutions, plus monitoring and break-fix management. It must also possess the
ability to meet availability requirements.
The diagram below (Figure 4) describes CipherOptics' Policy & Key Management Architecture (PKMA),
which makes enterprise-wide security and encryption both scalable and manageable. At the top of the model
lies the Management and Authentication Point, a policy-based tool for managing access correlation and
encryption policies. This tool can be used to manage large numbers of encryption points, provide policies and
fulfill the other requirements for management of data protection solutions.
As shown below, a key and policy distribution system (Key Authority Point) is required to enable IPSec,
Ethernet encryption and client access to scale across the enterprise, integrate into embedded encryption
solutions, and not break the network. The combination of the Management and Authentication Point and the
Key Authority Point eliminates all of the barriers to deploying an enterprise-wide data protection solution.
Compliance-Grade™ Data Protection Solutions
Compliance and privacy regulations are driving data protection requirements, which will soon be mandatory
everywhere. In order to start protecting data across the enterprise, the first step is to identify what types of
breaches and data theft you are trying to defend against. Since most data theft occurs via the network, where
hackers can hide and steal data over time, the best place to start is to protect data at the network level. The
second step is to identify the types of vulnerabilities that are being exploited and outline defenses against them.
Since today's network perimeter is difficult to define, a defense-in-depth architecture is warranted, especially to
protect the business against intrusions that firewalls and other products cannot prevent.
Once the threats and vulnerabilities to your business are understood, it is time to plan for a world in which
encryption is ubiquitous. Since complete encryption coverage cannot be rolled out overnight, start today by
deploying encryption where it makes sense and has the greatest impact on the business. Specifically, protecting
data storage, protecting data over 3rd party networks, securing sensitive virtual networks and protecting wireless
end-to-end are key project areas that many security teams are deploying today.
Of course, the very first place to start is to deploy IPSec wherever it can be used. Once IPSec has been
implemented, then extend protection with Ethernet encryption for non-IP protocols and client access for
single-user access.
Overall, it is essential that every organization work through a strategy, security standard and execution plan to
protect its data. To that end, this white paper has described twelve different proven solutions to real security
problems and has provided a roadmap to grow to enterprise-wide data protection over time that you can use to
defend your business.
About CipherOptics
CipherOptics is the leading innovator of Compliance-Grade™ network security solutions, providing
transparent security overlays that solve the fundamental problems of scalable data protection. Trusted by the
most security conscious enterprises and government agencies in the world, CipherOptics provides a Safe
Passage™ for data in motion with the lowest installation, management and operational costs.