The data security silver bullet: high-assurance network encryption from Senetas
It would be both glib and wrong to say that network perimeter protection is ineffective, and therefore, companies and organisations need to do more to protect their data. Firewalls, hardened internet connections, intrusion detection systems and tightly screwed down defences are, and will remain, crucial parts of cyber security.
However, defences are just that: parts of cybersecurity. The most serious problems arise when those defences are compromised or breached. Cyber-criminals, cyber-terrorists, hackers and rogue states have one thing in common: expertise in finding ways through any defences. Breached data leads to loss of privacy, stolen identities, and intellectual property theft, and every one of those outcomes is catastrophic to some degree. There is only one solution that prevents unauthorised access to breached data – encryption. But, with encryption, the devil’s in the detail, and not all encryption solutions are the same.
There’s a difference between preventative and protective security technologies. No form of protection is infallible; that’s one of the reasons why bad actors, hackers, malware authors and other low-lifes are targeting the people in the organisation more than trying to penetrate its defences. Human fallibility ensures that some shots at goal will score, whether that shot is aimed at the marketing department intern who’s opening a bogus email, or a CTO whose team has left a copy of a customer database on a standard port with not even a password to hide its modesty.
Keeping a business’s data secure isn’t just a compliance issue; it affects every tier of the organisation, from the VP of PR with egg on their face, to the finance department that has just inadvertently published thousands of customer credit card details, to the marketing intern who suddenly has fewer career prospects. It also affects every stakeholder – from staff to suppliers to customers to shareholders.
If anyone doubts just how big a problem successful data breaches are, consider the fact that since 2013, 14 billion records have been lost after “successful” incidents!
If hackers will always find a way in, what can enterprises do to try and limit any damage? The answer is simple – ensure that the breached data is useless, garbled junk. That’s done by encrypting all data right across the organisation, from the most remote edge installation to the in-house backup archives. Encryption should also ideally be applied to data in motion across all networks as well as data at rest, wherever it may be stored.
And like many aspects of good cyber security policy, a good degree of education for staff and other stakeholders needs to be considered too: when sharing data, for example, unsafe practices like emailing files as attachments must be avoided, as should the use of insecure sharing and storage services.
But the complexities, network overheads and costs involved in encryption are astronomically high, right? In short, no; that’s a myth. There’s an Australian company that specialises in data encryption, and its high-assurance hardware devices (dedicated to encryption alone) simply work away in the background, with little or no need for management — that’s while protecting up to 100Gbits/sec on any network. And for the remote edge deployment, there’s a virtual software instance that can be hosted on a capable machine.
Senetas hardware encrypts data using standards-based AES-256 encryption, which ensures maximum effectiveness, but any new methods (4096-bit encryption, anyone?) can be dropped into the hardware, should the need arise. In standard cyber security settings, it’s common to have to take entire networks offline to patch security devices, and that’s become a big issue where patches get “queued up”, waiting for appropriate downtime.
Unlike that “standard” scenario, however, Senetas uses FPGA technology. In plain English, FPGA tech means greater security, maximum performance and the flexibility to make changes without necessarily shutting down networks.
Senetas describes its devices as possessing crypto-agility, which makes them ready for any future need for quantum-safe encryption, for example. Senetas customers don’t need to invest in new encryption products, just undertake in-field updates on the fly.
There’s virtually no network data overhead at all with the Senetas CN Series of hardware encryptors, and the devices are physically secure with tamper-proof/tamper-evident mechanisms built in. The state-of-the-art key management tech means encryption keys are only held “client-side”, so the end-to-end encryption the range offers isn’t susceptible to outside snooping. That’s maximum encryption security, and why Senetas customers include governments and defence organisations.
Remote and distributed
In the past, organisations faced three choices when it came to edge installations (branch offices, retail store chains, outposts, remote installations and the like). Firstly, they could invest big dollars in a dedicated MPLS leased line to keep data traffic private. Secondly, they could risk the public internet. The third option was to operate in (at least partial) isolation from the rest of the enterprise WAN, but that usually involved sending expensive staff out to the installation fairly regularly.
There’s now another option, which is to use Senetas hardware or software to connect the edge installation safely and securely via whatever connection is available: usually Ethernet, ADSL or similar. In situations where installing hardware isn’t viable or is inconvenient, there’s a software virtualised encryption option. The speed of the connection and any potential bottleneck may vary, depending on the host’s power and the connection bandwidth (obviously), but its security and compatibility mirror those of even the most capable Senetas CN 9000 Series 100Gbps encryptors. With devices on the network edge typically running on links of up to 1Gbps, this virtualised option provides ample headroom, operating at up to 5Gbps.
Unlike baked-in encryption that appears on many dual- or multi-purpose devices (router-plus-firewall-plus-encryptor), the Senetas range does one thing, and only one thing, but does it exceedingly well: the old UNIX adage. The platform works on OSI Layers 2, 3, and 4, and with both the control and data planes encrypted, the security levels are (literally) suitable for the FBI and government agencies (read into that what you will) all over the world.
Oh, and be careful out there.