Data centers are the back-up and recovery point for an organization's critical data. They are therefore also the most attractive target for wholesale theft of the organization's intangible assets.
IDQ encryption products protect high-speed data in transit, at rates up to 100 Gbps, on the links to the DRC. The solutions are designed to keep that data secure into the quantum era without reducing the availability or redundancy that data center back-up requires. Multi-tenancy and managed service provider models are also supported.
IDQ's solutions are also used to improve the quality of encryption for data at rest and to secure access to remote desktop applications.
In a world where data assets are often more valuable than physical assets, private enterprises and governments are required to back up their most critical information and to ensure data availability for business continuity. CIOs/CISOs are charged with protecting growing volumes of data at rest in remote data centers, as well as the large flows of sensitive information in transit to the data center, while still ensuring high availability and easy access.
To guard against data loss, an enterprise's digital assets are backed up to a remote data center or DRC. For an attacker after financial information or intellectual property, this makes the data center interconnect (DCI) an unusually rewarding target: sooner or later every piece of information passes along a small number of back-up paths. Many organizations used to rely on dedicated optical fibers in private networks in the mistaken belief that this protected their data. Private fiber can be tapped and its traffic intercepted like any other link, and the only effective protection for data in transit is encryption.
The challenge is to protect this data in transit without slowing real-time back-ups and without adding latency to a Fibre Channel fabric, which is sensitive to it. IDQ's Centauris encryptors let organizations encrypt high-throughput traffic, up to 100 Gbps, to data recovery centers without impacting performance. Easy installation and “set & forget” operation mean the encryption places no additional burden on the network team, and the encryptors' transparency to the network means that high-availability architectures and network availability are not affected. State-of-the-art security features meet the most stringent regulatory requirements and uphold best security practice within the data center.
Multi-tenancy in some of the encryptors (e.g. the CN8000 multilink encryptor) opens new revenue streams for managed service providers offering managed encryption to enterprises, while lowering costs for those enterprises. Because the encryption keys are managed and held by the enterprise rather than the provider, ownership of the data always remains with the enterprise.
The CN8000 multilink encryptor also lets organizations with multiple links running different protocols deploy encryption at scale very cost-effectively, allowing CIOs/CISOs to significantly reduce their data risk within a limited budget.
Ironically, while the data stored inside data centers is highly valuable, the methods used to protect that data at rest, or to control access to it, are often very weak or intermittent at best.
Remote user access to information stored in the data center is commonly secured with VPN connections whose encryption is provided by OpenSSL. The encryption gives confidentiality, and certificates are issued to authenticate the parties so that a man-in-the-middle cannot insert itself into the connection. Every one of these cryptographic functions, key generation above all, needs a good source of randomness if the security is to hold. Yet randomness in a data center is notoriously poor: servers are isolated from the outside world, headless and often virtualized, so there is no natural or plentiful source of entropy, and it is scarcest immediately after boot, precisely when many systems generate their long-lived keys. These weaknesses are serious and are documented extensively in IDQ's article on weak keys.
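The failure mode behind the weak-keys article is easy to reproduce. The following is an added example, not code from this page or from IDQ: it models a fleet of hosts generating RSA keys from a PRNG seeded with too little entropy at boot, then shows that a plain gcd over the public moduli recovers the private primes. The seed values, the 128-bit key size and the fleet itself are constructed for the demonstration; the arithmetic is the same at 2048 bits.

```python
"""Why scarce entropy at key-generation time is fatal for RSA.

Added example, not IDQ code. It models the "boot-time entropy hole": a host
draws its first prime p from a PRNG seeded with the few bits of entropy it has
at boot, then mixes in more entropy before drawing q. Two hosts that booted
into the same weak state share p, and anyone holding both public moduli
recovers p with a single gcd. Key sizes are tiny (128-bit moduli) so it runs
in well under a second; the arithmetic is identical at 2048 bits.
"""
import math
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, ample for 64-bit primes."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random prime of exactly `bits` bits drawn from the supplied generator."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def weak_rsa_modulus(boot_seed: int, later_entropy: int, bits: int = 128) -> int:
    """RSA modulus from a host whose PRNG state at boot is fully determined by `boot_seed`.

    p depends only on boot_seed (the weak state); q is drawn after `later_entropy`
    has been mixed in. Both seeds are constructed inputs for the demonstration.
    """
    p = gen_prime(bits // 2, random.Random(boot_seed))
    q = gen_prime(bits // 2, random.Random((boot_seed << 64) | later_entropy))
    while q == p:
        q = gen_prime(bits // 2, random.Random(q))
    return p * q


def strong_rsa_modulus(bits: int = 128) -> int:
    """Same construction, but both primes come from the OS CSPRNG (os.urandom)."""
    rng = random.SystemRandom()
    p = gen_prime(bits // 2, rng)
    q = gen_prime(bits // 2, rng)
    while q == p:
        q = gen_prime(bits // 2, rng)
    return p * q


def find_shared_factors(moduli: list[int]) -> tuple[dict[int, tuple[int, int]], set[int]]:
    """Pairwise gcd over a fleet's public moduli.

    Returns (factored, duplicates): factored maps each broken modulus to its
    (p, q); duplicates holds moduli that appear more than once (identical keys
    on different hosts, the other symptom of the same entropy failure). For
    real fleets use Bernstein's batch gcd instead of this O(n^2) loop; the
    result is the same.
    """
    factored: dict[int, tuple[int, int]] = {}
    duplicates: set[int] = set()
    for i, n1 in enumerate(moduli):
        for n2 in moduli[i + 1:]:
            if n1 == n2:
                duplicates.add(n1)
                continue
            g = math.gcd(n1, n2)
            if 1 < g < n1:
                factored[n1] = tuple(sorted((g, n1 // g)))
                factored[n2] = tuple(sorted((g, n2 // g)))
    return factored, duplicates


if __name__ == "__main__":
    # Constructed fleet: hosts A and B booted into the same weak state (seed 7),
    # host C into a different one, host D used a properly seeded CSPRNG.
    fleet = [weak_rsa_modulus(7, 1001), weak_rsa_modulus(7, 2002),
             weak_rsa_modulus(8, 3003), strong_rsa_modulus()]
    broken, dupes = find_shared_factors(fleet)
    for n in fleet:
        status = f"FACTORED p={broken[n][0]} q={broken[n][1]}" if n in broken else "ok"
        print(f"{n:#034x}  {status}")
```

The attacker needs nothing but the public keys: no traffic, no access to the hosts. That is why the quality of the entropy at the moment a VPN endpoint or certificate key is generated matters more than the strength of the cipher that key later protects.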
To obtain a high-quality source of entropy, many data center operators install IDQ's Quantis Appliance. It provides distributed entropy-as-a-service to applications in the data center, from VPN endpoints to encrypted virtual machines. Unlike software-based randomness generation, the Quantis Appliance scales: additional devices are added when more randomness is needed, without lowering the quality of the overall entropy, and it is certified to the highest levels. It ships with software that feeds entropy automatically into the Linux kernel entropy pool without affecting the software's FIPS certification. The appliance can be installed into running data center applications without powering down or rebooting systems.
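What "feeding entropy into the kernel" amounts to, as an added example rather than IDQ's feeder software: the Linux kernel accepts external randomness through the RNDADDENTROPY ioctl on /dev/random, which mixes the supplied bytes into the pool and credits an entropy estimate for them. The example reads the kernel's estimate from /proc/sys/kernel/random/entropy_avail, builds the struct rand_pool_info payload, and issues the ioctl. os.urandom stands in for the hardware source (crediting the kernel's own output back to it would be meaningless in production), and the ioctl requires CAP_SYS_ADMIN, so the call reports False rather than crediting anything when run unprivileged.

```python
"""Crediting entropy from an external source to the Linux kernel pool.

Added example, not IDQ's feeder software. RNDADDENTROPY is the mechanism any
such feeder (rngd included) uses: it mixes bytes into the pool and credits an
entropy estimate, which only privileged processes may do.
"""
import fcntl
import os
import struct

RNDADDENTROPY = 0x40085203  # _IOW('R', 0x03, int[2]); see <linux/random.h>
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def pack_rand_pool_info(data: bytes, entropy_bits: int) -> bytes:
    """Build struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.

    entropy_count is in bits, buf_size in bytes, and the buffer must be a whole
    number of 32-bit words, so the payload is zero-padded up to the next word.
    Never credit more bits than the source actually delivered.
    """
    if entropy_bits < 0 or entropy_bits > 8 * len(data):
        raise ValueError("cannot credit more entropy than bits supplied")
    words = (len(data) + 3) // 4
    padded = data.ljust(words * 4, b"\0")
    return struct.pack("ii", entropy_bits, len(padded)) + padded


def entropy_avail() -> int:
    """Kernel's current estimate of pool entropy, in bits (0 if unreadable)."""
    try:
        with open(ENTROPY_AVAIL) as f:
            return int(f.read())
    except (OSError, ValueError):
        return 0


def add_entropy(data: bytes, entropy_bits: int, device: str = "/dev/random") -> bool:
    """Mix `data` into the pool and credit `entropy_bits`.

    Returns True on success, False when the device is unavailable or the caller
    lacks CAP_SYS_ADMIN (the kernel answers EPERM in that case).
    """
    payload = pack_rand_pool_info(data, entropy_bits)
    try:
        fd = os.open(device, os.O_WRONLY)
    except OSError:
        return False
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, payload)
        return True
    except OSError:
        return False
    finally:
        os.close(fd)


if __name__ == "__main__":
    before = entropy_avail()
    # Stand-in for 32 bytes read from a hardware RNG; credit no more than was supplied.
    ok = add_entropy(os.urandom(32), entropy_bits=256)
    print(f"entropy_avail before={before} after={entropy_avail()} credited={ok}")
```

Two caveats when reading the numbers. Since kernel 5.6, /dev/random no longer blocks once the pool has been initially seeded, and from 5.18 the pool is a 256-bit state, so entropy_avail sits at 256 on any seeded system and the before/after difference may be zero even when the credit succeeded. What an external feeder buys is a fully seeded pool as early as possible at boot, the window in which the weak-key problem above actually arises.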