Are you sure your data centre is really as secure as you think it is?

Data centres are only as secure as the connectivity that links them up to a network. They can otherwise be prone to cyber-attacks or information security breaches, which can have catastrophic consequences for any organisations that wish to transmit data and backup data between their own data centres. With network latency being an issue that needs to be addressed, the transmission to and from data centres or to the outside world could increase the risks associated with these threats.

According to Clive Longbottom – renowned analyst and Client Services Director at Quocirca, latency can lead to lost transactions whenever there is a failure in the connectivity, application or platform. High latency levels also make it impossible to make real-time IT use such as voice or video transmissions, but he thinks that latency is only one part of the equation. There are also complex network, application and hardware mix considerations to bear in mind.

“Latency has two effects on security in data centres: the first issue is about how closely you can keep your data centres in synchronicity with each other, and when you are transmitting data you have got to have security keys”, explains David Trossell – CEO of Bridgeworks. So whether you are putting data into the cloud or into a multi-tenanted data centre, it’s crucial to be secure. In other words no unauthorised person should have the ability to pry into the data itself.

Encrypt data

So underlying the protection of the data centre from an information security perspective is the need for enterprises to encrypt data whenever it is uploaded to the cloud or transmitted between data centres for the purposes of back-up and retrieval. The encryption needs to occur while the data is at rest, when it isn’t being sent across a network. It’s also worth noting that the most secure encrypted data only has one person who holds the keys to it.

“An AS 256 key offers the strongest encryption, but the problem is that a strong security key takes up more computing power and yet with encrypted data you shouldn’t be able to perform any de-duplication which looks for repeated patterns in the data”, says Trossell. To improve the ability to quickly transmit data most organisations would traditionally opt for a wide area network (WAN) optimisation tool, where the encryption process occurs while the data is in transit using IPSEC.

Encrypting the data at rest means that it’s more secure. For traditional WAN optimisation,the keys would have to be offered to the WAN optimisation engine in order to decrypt it, de-duplicate it and before using internet security protocol IPsec across the wide area network. The traditional WAN optimisation engine would then need to strip off IPsec, and this would then permit the re-encryption of the data. This means that you now have two security keys in a couple of places – this can be the biggest security risk.

“For the highest levels of security, data should be encrypted before it hits storage”, says Longbottom. He adds: “This requires full stream, speed capable encryption and yet this is often not feasible.” He says the next level there is about storing and then encrypting, and it requires deleting the unencrypted version afterwards: “This is encryption at rest and on the move, but too many organisations just go for encryption on the move, and so if someone can get to the storage media, then all of the information is there for them to access it and what is typically overlooked is key management.”

Mind your keys

“If you lose the keys completely, no-one should be able to get at the information – even yourself; and if they are compromised, you at least have control over them as long as you are aware that you can do something about it”, he explains. However, if the keys are held by a third party, then he says it becomes a richer target for hackers, “as it will likely hold the keys for a group of companies rather than just one, and the speed of response from noticing the breach to notification to the customer to action begin taken could be a lot longer.”

The trouble is that the data is traditionally often not secure when it is encrypted while in transit across the network. “The issue here is that if you have a high speed WAN link, then this will inhibit the movement of data and then you are not fulfilling your WAN optimisation”, comments Trossell. His colleague Claire Buchanan, CCO at Bridgeworks adds: “You are impacting on your recovery time objective (RTO) and on your recovery point objective (RPO).” The RPO is the last point of when the data was backed up, and the RTO is how quickly the data can be retrieved and put back to work.

Gain control

“With encryption at rest the corporate is in full control and it is the sole owner of the key, but normally WAN optimisation tools simply pass the data through with no acceleration and in order to provide some level of security, traditional WAN optimisation tools provide an IPsec layer – but this is not anywhere close to the levels of security that many corporations require”, she explains.

To gain control she thinks that organisations need a new solution. In her view that solution is self-configuring and optimised networks (SCIONs), which provide a high level of security and enable organisations to significantly reduce latency. They use machine intelligence to become not only self-configuring, but to also self-manage and self-monitor any kind of network – particularly WANs. This enables any kind of transition to cloud-based infrastructures easier to achieve while providing a secure way for organisations to maximise the utilisation of their infrastructure by up to 98%. SCIONs reduce the effects of latency too, going well beyond transactional flow processing and steady state infrastructures.

Security used to be quite light in terms of security compliance, but a number of new threats have arisen and they weren’t as high as they are now. “You have the internal problems, such as the one represented by Snowden, and with more powerful machines the lower encryption of 128 bit is far easier to crack than something with 256 bit encryption which adds layers of complexity.” Trossell claims that nowadays there are more disgruntled employees than ever – and Wikileaks is an example of it, but the employees have to have the keys before they can access the encryption.

Longbottom adds that it wasn’t long ago that 40 bit encryption was seen as being sufficient. It required a low level of computing resources and in most cases it was adequately hard to break. Increased resource availability made it easier to break within a matter of minutes. “Therefore the move has been to 256 bit – AES, 3DES, BloFISH and so on”, he says before adding that cloud computing provides a means for hackers to apply brute strength to try and break the keys.

The solution is to keep the keys on site, and to limit the number of people who have access to them.  By doing this the data and therefore the data centres remain secure.  “Previously organisations have had no choice, but to simply move the encrypted data at a slow speed, and with traditional WAN optimisation it simply passes the data along the pipe without any acceleration”, says Buchanan. Corporations still think it’s the only way to go, but not anymore. Encryption is often needed to ensure that the data is secure whenever there is a need to transmit data between data centres or to the cloud without compromising on speed or security.

Speed with security

Buchanan adds that WANrockIT – the market leader in SCION solutions – can help organisations to improve the speed and security of this process: “With WANrockIT your encryption is just another block of data to us, accelerated just like any other data without it being touched – plus, if you are using encrypted data, the software has the ability to put IPsec on top so that you effectively get double encryption.”

One anonymous Bridgeworks’ customer, for example, tried to transfer a 32GB video file over a 500MB satellite link with 600ms of latency, and it took 20 hours to complete. With WANrockIT installed in just 11 minutes, the process only took 10 minutes to complete. Another customer could only do incremental back-ups of 50GBs rather than being able to do nightly back-ups of 430GBs – again the issue was latency at 86ms. It took 12 hours on their OC12 pipes, but when WANrockIT was installed the 50GBs back-ups were securely completed within 45 minutes. This allowed the full nightly back-ups to complete, and so the organisation could rest in the knowledge that its data was secure.

The security of an organisation’s data centre is therefore as much about its data as it is about how it prevents hacking and unplanned incidents that could prevent it from operating. Leaving a data centre without the ability to quickly and securely back-up inherently means that it’s insecure by nature as it won’t be able to respond whenever a disaster occurs.

So if your data centre is over reliant on sending sensitive data across a network without securing it at rest – before it is transmitted to another data centre or to the cloud, then it is potentially putting itself at risk. With data loss and downtime costing the UK £10.5bn a year, according to the EMC Global Data Protection Index, is it worth the risk? To protect your data centre and to speed up data transfers, use a SCION solution such as WANrockIT that does it quickly and securely.