Overview
A global bank was seeking to address its commitment to customer confidentiality, regulatory compliance and an increasing dependence upon real-time, big data applications.
The bank serviced an international clientele from a network of 30+ offices across 3 continents, all connected via an Ethernet WAN.
To meet its stated objectives, the bank needed to upgrade its network data encryption solution. Above all, it was looking for a high-performance solution that was easy to deploy and manage without “breaking the bank”.
Out with the old
The bank’s existing solution was a Layer 2 E1/T1 link. As the bank grew, the old system could no longer cope with the increased volume of data and was beginning to affect network performance.
While assessing alternative solutions, the bank investigated a Layer 3 IPSec solution. This was rejected due to the relatively high cost, complexity of installation and lower throughput.
IPSec encryption adds significant overhead to the data packets. In addition, because the routers fragment and reassemble the packets, there were technical issues with packet reassembly, resulting in higher latency.
In with the new
Working in partnership with its multinational telecommunications service provider, the bank evaluated several solutions before choosing Senetas certified high-assurance encryptors.
Senetas provides a range of Layer 2 Ethernet encryptors, operating at line speeds from 10Mbps to 10Gbps.
Given the high-performance and security credentials demanded by the financial services industry, it was determined that the CN8000 would be the best solution.
Senetas CN8000 multi-link encryptor
The CN8000 was designed and developed in partnership with Swiss Quantum-Cryptography experts, ID Quantique.
IDQ is the world leader in quantum-safe cryptography solutions, designed to provide long-term data protection in a post-quantum world.
IDQ provides a variety of quantum random number generators, quantum key generators and quantum key distribution solutions. Its clients include financial services, government and defence agencies worldwide.
Key benefits
Senetas CN8000 certified high-assurance encryptors were the solution of choice as they provide:
- Reliable, field-proven hardware
- Support for AES 256-bit encryption keys
- Support for all Layer 2 Ethernet network topologies
- Full duplex wire speed encryption up to 10Gbps
- Ultra-low latency (< 7.5 microseconds per appliance)
- A single GUI and management platform for multiple protocols
- Secure remote management and upgrade
In addition, the CN8000 series is certified as suitable for government and defence use by both FIPS and Common Criteria.
Deployment
Following a successful pilot project, the bank rolled out the encryption platform to their global WAN, incorporating over thirty branches on three continents.
Redundant multilink CN8000 devices were used for the hub at the bank’s head office, securing 10Gbps links.
Other high-assurance CN series encryptors were used to secure the end points in the WAN, depending on the bandwidth requirements and space available in the branch offices.
Initially, the branch locations opted for rate-limited encryptors, with bandwidths from 100Mbps to 1Gbps.
This enabled the bank to pay only for the bandwidth used, helping them to meet their Capex budget requirements.
However, it also provided the bank with the flexibility to upgrade the branches as bandwidth demands increase, without changing the hardware.
All Senetas CN Series encryptors are fully interoperable and share a common management platform.
Key benefits
High performance - Senetas CN8000 encryptors provide high-throughput encryption on the telco’s MPLS network, using 100% of the bandwidth with no packet loss in transport mode.
Low latency - The CN8000 provides the ultra-low latency necessary for real-time communication (under 7.5 microseconds per encryptor).
Multicast support - For VLAN-based multicast traffic, Senetas’ intelligent group key system utilizes one encryption key per secured connection. This means, for example, that the head office could securely video conference with branch A and branch C, without branch B being able to access the communication.
Certified secure - Senetas CN8000 encryptors are based on the leading 256-bit AES cipher in CTR/CFB mode and are certified by both FIPS and CC.
Scalable architecture - The CN8000 encryption platform provides both security and versatility in a point-to-multipoint architecture.
Senetas encryptors support different types of traffic across a range of applications, including unicast, multicast (finance information to traders, secure video conferencing) and broadcast (automated equipment info exchange).
Intelligent key management - The Intelligent Group Key system provides a higher level of security in case of partial network failure – essential for global banking operations in countries with variable SLAs.
Here, the keys are generated per secured connection and are renewed up to every 60 seconds, providing much greater resilience to common network problems.
In the event of a partial network outage or loss of connectivity between two network areas, the keys are still renewed and continue to function as required in each separate part of the remaining network.
Management - The CM7 graphic management platform user interface facilitates the everyday remote management of the network, the keys and the encryptors through a secure SNMPv3 connection.
The bank can monitor real-time status and configuration changes easily. Different levels of user rights within CM7 allow for separation of duty between the network and security teams, with mission critical functions reserved for the administrator role.
In addition, the topology of the network and the addition or deletion of encryptors can be managed while the encryptors are still functioning, either in manual or in auto discovery mode.