What is network encryption?
Data can be at risk even when it is stored and shared internally within a single organization. Network encryption is the security applied to an organization’s network to protect and control this data internally.
Network layer encryption involves encrypting data as it is sent from one node, and decrypting it on arrival at another. When done correctly this approach plays a valuable role in the “defense in-depth” approach to security by adding a vital layer of encryption on data at the network layer.
How does network encryption work?
Network encryption operates at the network layer of the open systems interface (OSI) model. When a data packet is sent at the network layer from one node, one or more encryption algorithms is applied to it. When it arrives at its destination node it is then decrypted.
If Alice in Company A wants to move data from the product database to a marketing solution, she will send this over the local area network (LAN). The data is broken into packets and encrypted at source, then sent from its current node. It is then decrypted on arrival at the node hosting the marketing solution. This protects against attacks that are possible at the network layer.
If Alice is sending the same data from her network to Brian at Company B over email, network layer encryption will also play a role. Alice will open an email and add the data she wishes to share as an attachment. The data is encrypted at source in the product database of Company A and sent to the mail server, where it is decrypted and added as an attachment. From here it may be encrypted again using message-level encryption or when sent using Transport Layer Security (TLS), and decrypted by Brian upon arrival at Company B. (It’s important to ensure the right level of encryption and control applied to shared data as it leaves your company’s network.)
Consequently, network layer encryption plays a valuable role in ensuring security.
Why is network encryption important?
There are countless reasons why it is important to keep data secure. Valuable intellectual property needs to be protected from competitors and hostile governments; customers’ financial information must be kept safe; and sensitive personal data needs to be private to comply with regulation and ensure customers’ privacy is respected. Preventing breaches ensures a company does not create legal liability that opens them up to litigation that can be financially costly and harmful to their reputation. Data is a source of considerable value for companies but also a source of risk and needs to be treated as such.
A company’s sensitive data is moved around most frequently within its internal network. Even security-conscious users typically do not apply caution and discretion when moving data internally on a network, as most assume that if data can be safely stored on a network then it can be safely moved within it.
Protecting data effectively means implementing controls at every layer of the OSI model. Just as companies need to ensure that data they send over the internet is secured at the transport and session layers, they need to give similar protection to data moving within their networks. Cybercriminals obtaining limited access to network traffic should not be equivalent to handing over complete access to all of a company’s data.
To bolster this defense, network layer encryption protects against malicious activity that is possible within a network, such as snooping and man-in-the-middle attacks. Securing this data offers a layered approach to security that does not rely on perimeters or single points of failure. Encryption is the fundamental building block of data security, and when done correctly can offer a foundation for network level security that bolsters a company’s overall security posture.
Features of network encryption
Network layer security requires encryption and decryption to be constantly used throughout a network, which can cause delays in routine procedures. For this reason, most security teams will only apply it to certain categories of sensitive data, but even when applied in limited cases it can cause excessive delays. Delays associated with encryption and decryption processes need to be kept to an acceptable level. Hardware-based encryption capable of carrying out these processes on devices are more common, but in all cases, security must be balanced with functionality.
There are also other drawbacks to encrypting network traffic. Higher volumes of encrypted traffic on networks can sometimes mask the behavior of malicious actors who have gained access to a network and are using this access to exfiltrate data. As a result, best practice network encryption will also involve decrypting and inspecting portions of SSL/TLS traffic within the network. This is another scalable process that needs to be done in consideration of overall traffic, but as an additional control it supports network layer security and adds an obstacle to data exfiltration.
Encrypting traffic at the network layer is not a silver bullet when it comes to network security. Advanced attackers can still glean valuable information from analyzing patterns of encrypted data traffic. This can in turn allow them to concentrate their efforts within a network to identify high value assets.
As with any other aspect of security, network layer encryption needs to be considered as part of an integrated whole rather than as a point solution to deal with securing an entire layer. Security is a holistic process and needs to be treated as such. Introducing network layer encryption brings with it a host of additional considerations and processes that need to be balanced and built iteratively.
Is network encryption enough?
Network layer encryption is an iterative process with a high number of variables, so it requires a certain level of investment of time and money consistently to be effective. Security teams seeking to automate a greater share of their security stacks may become frustrated at the ongoing demand created by this.
As well as this, securing the network layer is a moving target that can be altered as attackers’ tactics, techniques and procedures change and evolve. Early iterations of network layer encryption did not account for the fact that attackers can find utility in monitoring encrypted traffic for example, leading to the need to incorporate SSL/TLS encryption within the network. It is quite possible that more vulnerabilities with the technique will emerge over time, which will call for additional investment and adjustment of resources.
Network layer encryption is just one part of a holistic security strategy and as mentioned above, it’s important that when sensitive data is shared externally, it is also protected.
Egress Protect offers end to end encryption on data sent by email. This allows users to encrypt emails and files when transferred from an internal network to an external one. The software provides great security and control for shared data than, for example, TLS. This is because Egress Protect encrypts data both in transit and at rest within a recipient’s inbox (on their network), applies advanced controls (such as preventing forwarding and printing), and provides a full audit of actions taken with sensitive data.
Network layer encryption is an important part of the security stack that many teams implement as part of a defense in depth strategy. But with Egress Protect, they know that data transferred over email is also secure to ensure privacy and compliance.