SDWAN and SASE Solutions’ OMNIA product includes Data Assurance, a Layer 4 encryption module that can be run in parallel with both Atomius SD-WAN and Check Point Edge security on our powerful Vena and Vecta uCPE devices.
Why do I need Layer 4 encryption?
You might not initially grasp the importance of Layer 4 encryption, and might think that because you already have Layer 3 encryption you do not need it. To put the need for Layer 4 encryption in perspective: none of the recently attacked companies that suffered data theft, exposure or a ransomware attack were using Layer 4 encryption.
Don’t feel overwhelmed – the security experts from one of Gartner’s security quadrant leaders don’t understand the difference between L3 and L4 encryption, or the need for it, either. But spending 3 minutes reading this blog will make the importance of Layer 4 encryption crystal clear – for your data integrity, your business and your reputation, and to prevent criminal charges against your C-level.
Firstly – a very simple and non-technical analogy:
Layer 3 Encryption (Bumper Car): Imagine you’re driving a bumper car at an amusement park. The bumper car itself is like your data, and the fact that it has those big, rubber bumpers all around it is like Layer 3 encryption. When you bump into other cars, your data (the bumper car) is protected because those soft bumpers absorb the impact. So, even if there’s a collision (like someone trying to intercept your data), your data is still safe because of the protection provided by the bumpers.
Layer 4 Encryption (Crash Helmet): This is like wearing a crash helmet while driving a bumper car. In addition to the soft bumpers (Layer 3), you’re wearing a safety helmet (Layer 4) on your head. This helmet adds an extra layer of protection. If you accidentally crash into something or someone tries to hit you, the helmet keeps your head safe. Similarly, in the context of data transmission, Layer 4 encryption adds an extra layer of security to your data. It’s like putting a protective barrier around your data, making it even more difficult for anyone to access or understand it without the right “helmet” (encryption key). Wearing the helmet, you are still visible to everyone around you (Layer 4 is transport-independent and footers and headers are readable), but your data is protected (encrypted). Additionally, when you get out of the car (when your data is in your own network, and not on the move), there’s no Layer 3 encryption to protect your data, but you are still wearing your helmet (Layer 4 encryption), so your data remains protected. True Zero Trust!
In summary, both Layer 3 and Layer 4 encryption provide protection, with Layer 3 being like the soft bumpers on a bumper car and Layer 4 being like a sturdy crash helmet. Layer 4 adds an extra layer of security, just as the helmet adds an extra layer of safety beyond the bumper car’s built-in protection.
As a slightly more technical explanation: Layer 3 and Layer 4 encryption refer to different levels of network encryption.
Layer 3 encryption operates at the network layer (IP layer) and encrypts IP packets, providing security for data transmitted between different networks. Layer 3 encryption focuses on protecting data in transit across networks, such as when using VPNs. It involves encrypting the entire IP packet to prevent unauthorized access outside of your network.
Layer 4 encryption, on the other hand, works at the transport layer and encrypts data at the transport protocol level, ensuring the confidentiality and integrity of data during communication between devices within the same network. Layer 4 encryption encrypts data within the transport protocol, often securing specific connections or sessions.
Layer 2 encryption involves the data link layer. It provides encryption for specific Layer 2 protocols and is generally used for point-to-point connections.
In summary, L3 encrypts the entire IP packet between network devices on the same or different networks. L4 encrypts the application-specific data payload (as defined by policy) across the same or different networks, and Layer 2 encryption targets specific Layer 2 protocols. Each approach addresses different security requirements based on the network’s architecture and communication needs. If you are only using Layer 2 and Layer 3 encryption, your data is still at risk of being exposed, stolen or held for ransom.
Why is L4 encryption (Data Assurance) part of our OMNIA solution?
Here’s what SD-WAN doesn’t provide:
- SD-WAN does not understand the business value of the data it is transporting
- SD-WAN cannot protect data if it is sent to the incorrect destination due to misconfiguration or incorrect local breakout settings
- SD-WAN cannot protect against data loss
- SD-WAN cannot protect against Ransomware attacks
- SD-WAN does not meet compliance needs in Regulated Industries
This is why we include Data Assurance as a component of OMNIA:
- OMNIA Data Assurance adds 100% focus on protecting valuable data
- OMNIA Data Assurance can further protect data in the supply chain / 3rd party network outside of your company SD-WAN network
- OMNIA Data Assurance can protect data in Cloud / Multi-cloud environments
- OMNIA Data Assurance is placed as close to the User / Application as possible and protects data no matter where the data travels – including the LAN side.
- OMNIA Data Assurance separates each valuable data flow into its own separate encrypted flow – making the data useless to anyone other than the intended recipient
- OMNIA Data Assurance separates the key owner from the key admin for the encryption – delivering true separation and true Zero Trust
- OMNIA Data Assurance complements your SD-WAN network by adding LAN side and whole journey protection for the data irrespective of where it travels
- OMNIA Data Assurance assures customer regulatory compliance
Certes Networks provides the patented Layer 4 encryption product for OMNIA Data Assurance. We asked Certes CTO Simon Pamplin three key questions to explain the real protection that OMNIA Data Assurance provides.
How does OMNIA Data Assurance protect against Ransomware Data Extraction?
“So – assume we place the enforcement point as close to the data as possible so it will be encrypted before it gets to any network (wired or wireless) or any hacker. As the data is encrypted the hacker can no longer decide what data is valuable and worth stealing and what is not. The hacker will also not be able to move laterally across the network to find other systems to look at – such as domain controllers to give themselves an Admin account. That’s the first anti-ransomware protection.”
How does OMNIA Data Assurance protect against Double Extortion Ransomware?
“Certes (OMNIA Data Assurance) also protects against what is called double extortion ransomware – this is where the hacker gains access to the unprotected network, identifies valuable data and copies it to a remote location then deletes the customer’s local copy and ransoms the customer to return the data. The Certes encryption will make the data valueless to the hacker as they will not know what the data is and therefore not know if they are extracting this week’s Facebook updates or valuable payroll data.”
What if the ransomware cyber-criminal encrypted and stole the data and then just deleted the local copy after finding it worthless?
“If they stole it all they would have encrypted data that they cannot decrypt so useless to them. If they deleted the local copy anyway then the customer should have a backup strategy and that is outside of the Certes solution. The point is that we make it much harder to gain anything from a ransomware attack encouraging the hacker to move to an easier target and at the same time protecting the customer from breaching any data protection or regulatory requirements.”
Even if a hacker is already lurking undetected within your network, OMNIA Data Assurance will immediately make it impossible for data to leave your network unencrypted and provide an audit trail for anyone who attempts to extract the data. OMNIA puts innovative yet affordable network, security, data assurance, Multi-cloud, SASE remote access, and SDWAN Connect within easy reach of every type of business.
Before highlighting recent data thefts and breaches, let me repeat the statement from the 2nd paragraph of this blog:
None of the recently attacked companies that suffered data theft, exposure, or a ransomware attack were using Layer 4 encryption.
FBI hacker ‘USDoD’ leaked sensitive data from consumer credit reporting agency TransUnion.
https://securityaffairs.com/150968/data-breach/transunion-data-leak.html?amp=1
Estee Lauder data stolen in cyber-attack – A hacker breached the company’s systems and disrupted its business processes.
https://www.cshub.com/attacks/news/iotw-estee-lauder-data-stolen-in-cyber-attack
UK election watchdog, The Electoral Commission (TEC), revealed on August 8 that it had been the victim of a “complex” cyber attack which potentially exposed the data of more than 40 million voters.
The Police Service of Northern Ireland (PSNI) suffered a “critical incident” on August 8, after the personally identifying information of all of its employees was published online – assistant chief constable Chris Todd said that the cyber security incident was “unacceptable” and was ultimately down to “human error”.
https://www.bbc.co.uk/news/uk-northern-ireland-66578582
Norfolk and Suffolk police revealed that the data of 1,230 people, including the sensitive data of those who were victims and witnesses of or suspects in cases including assaults, sexual offences, thefts, hate crimes and domestic abuse incidents, was posted on the internet following FOI requests.
https://www.bbc.co.uk/news/uk-66510136
Discord.io, a custom invite service for the instant messaging service Discord, suffered a data breach that exposed the personal data of more than 760,000 users. A database containing the personal information of Discord.io users was put up for sale on the dark web.
https://www.standard.co.uk/tech/discord-io-shut-down-data-breach-hacking-b1101000.html
Production company, Paramount Pictures, has revealed that it recently suffered a data breach that exposed personally identifying information.
https://www.cshub.com/attacks/news/paramount-pictures-data-breach-exposes-personal-data
The scraped data of more than 2.6 million users of the language learning app Duolingo was posted to a dark web hacking forum on August 22 – The malicious actor offered US$1,500 for all the data and claimed to have gained access to it by scraping an exposed application interface (API).
https://cybernews.com/security/hackers-exposed-duolingo-users-more-available-scraping/
Shell did not immediately respond to a Reuters request for comment to clarify the exact number of individuals impacted.
More than 12,500 Greater Manchester police (GMP) officers and staff were put on alert on Thursday that their private data had been compromised in a hack that also hit the Metropolitan police last month.
Capita expects to take a financial hit of as much as £25m as a result of a cyber-attack that began in March, pushing the outsourcing group to a pre-tax loss of almost £68m for the first half of the year.
The gang, also known as BlackCat, says it has stolen 70 terabytes of sensitive data in what it claims is the biggest breach of healthcare data in the United Kingdom.
Cumbria police admit huge breach of data of officers and staff.
The University of Manchester has been hit by a cyber-incident that has likely resulted in data being accessed by the attackers.
https://www.infosecurity-magazine.com/news/uni-manchester-data-breach-incident/