Secure MPLS Case Study

The Situation

This case study details the deployment of the CipherEngine data protection solution by a U.S.-based Fortune 500 company to protect their
sensitive information as it traversed their global network. The sections below explain the management and deployment requirements and how
CipherOptics enabled this manufacturer to protect their business-critical information without disrupting their global network operations.

A U.S.-based Fortune 500 chemical manufacturing company realized their intellectual property, including new product schematics, formulas for new compositions, and other sensitive information, was exposed to attack, compromise and theft. The Company was sending this information in clear text as it traversed multiple carrier networks to reach their facilities in China, Germany, Hong Kong, India, Japan, Singapore and the United States.
The Company leases a fully meshed MPLS network from a major U.S.-based service provider. However, given the global scale of the Company’s network, they were forced to utilize various third-party carriers in each country to connect to their remote facilities.
Because of the inconsistency in, or complete lack of, regulatory standards governing international data transmissions, these third-party service providers introduced additional vulnerabilities to the data flow.
In order to eliminate these vulnerabilities and remove the risk of industrial espionage, the Company decided to encrypt their data across the entire network.

The Requirements

The Company required network-wide data protection without compromising performance.  They specifically required a solution that could:
• Encrypt the global network without performance degradation
• Avoid network or router upgrades or re-architecting of any kind
• Scale as the Company’s encryption needs grow
• Be easily managed without being resource-intensive
• Provide the U.S. headquarters with control over encryption policies and key generation and distribution

The Company runs multiple real-time applications on an accelerated WAN, so network performance was a major concern. The Company also sends large volumes of data across their network to redundant sites within their multi-national network. These real-time communication applications are latency-sensitive: even a small amount of delay can disrupt them.

Due to the size of the network itself, upgrading routers was not an option for the Company.  They required a solution that would fit within the existing architecture.  The solution also needed to be flexible enough to grow in stages, from an initial deployment of approximately 30 sites to an eventual deployment of almost 300 sites.

Additionally, the solution had to address the need for centralized management and simple operation. The Company has several sites in remote locations that operate without technical resources or support. The solution needed to be straightforward, so that successful installation and start-up could be completed with minimal support at each location.

Lastly, the Company required that the U.S. headquarters have complete control of the generation and distribution of the encryption policies and keys throughout the entire network.  This would remove the risk of the keys falling into the wrong hands.

The Bidding Process

The Company researched the available encryption solutions and selected four vendors to evaluate. First, they considered a router-based solution. However, a router-based encryption solution would require network-wide router upgrades. This approach would also add an unacceptable amount of latency into the network, disrupting real-time applications. At this point, the Company realized they needed a stand-alone encryption solution.

The stand-alone approach utilized by the three remaining vendors offered similar encryption capabilities. The determining factor proved to be the requirement for ease of operation and management. CipherOptics was the only company that complied with all of the Company’s requirements. CipherOptics CipherEngine, along with CipherOptics Security Gateway encryption appliances, offered the ability to manage the Company’s network-wide encryption, as well as the following key benefits:

• Simple encryption policy and key management

• Intuitive GUI interface for centrally managing network-wide policies and keys

• Separation of security and networking functions

• Scalability without complexity

No other vendor offers the flexibility, manageability and the scalability offered with CipherEngine. The choice was clear and the deployment began.

The Installation

CipherEngine and the CipherOptics IP Security Gateways were selected for the Company’s network. Each appliance was quickly configured at the Company’s U.S. facility and then shipped to its final destination. Once there, each appliance was simply placed in a rack, plugged in and turned on. From that point forward, all configuration and management was performed remotely from the U.S. facility, using CipherEngine.

When it came to the policies that would govern the encryption, the security administrator defined and deployed fewer than 10 encryption policies in CipherOptics CipherEngine’s centralized management portal.  The policies secured 30 nodes at 20 sites, protecting 50 subnets and nearly 12,000 IP addresses.  The entire process took hours, not days.

The Result

The CipherOptics encryption solution is in place and operating as designed. CipherEngine and the IP Security Gateways are protecting the Company’s highly sensitive data throughout the fully meshed MPLS backbone network.

The Company was impressed by how easily the entire CipherOptics solution integrated into their existing network. 

The CipherOptics IP Security Gateways integrated transparently, without affecting the network applications, topology or performance.  CipherEngine deployed and manages a large, fully meshed encrypted network from a centrally located workstation without introducing complexity into the network.
The end result is one of the largest encrypted full mesh networks in the world. The Company no longer worries about the security of its business-critical information when it is sent over its multinational network.