Data Assurance Changes How We Network
Yesterday's network solutions fall short when it comes to data assurance. Organizations need next-gen private networks with built-in data assurance controls.
The EU fined Meta €1.2 billion (approximately $1.28 billion) for violating GDPR rules on data sovereignty. T-Mobile settled a class action lawsuit for $350 million for a data breach that impacted more than 76 million customers. The US government estimates that US businesses lose more than $600M annually due to stolen sensitive intellectual property.
What do these staggering statistics have in common? They are all examples of data assurance failures. Data assurance is defined as managing your data in a way that assures you stay compliant with the following:
Data sovereignty laws (such as GDPR and CCPA, etc.)
Industry regulations (such as HIPAA, PCI-DSS, etc.)
Internal corporate rules (such as those designed for data loss prevention or cybersecurity)
Data assurance covers many technology areas; the text of the GDPR alone runs to 261 pages. One area, however, is crucially important: the network itself.
The enterprise must be able to control the path data takes when moving from point A to point B and have full visibility into data both during that journey and after it is complete.
Here is a simple example. A German enterprise needs to transfer customer information between its Munich and Dresden offices. A straight line between the two runs directly through the Czech Republic, and Chapter V of the GDPR, which deals specifically with transfers of personal data across borders, takes issue with that.
If an enterprise makes a mistake here, it will face massive penalties. The enterprise needs to ensure the route from Munich to Dresden stays within Germany’s borders for the entire transit. This means the network must allow the enterprise to:
Specify precisely the route sensitive data will take
Provide real-time and historical visibility into data in motion to prove the enterprise was always in compliance.
Where Data Assurance Needs to Happen
Where is the most efficient place to orchestrate data assurance? If you add controls at the application level, you will have to add controls in hundreds or even thousands of applications and sites worldwide. This is unworkable.
Adding controls to edge routers won’t work because of how routing works: an edge router forwards traffic toward a destination but does not dictate the path it follows. Once your data enters the network, the router has no ability to control where it goes.
The most efficient and effective place to orchestrate data assurance is, therefore, in the network itself. But how?
Achieving Data Assurance Today
Today, the simplest way to control the path data takes between two points is a private network (leased lines, for example). But today’s private networks are extremely expensive and offer little in the way of visibility. They also take months to provision, which slows business agility. Even with MPLS, traffic follows the IGP shortest path by default. Where alternate paths exist, traffic engineering (TE) with segment routing (SR) can steer traffic onto non-shortest paths. If that decision is made in the Provider Edge (PE) router of the service provider's network, however, it requires source-based routing, which is not sustainable because implementing source routing per customer inside a service provider network is impractical.
This approach will not scale effectively in an MPLS environment. Moreover, 99% of MPLS private networks do not encrypt traffic natively, so encryption has to be layered on top, which leads to significant performance and scalability issues.
Another option is to move your operations to a public cloud that guarantees you meet data assurance goals. This, too, can be prohibitively expensive and also lacks visibility. Even with a cloud provider, the server may be in the correct location, but the path to the provider over the public internet will always follow the shortest route. That does not guarantee path assurance and may result in traffic leaving the national boundary: although the server is physically within the country's borders, the path taken over the public internet via SD-WAN cannot be controlled.
If the middle mile is used via an SD-WAN VNF, you again face the limitations of source-based routing, along with decryption in the middle mile, as outlined in the previous paragraph.
Another issue with both approaches is the need to overlay encryption so data is safely encrypted 100% of the time it is in motion. This is time-consuming for your IT staff and slows performance.
One final concern is that the enterprise must deal with a myriad of different laws, industry regulations, and internal rules. While it may be possible to use leased lines or a cloud provider to stay compliant with a single law (such as GDPR), it is nearly impossible to stay compliant with every law, regulation, and rule.
Time for a Private Network with Data Assurance Built-in
The reality is that yesterday's network solutions don't provide a workable solution for achieving data assurance. The ultimate solution is to deploy a next-generation private network with built-in data assurance controls. What would this look like?
Encryption: First, such a network would need to have best-in-class encryption built-in. It would need to encrypt all data upon entry and never decrypt the data until it exits at its destination. This would ensure private data is fully protected from prying eyes.
Software-Defined Paths: Second, the network would need to allow the enterprise to set up path rules using a simple, cloud-based portal. This would maximize the agility with which enterprises could set up complex path rules to meet every law, regulation, or enterprise rule. Furthermore, these rules would then be available instantly around the world.
Visibility: The network would need to provide real-time, fully granular visibility so the enterprise would always know where its data was and the path it was following. Further, this visibility would be logged so the enterprise could easily demonstrate later that it had complied with laws and regulations.
Affordability: The next-gen private network would need to offer pricing closer to public internet broadband than to expensive MPLS networks.
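A sketch of what the path rules and visibility logging described above (Software-Defined Paths and Visibility) come down to, applied to the Munich-to-Dresden scenario from earlier in the article: this is an added example, not code from the article or from any vendor's product, and the hop identifiers, country codes and rule format are assumptions.

```python
"""Path-assurance rule check: decide whether a recorded data path honours a
jurisdiction rule and emit a log record an auditor can verify later.
Hop identifiers, country codes and the rule format are constructed."""
from dataclasses import dataclass, field
import hashlib
import json

@dataclass(frozen=True)
class Hop:
    node: str       # constructed router identifier
    country: str    # ISO 3166-1 alpha-2 code of the hop's physical location

@dataclass(frozen=True)
class PathRule:
    name: str
    allowed_countries: frozenset
    require_encrypted: bool = True   # data must stay encrypted end to end

@dataclass
class AuditRecord:
    rule: str
    compliant: bool
    violations: list = field(default_factory=list)
    path_digest: str = ""            # SHA-256 over the exact hop list

def evaluate_path(rule: PathRule, hops: list, encrypted: bool) -> AuditRecord:
    """Check every hop against the rule, collecting all violations, not just the first."""
    violations = [
        f"hop {i} ({h.node}) is in {h.country}, outside {sorted(rule.allowed_countries)}"
        for i, h in enumerate(hops)
        if h.country not in rule.allowed_countries
    ]
    if rule.require_encrypted and not encrypted:
        violations.append("traffic was decrypted in transit")
    # Digest the exact path so the stored record is tied to what was observed.
    digest = hashlib.sha256(
        json.dumps([[h.node, h.country] for h in hops]).encode()).hexdigest()
    return AuditRecord(rule.name, not violations, violations, digest)

# Constructed sample: the Munich-to-Dresden scenario described in the article.
GERMANY_ONLY = PathRule("gdpr-customer-data-de", frozenset({"DE"}))
SHORTEST_PATH = [Hop("pe-muc-1", "DE"), Hop("core-prg-2", "CZ"), Hop("pe-drs-1", "DE")]
DOMESTIC_PATH = [Hop("pe-muc-1", "DE"), Hop("core-nue-1", "DE"),
                 Hop("core-lej-1", "DE"), Hop("pe-drs-1", "DE")]

if __name__ == "__main__":
    for label, path in (("shortest", SHORTEST_PATH), ("domestic", DOMESTIC_PATH)):
        rec = evaluate_path(GERMANY_ONLY, path, encrypted=True)
        print(label, "compliant" if rec.compliant else rec.violations)
```

The record stores every violation rather than stopping at the first, so the historical log shows exactly which hop or segment broke the rule.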
Data Assurance isn’t an Option
Achieving full data assurance isn't a luxury or nice to have. Just ask Meta about their €1.2B fine! Yet yesterday's network solutions fall short. SD-WAN uses the public internet, which we have seen lacks the control needed to comply with laws and regulations. Also, available private networks (such as MPLS) are expensive, slow to provision, and utterly lacking in visibility.
The only reasonable answer is to deploy a next-gen private network with built-in data assurance controls.