02 December 2022

Data protection and secure communication in Switzerland


Sensitive business data and personal data requiring special protection must be transmitted securely. Today's Internet is not suitable for secure communication. The Internet was not designed as a high-security network. The sender cannot control the route/path taken by the data packets sent to the destination address. Digital highwaymen lurk on the Internet to hijack data packets (route hijacking).

In Switzerland, a new Internet architecture called SCiON (Scalability, Control, and Isolation On Next-Generation Networks) has been developed as a next-generation Internet. It provides route control (path control), failure isolation and explicit trust information for end-to-end communication. SCiON organizes existing autonomous systems (ASes) into groups of independent routing layers, called isolation domains, which are interconnected to provide global connectivity. Isolation domains provide natural isolation from routing errors and misconfigurations, give endpoints strong control over inbound and outbound traffic, provide meaningful and enforceable trust, and enable scalable routing updates with high path freshness. As a result, the SCiON architecture has strong resilience and security properties that are inherent in its design. In addition to high security, SCiON also provides a scalable routing infrastructure and highly efficient packet forwarding.

As a path-based architecture, SCiON lets end hosts learn the available network path segments and combine them into end-to-end paths that are carried in the packet headers. Embedded cryptographic mechanisms restrict path construction to what the route policies of ISPs and receivers allow, while letting all parties (senders, receivers and ISPs) choose between different paths (multi-pathing). This approach enables path-aware communication, an emerging trend in networking. The same features enable multi-path communication, which is an important approach for high availability, fast failover in the event of network failures, increased end-to-end bandwidth, dynamic traffic optimization and resilience against DDoS attacks.
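As an added illustration, not part of the original article and a simplified model rather than SCiON's real protocol, the Python sketch below shows the end-host step described above: learned path segments are assembled into end-to-end paths, paths are filtered by an allowed-ISD policy, and the sender picks among the survivors, failing over when an AS becomes unavailable. The topology, AS names and segments are constructed for the example.

```python
from itertools import product

# Constructed sample topology (not real SCiON data): AS identifiers are "ISD-AS".
# Core ASes carry a "C" in their name purely for readability.
UP_SEGMENTS = [["1-A", "1-C1"], ["1-A", "1-B", "1-C2"]]        # source AS 1-A up to its ISD core
CORE_SEGMENTS = [["1-C1", "2-C1"], ["1-C1", "2-C2"], ["1-C2", "3-C1", "2-C2"]]  # core-to-core links
DOWN_SEGMENTS = [["2-C1", "2-Z"], ["2-C2", "2-Y", "2-Z"]]       # ISD 2 core down to destination 2-Z


def isd_of(as_id):
    """Isolation domain number of an 'ISD-AS' identifier."""
    return int(as_id.split("-")[0])


def combine_segments(up_segments, core_segments, down_segments):
    """Join up/core/down segments whose endpoints coincide into end-to-end AS paths.

    This models the end-host step the article describes: the host learns the
    segments and assembles the path itself instead of relying on hop-by-hop routing.
    """
    paths = []
    for up, core, down in product(up_segments, core_segments, down_segments):
        if up[-1] == core[0] and core[-1] == down[0]:
            paths.append(up + core[1:] + down[1:])
    return paths


def allowed_by_policy(path, allowed_isds):
    """Receiver/ISP policy (simplified): every AS on the path must lie in an allowed ISD."""
    return all(isd_of(as_id) in allowed_isds for as_id in path)


def select_path(paths, allowed_isds, failed_ases=frozenset()):
    """Sender choice among policy-compliant paths: shortest path avoiding failed ASes.

    Returns None when no compliant path survives, i.e. the host fails closed
    rather than falling back to an uncontrolled route.
    """
    candidates = [p for p in paths
                  if allowed_by_policy(p, allowed_isds)
                  and not failed_ases.intersection(p)]
    return min(candidates, key=len) if candidates else None


if __name__ == "__main__":
    all_paths = combine_segments(UP_SEGMENTS, CORE_SEGMENTS, DOWN_SEGMENTS)
    print("assembled paths:", all_paths)
    print("chosen (ISDs 1 and 2 only):", select_path(all_paths, {1, 2}))
    print("after 2-C1 fails:", select_path(all_paths, {1, 2}, {"2-C1"}))
```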

The SCiON technology is based on an open source concept developed at ETH Zurich. The ETH spin-off Anapaya Systems provides access to SCiON-based network services with a simple switch implementation (Anapaya Edge).

The use cases are obvious: financial industry, healthcare, energy sector, critical infrastructures, etc.

In particular, Switzerland wants to make the financial sector more secure. The project initiated by the Swiss National Bank and SIX is called Secure Swiss Finance Network (SSFN). According to the circular of SIX Interbank Clearing Ltd, all banks affiliated to SIX must migrate to SCiON by the end of 2024. SSFN allows a precisely defined group of users to exchange data in a controlled manner, separated from the Internet. The cooperation of several SSFN communication providers enables redundant, fail-safe connections and resilient data exchange. Certificates issued on the basis of the SSFN regulations ensure controlled access to the network. Since the beginning of June 2022, the interbank transactions of the payment systems Swiss Interbank Clearing (SIC) and euroSIC have also been integrated into the SSFN. Other services, such as the SECOM securities settlement system or ATM monitoring (electronic monitoring of cash dispensers), will gradually become available via the SSFN as well. The current "Finance IPNet" network is thus to be replaced step by step.

For data protection reasons, the new SCiON technology should be taken into account in the future when selecting the security architecture (privacy by design; privacy by default).