Is securing data centers at Layer 1 the key to digital sovereignty?
Data centers form the backbone of digital government. But as cloud adoption and e-services expand, these critical infrastructures face growing cyber threats. Securing the physical network layer is now essential to achieving true digital sovereignty.
Uli Schlegel

The physical layer is a growing point of attack
As federal cloud platforms, e-government services and automated systems grow more connected, so too does the need for secure data flows between data centers, ministries, cloud environments and backup sites. These connections often rely on fiber – a medium that can be tapped without detection. While higher-layer protections like TLS or IPsec are commonly used, they don’t encrypt everything. Critical metadata remain exposed, creating a serious blind spot.
Conventional security mechanisms are no longer sufficient on their own. Without Layer 1 encryption, the physical network remains a prime target for interception and manipulation.
TeleTrusT: Layer 1 encryption as state of the art
The current guide ‘State of the Art in IT Security’ by TeleTrusT e. V. (06/2025) highlights the particular relevance of Layer 1 encryption in section 3.2.34: The physical network layer is especially vulnerable due to easily accessible transmission media and the large volumes of data transmitted. Access to optical signals cannot be reliably prevented, meaning there’s a risk of sensitive content being intercepted.
Importantly, encryption methods already in use at higher levels – such as at the application level (e.g., TLS) or at the network level (e.g., IPsec) – cannot eliminate the risks at the line level. They only protect parts of the data traffic, leaving metadata and protocols unencrypted. Layer 1 encryption is therefore a necessary addition to comprehensive IT security strategies.
A high-risk scenario: Store now, decrypt later
Today, data is being intercepted and stored so that it can be decrypted later, for example with the help of quantum computers – a threat known as ‘store now, decrypt later’. Fiber optic infrastructures connecting data centers and other critical networks are particularly affected. The guide therefore recommends relying on quantum-secure key procedures today and protecting all Layer 1 communication – including metadata such as IP or MAC addresses.
Security at the network level is a prerequisite for resilient digital administration. Anyone who wants to ensure digital sovereignty in the long term must comprehensively protect infrastructure and communication.
ConnectGuard™: Quantum-secure and crypto-agile encryption
Quantum-secure ConnectGuard™ Layer 1 encryption combines established symmetric algorithms with modern post-quantum cryptographic (PQC) methods in a hybrid architecture, delivering future-proof security at the physical level. The solution encrypts all data regardless of the protocol used – directly on the line, with minimal latency and maximum performance. Thanks to its crypto-agile architecture, it adapts flexibly to future cryptographic standards and new threat scenarios to ensure sustainable protection in a changing IT security landscape.
BSI-approved network security for the highest requirements
Adva Network Security is the only provider in Germany offering a BSI-approved encryption solution for optical transport systems (Layer 1) based on ConnectGuard™ technology. With tailor-made security solutions for optical and Carrier Ethernet networks, we meet the highest requirements for confidentiality, availability and integrity – especially for public authorities and critical infrastructures.
Holistic protection through technology and services
Our security approach encompasses much more than just technology. Penetration tests and Security Operations Center (SOC) services ensure that potential threats are detected early and countered in a targeted manner. All services are developed, operated and tested in Germany – for maximum transparency and trust.
Adva Network Security stands for certified security, easy integration and maximum performance – from Germany, for a sovereign digital future.