Yesterday was a good time for enterprise security practitioners. Back then it was enough to install a device at the edge of the network to protect the building, and that was it. Unfortunately, those good times are gone. In fact, we should have started having doubts several years ago, when firewalls began to look ineffective against new threats. Why? Three reasons:
- Enterprise firewalls simply have too many rules: some redundant, some ineffective and, worse, some that negate others. Most enterprise firewalls carry several hundred rules, clearly more than anyone can understand.
- The bad guys always improve faster than the good guys and turn the firewall rules to their own use, for instance by tunnelling into enterprise networks over ports 80 and 443, which every rule set has to leave open.
- Most Web traffic is now encrypted, thanks to SSL/TLS, which leaves a firewall unable to tell legitimate traffic from malicious traffic unless it terminates the encryption itself.
Now you may tell me: OK, you're right, but we have a brand new arsenal: intrusion prevention systems (IPS), web application firewalls, next-generation firewalls, antivirus; the list is endless. All of these are great tools that operate at the application layer, the highest layer of the network stack. So are they sufficient? While these tools are fantastic, they are very hard to configure properly, because one must first understand how the application behaves. In practice they are deployed with their default settings and some form of signature database, which is always out of date. "C'est la vie!"
These tools, whatever their vendors claim, cannot compete effectively with advanced persistent threats and advanced targeted attacks. Even before the advent of the cloud and Bring-Your-Own-Device (BYOD), data was already mobile and perimeter tools were already obsolete. As in any great robbery, it is easier to steal valuables while they are on the move than while they sit in a safe. Don't get me wrong; I'm not saying you must throw away your firewalls or IPS appliances. They remain useful, especially because they generate logs that help you understand what is happening in your network. But as a line of defence, perimeter security is obsolete. Since the arrival of cloud technology and BYOD, there is no longer a perimeter to protect: data is everywhere, and thus beyond the reach of perimeter security.
So what's the problem? The point is that security must focus on data, because data represents the wealth of any enterprise. Of course, there are many kinds of data in the corporate world: programs, enterprise documentation, personal data, emails, databases and more. This is the so-called data-centric model, and much has been written about it; in general it starts with data classification. Mostly wishful thinking, though, since in practice the effort usually ends there.
So, is there a solution? We propose achieving a good level of security, particularly in cloud usage, by encrypting all data and decrypting it as close to the device as possible. But encryption is not enough. Even strong encryption, if badly implemented, can be worse than none, because it provides a false sense of security. Recall the NSA surveillance revelations: what was exploited lay in the implementation and deployment of encryption, not in the algorithms themselves. Encryption must therefore be complemented by strict key management, access control to the protected data, and accounting of data access. The goal of effective security is to provide adequate answers to the following fundamental questions:
- How to guarantee reliable, end-to-end data protection in insecure and heterogeneous environments?
- How to ensure that people can only access data for which they have permission?
- How to enforce accounting and traceability of data access and usage?
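To make the three requirements concrete, here is an added example, not code from the original article and not Viaccess software, of the smallest component that answers all three at once: every object is encrypted under its own data key, the data key is wrapped under a key-encryption key that only a broker holds, the broker checks an access list before unwrapping anything, and every attempt, allowed or denied, lands in an audit trail. It assumes AES-256-GCM as the cipher (the object identifier is bound into the authenticated data, so a ciphertext cannot be re-labelled as another object), an in-memory ACL and an in-memory log; the names Broker, Protect, Access and the sample object are hypothetical, and the "contract-42.pdf" content is constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ProtectedObject carries its own protection; without the broker's KEK and ACL it is opaque.
type ProtectedObject struct {
	ID         string
	Ciphertext []byte // nonce || AES-GCM(DEK, data, aad=ID)
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK,  aad=ID)
}

// Broker is the hypothetical component that decrypts close to the device: it
// alone holds the key-encryption key (KEK), enforces the ACL and keeps the log.
type Broker struct {
	kek   []byte
	acl   map[string]map[string]bool // object ID -> principals allowed to read
	Audit []string                   // one line per access attempt, allowed or not
}

func NewBroker() *Broker {
	return &Broker{kek: randBytes(32), acl: map[string]map[string]bool{}}
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe way to continue without entropy
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes here: an error is a bug
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || AES-256-GCM(key, nonce, pt, aad) under a fresh random
// nonce (nonce reuse under one key breaks GCM). aad is authenticated but not
// encrypted; binding the object ID there stops ciphertext relabelling.
func seal(key, aad, pt []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}

// open is the inverse; it fails on any modification of blob or aad.
func open(key, aad, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Protect: a per-object data key (DEK) seals the data, the KEK wraps the DEK, the ACL records the readers.
func (b *Broker) Protect(id string, pt []byte, readers ...string) *ProtectedObject {
	dek := randBytes(32)
	b.acl[id] = map[string]bool{}
	for _, r := range readers {
		b.acl[id][r] = true
	}
	return &ProtectedObject{ID: id, Ciphertext: seal(dek, []byte(id), pt), WrappedDEK: seal(b.kek, []byte(id), dek)}
}

// Access is the only path to plaintext: ACL check, unwrap DEK, decrypt; every attempt is logged.
func (b *Broker) Access(who string, obj *ProtectedObject) (_ []byte, err error) {
	allowed := b.acl[obj.ID][who]
	defer func() {
		b.Audit = append(b.Audit, fmt.Sprintf("%s %s allowed=%v err=%v", who, obj.ID, allowed, err))
	}()
	if !allowed {
		return nil, errors.New("access denied")
	}
	dek, err := open(b.kek, []byte(obj.ID), obj.WrappedDEK) // fails if the ID was relabelled
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, []byte(obj.ID), obj.Ciphertext) // fails if the data was modified
}

func main() {
	b := NewBroker()
	obj := b.Protect("contract-42.pdf", []byte("constructed sample document"), "alice")
	b.Access("mallory", obj)                   // not in the ACL: denied
	obj.Ciphertext[len(obj.Ciphertext)-1] ^= 1 // one bit flipped in transit
	b.Access("alice", obj)                     // allowed, but the integrity check fails
	fmt.Println(b.Audit)
}
```

The point of the example is the "badly implemented" caveat above: with an unauthenticated mode such as plain AES-CBC, the flipped bit and the re-labelled object would both decrypt silently, to garbage or to somebody else's data, and the log would record a successful read. The GCM tag and the object ID in the associated data are what turn "encrypted" into "protected"; in a real deployment the KEK would live in an HSM or key-management service and the audit lines in an append-only store rather than in memory.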
Obviously, we're not talking only about enterprise security here. In order to meet their end users' viewing expectations, content service providers have no choice but to embrace open networks, on-the-go consumption and BYOD as part of their multiscreen content services. For their end users, data means content: movies, sports events, TV series and the related metadata that offer a fully immersive and enriched user experience. Because content represents the service provider's wealth, here too the point is to focus security on content, with a holistic approach to end-to-end content protection, content access control and content traceability.
Yesterday was a good time for pay TV security practitioners. And if you still believe that it’s enough to install a device to protect a content service, we have some bad news for you: those good times are gone.
David Leporini is the Executive Vice President of Marketing, Products and Security. Prior to this role, David was a member of the Executive Board of Viaccess and had served as CTO since 2007.