The increasingly connected nature of enterprises and unified communications requires a rethink on security models.
Editor’s Note: The RCR Wireless News Reality Check section is where C-level executives and advisory firms from across the mobile industry share unique insights and experiences.
The arrival of the internet changed a lot of things, including the way we looked at security. Suddenly, the network became the focal point of every security strategy. Keeping outside threats from getting inside became a priority for every CIO.
The cloud, like the internet before it, has upended our view of security again. This time it’s no longer an inside versus outside battle. We now live in a borderless world where threats can happen anywhere, anytime. Protecting businesses from outside threats alone doesn’t make sense in an age when half of all security threats originate from inside an organization because of poor security practices, sabotage and other means.
The answer to pervasive threats is simple, if extreme: trust no user and no application and, by extension in an internet of things-enabled world, trust nothing. Adopting a zero-trust posture commits a company to identifying and closing every security hole that can damage its business and erode customer trust. Recent denial of service attacks and data exfiltration crimes show that even seemingly innocuous elements, such as a partner portal site or an official-looking email, can provide the entry point to disaster. In the extreme, heating, ventilation and air conditioning systems have been used as the path to exfiltrate critical customer information. Every entry point into a business must therefore be part of a comprehensive security strategy.
So where to start? Protecting everything at the outset is not a realizable security strategy, unless you have unlimited resources to apply to the problem. Instead, organizations need to focus their initial security investments on the areas, applications and access points that matter most. One critical area that is often overlooked is unified communications.
Years ago, when communications ran on isolated voice networks distinct from the data center, voice applications were regarded as inherently secure because they weren’t connected to the internet. The convergence of voice and data onto common IP networks means that voice/UC services and endpoints are now as vulnerable to compromise as any other enterprise application or infrastructure component.
UC applications represent a bigger risk than plain voice over internet protocol because of what’s at stake: voice, video, email, text messages, file sharing and, most importantly, access into the broader network. UC sessions routinely expose critical enterprise digital assets. It’s also important to note that UC is a different kind of risk than data communications. UC protocols are highly “stateful” and complex: the signaling for each call (SIP, in most deployments) negotiates the addresses and ports that the media streams will use, so the ports in use are not known until the call is set up. UC also runs on different devices and has different sensitivities to latency and packet loss. Using a data-based security strategy, that is, securing a UC session with a conventional port-based firewall, simply doesn’t work for these reasons: the firewall either drops the dynamically negotiated media or has to leave a wide port range permanently open, and it cannot inspect the signaling for abuse. Instead, you need a specialized type of firewall for real-time UC applications: a session border controller.
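To make the “stateful” point concrete, here is an added example (not code from the column or from any SBC vendor) that parses a constructed SIP INVITE, derives the media pinholes from its SDP body and compares them with what a static, port-only rule set would permit. The addresses, ports, Call-ID and the `SipAwareFilter` class are assumptions made for the example; RTCP on RTP port + 1 follows the RFC 3550 default.

```python
"""Added example: why a port-based firewall cannot secure a UC session on its own.

In SIP-based UC, the signalling (normally port 5060/5061) carries an SDP
body that negotiates, per call, the IP address and ports the RTP media
streams will use.  A firewall that only knows "allow 5060" either drops
the media or must leave a wide UDP range permanently open.  A SIP-aware
element (the role an SBC plays) reads the SDP, opens exactly the
pinholes that call needs and closes them on BYE.  Addresses, ports and
identifiers below are constructed for the example.
"""


def _sip(request_line, headers, body=""):
    """Assemble a SIP message with a correct Content-Length."""
    head = [request_line] + headers + [f"Content-Length: {len(body)}"]
    return "\r\n".join(head) + "\r\n\r\n" + body


SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 198.51.100.7\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.7\r\n"          # session-level media address
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"       # audio RTP on 49170, RTCP on 49171
    "m=video 51372 RTP/AVP 31\r\n"        # video RTP on 51372, RTCP on 51373
)
COMMON = [
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.org>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@198.51.100.7",
]
SAMPLE_INVITE = _sip("INVITE sip:bob@example.net SIP/2.0",
                     COMMON + ["CSeq: 1 INVITE", "Content-Type: application/sdp"],
                     SAMPLE_SDP)
SAMPLE_BYE = _sip("BYE sip:bob@example.net SIP/2.0", COMMON + ["CSeq: 2 BYE"])

# What a static, port-based rule set knows about: the signalling port only.
STATIC_ALLOW = {("198.51.100.7", 5060, "udp")}


def parse_sip_message(raw):
    """Split a SIP message into (method, headers with lower-cased names, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def media_pinholes(sdp):
    """Return the set of (ip, port, proto) the media plane needs for one SDP.

    A session-level c= line applies to every m= line unless a media-level
    c= line overrides it; a port of 0 means the stream is rejected.  RTCP
    defaults to RTP port + 1 (RFC 3550).
    """
    session_ip = None
    streams = []
    for line in sdp.split("\r\n"):
        if line.startswith("c="):
            ip = line[2:].split()[2]
            if streams:
                streams[-1]["ip"] = ip      # media-level override
            else:
                session_ip = ip
        elif line.startswith("m="):
            fields = line[2:].split()
            streams.append({"ip": session_ip, "port": int(fields[1])})
    pinholes = set()
    for s in streams:
        if s["port"] == 0 or s["ip"] is None:
            continue
        pinholes.add((s["ip"], s["port"], "udp"))      # RTP
        pinholes.add((s["ip"], s["port"] + 1, "udp"))  # RTCP
    return pinholes


def dropped_by_static_rules(pinholes, allow=STATIC_ALLOW):
    """Media flows a port-only firewall would drop, since it never saw the SDP."""
    return pinholes - allow


class SipAwareFilter:
    """Tracks call state so pinholes exist only while a call does."""

    def __init__(self):
        self.calls = {}  # Call-ID -> pinholes for that call

    def on_message(self, raw):
        method, headers, body = parse_sip_message(raw)
        call_id = headers["call-id"]
        if method == "INVITE" and headers.get("content-type") == "application/sdp":
            self.calls[call_id] = media_pinholes(body)
        elif method == "BYE":
            self.calls.pop(call_id, None)   # close the pinholes with the call
        return self.open_pinholes()

    def open_pinholes(self):
        return set().union(*self.calls.values())


if __name__ == "__main__":
    f = SipAwareFilter()
    print("pinholes after INVITE:", sorted(f.on_message(SAMPLE_INVITE)))
    print("dropped by static rules:", sorted(dropped_by_static_rules(media_pinholes(SAMPLE_SDP))))
    print("pinholes after BYE:", f.on_message(SAMPLE_BYE))
```

Every media flow the call needs is outside the static allow set, which is the whole problem: a port-based device has to choose between breaking the call and opening the range for good. A real SBC does more than this (it also validates the signaling, rate-limits registrations and rewrites addresses), but the call-scoped pinhole is the core of why it is “stateful.”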
But what does this have to do with the cloud? Like other applications before them, UC applications are now moving into the cloud to take advantage of its efficiency, scalability and flexibility, and they are moving there in a big way, with year-over-year growth that is exponential. However, shifting UC into the cloud does move it out of the controlled environment of the enterprise data center and, because of the multitenant nature of the cloud, increases the potential attack surface for UC applications. Supporting this rapid migration to cloud-hosted UC services requires a multilayered security strategy.
However, most security elements, the SBC included, manage their own security context independently and do not communicate with each other. An SBC is the first step toward securing UC, but what if service policies could be orchestrated across every element involved in service and network security?
For example, say an SBC detects an endpoint conducting a denial of service attack. At the application layer, the SBC can blacklist that endpoint, but much more can be done with this information than is possible when the SBC acts alone. An enhancement to this model is to treat every element in the security stack (SBCs, firewalls, routers and so on) as a sensor that generates security-relevant context. These sensors may be inline, handling traffic, or may take information from the network by monitoring it. They feed their data into a context domain, or security controller, that performs analytics, detects anomalies, identifies potential threats and determines the best course of action for mitigation and future prevention. This notion of “networked security” enables increasingly sophisticated threat detection, and it also ensures that the response to a threat is applied throughout the network rather than at a single network node.
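The controller model described above, as an added example that is not part of the column and does not represent any vendor’s product: a small correlation engine takes reports from several sensors, sums the evidence per source over a sliding window, and when the threshold is crossed dispatches one block action to every enforcement point. The sensor names, event format, threshold and window are assumptions made for the example, and the sample events are constructed rather than captured. The comparison function shows what the detecting element would do on its own.

```python
"""Added example: a minimal "networked security" controller.

Every security element (SBC, firewall, router) is treated as a sensor that
reports suspicious activity it sees.  The controller correlates the reports
per source over a sliding time window and, once the combined evidence
crosses a threshold, pushes one mitigation to every enforcement point
instead of leaving the detecting element to act alone.  Sensor names,
thresholds and the event format are assumptions for this example; the
events are constructed, not captured traffic.
"""
from collections import defaultdict, deque

ENFORCEMENT_POINTS = ("sbc-1", "fw-edge", "router-core")   # hypothetical names


class SecurityController:
    def __init__(self, threshold=50, window_s=10, enforcers=ENFORCEMENT_POINTS):
        self.threshold = threshold        # suspicious events per window before blocking
        self.window_s = window_s
        self.enforcers = enforcers
        self.evidence = defaultdict(deque)  # src -> deque of (ts, count, sensor)
        self.blocked = {}                   # src -> evidence that triggered the block

    def ingest(self, event):
        """Take one sensor report; return the mitigation actions to dispatch.

        event = {"ts": seconds, "sensor": name, "src": ip, "kind": str, "count": int}
        """
        src, ts = event["src"], event["ts"]
        if src in self.blocked:
            return []                       # already mitigated network-wide
        q = self.evidence[src]
        q.append((ts, event.get("count", 1), event["sensor"]))
        cutoff = ts - self.window_s
        while q and q[0][0] < cutoff:
            q.popleft()                     # age out evidence outside the window
        total = sum(c for _, c, _ in q)
        if total < self.threshold:
            return []
        sensors = sorted({s for _, _, s in q})
        self.blocked[src] = {"total": total, "sensors": sensors}
        # The same action goes to every enforcement point, not only the detector.
        return [{"target": e, "action": "block", "src": src,
                 "reason": f"{total} events in {self.window_s}s seen by {sensors}"}
                for e in self.enforcers]


def single_node_response(event, threshold=50):
    """What the detecting element does alone: its own view, its own enforcement."""
    if event.get("count", 1) >= threshold:
        return [{"target": event["sensor"], "action": "block", "src": event["src"]}]
    return []


# Constructed sample reports (not real logs): an attacker that splits its load
# across the SIP layer and the IP layer stays below each sensor's own threshold.
SAMPLE_EVENTS = [
    {"ts": 100, "sensor": "sbc-1", "src": "203.0.113.5", "kind": "sip_invite_burst", "count": 30},
    {"ts": 101, "sensor": "fw-edge", "src": "198.51.100.20", "kind": "syn_burst", "count": 4},
    {"ts": 103, "sensor": "fw-edge", "src": "203.0.113.5", "kind": "syn_burst", "count": 25},
    {"ts": 104, "sensor": "sbc-1", "src": "203.0.113.5", "kind": "sip_invite_burst", "count": 10},
]


def run(events, controller=None):
    """Feed events through both models; return (networked actions, single-node actions)."""
    ctl = controller or SecurityController()
    networked, alone = [], []
    for ev in events:
        networked.extend(ctl.ingest(ev))
        alone.extend(single_node_response(ev))
    return networked, alone


if __name__ == "__main__":
    net, alone = run(SAMPLE_EVENTS)
    print("single-node actions:", alone)   # nothing: no sensor crossed 50 by itself
    print("networked actions:")
    for a in net:
        print("  ", a)
```

Two things the example is meant to show. First, the detection itself improves: neither the SBC (30 INVITEs) nor the firewall (25 SYNs) would have acted on its own, but the correlated total does cross the threshold. Second, the mitigation is pushed to all three enforcement points, so the source is cut off at the edge router as well as at the SBC that happened to notice it. A production controller would add per-kind weighting, expiry of blocks and an audit trail; the window and threshold here are placeholders.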
With the rapid adoption of software-as-a-service by enterprises, another cloud-related security concern arises from the need to manage and control real-time digital services across the enterprise while still meeting governance and compliance requirements. As more enterprises embrace the digital economy, they must close this gap in their security planning for services that span different service providers and different APIs. Companies need to keep protecting their digital services so that these integrations do not open a new avenue of attack.
So, not only are the traditional borders between networks disappearing with the cloud, but the border around applications themselves is also blurring. Companies need to secure the communications channel between endpoints, but they must also secure the paths between the different APIs that are invoked to compose the application.
It’s a fact of life that security threats – malware, DoS attacks, viruses – will evolve, and evolve quickly. DoS attacks, for example, were once the province of experienced computer scientists. Today, DDoS-for-hire services can be purchased on the internet for less than $10. Similarly, the botnet army of devices available to mount DDoS attacks will soon grow by billions as the IoT arrives.
Security solutions need to evolve faster than the threats they face. Companies need to let go of the idea that they can stop everything at the border, and instead adopt a dynamic, real-time, security-aware strategy that can block and mitigate the small percentage of truly harmful attacks, 100% of the time.