Profitable Personalisation


By Greg Bunt

 

 

 

Introduction

 

The era of personalisation is upon us. Dynamic content including television programmes, mobile phone ringtones and music can now be delivered, even wirelessly, on demand. While personalisation is a popular end user request, it is also being driven by service and content providers because it brings not just subscription and advertising revenue but also differentiation from the competition. The trend is further fuelled by explosive growth of communications devices and software, including mobile phones, video and music players, digital television and PC software.

 

Private Business

 

Personalisation requires the transmission of personally identifying data and financial information, so criminals try to intercept or otherwise steal this sensitive traffic for illicit purposes including identity theft and banking or credit card fraud. A further form of information abuse is copyright theft: circumventing the copyright safeguards built into content, namely digital rights management (DRM) software, for piracy, epitomised by illegal music distribution over peer-to-peer (P2P) networks.

 

Historically, sensitive network information was ‘secured’ by private networks such as the Society for Worldwide Interbank Financial Telecommunication (SWIFT) infrastructure used by banks. Private networking is still the most robust method of protecting information, although such networks must be physically secured from unauthorised users. Spurred by demand for higher-performance business systems, organisations traditionally on private networks such as X.25 and Frame Relay have migrated to IP-based networking, not because they wish to connect to the Internet but because IP has evolved at a significantly faster clip than legacy networking protocols. When a private network runs IP, complete separation from the Internet becomes paramount: the isolation that once followed from protocol incompatibility now has to be enforced deliberately, with no routes between the two networks, separate addressing and filtering at every point where they touch.

 

There are, however, applications that cannot operate on a private network. An Internet banking Website must be reachable over the Internet and at some point communicate with the bank’s highly sensitive back-end systems. Aside from securing the “front end” – the Internet-facing portion of this service – communications with the back-end systems must be restricted and monitored. This is where intrusion detection and prevention (IDP) systems come into play. IDP systems are security devices that understand protocols and normal network behaviour. They monitor traffic for anomalies and either flag administrative staff (detection) or, when deployed in line, halt the abnormal traffic before further harm is caused (prevention). They can only inspect what they can read: traffic that is encrypted end to end must be terminated, or the keys made available, before an IDP device can analyse it.

 

Elusive Authenticity

 

When transactions, whether for personalisation, billing or content data, are performed over the Internet rather than in a controlled private network environment, there is an additional need to verify the identity of all parties involved.

 

End user authentication can be as simple as a combination of user-id and password, with a stronger measure being a dynamically generated ‘token’ code, such as from an RSA SecurID device. The code is derived from a secret held inside the token and changes with time, so a code captured by an attacker is useless after a short window.

 

Authenticating merchants and content providers is more involved. Vendors need to be authenticated so that end-user information such as credit card numbers does not fall into the wrong hands. This is not a simple matter, and general consumer unawareness of the issue is one of the main reasons phishing attacks have been so successful at snaring information: a forged site looks the same as the genuine one, and the only thing that distinguishes them is the identity proof that users rarely check. The only real solution is end-user education.

 

Identity Crisis

 

Consumers of Internet banking services may be unaware of the need to verify the identity of the Web server they are connecting to. Simply typing in the URL – the bank’s Internet address – is insufficient. Users should first ensure they have a secure Web connection, indicated by the ‘lock’ icon and the https protocol in the URL, and also verify the site’s security certificate, a simple procedure that is performed differently in different Web browsers. The security certificate is issued by a third party, a trusted Certificate Authority, and is the digital equivalent of an ‘identity card’. The checks that matter are that it was issued by an authority the browser trusts, that it is within its validity period, and that the name in it matches the domain shown in the address bar; the lock icon alone proves only that the connection is encrypted to whoever holds the certificate, not that that party is the bank. Because the certificate carries the authority’s digital signature it cannot be counterfeited without the authority’s private key, but it is valueless to users who do not know to check it.
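What "verify the site's security certificate" amounts to, as an added example that is not from the article: the name and validity-period checks written out in Python, plus the client-side context setting that makes the TLS library perform the chain check. The certificate is a constructed dictionary in the layout Python's ssl module returns from getpeercert(); the bank name, the ".test" domains and the dates are invented for the illustration.

```python
import ssl

# Added example, not part of the article. The certificate below is constructed in
# the layout returned by ssl.SSLSocket.getpeercert(); names and dates are invented.


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard that is the whole left-most label.
    *.examplebank.test matches www.examplebank.test, not a.b.examplebank.test,
    and a bare *.test is never accepted."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_problems(cert: dict, hostname: str, now: float) -> list:
    """Reasons the certificate must NOT be trusted for `hostname` at time `now`
    (empty list = passes the name and validity checks). Signature and chain
    verification against the trust store is the TLS library's job, see secure_context()."""
    if not cert:
        return ["no certificate presented (or verification was disabled)"]
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificate without subjectAltName: fall back to the subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: certificate is for {names}, not {hostname}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


def secure_context() -> ssl.SSLContext:
    """The client setting that makes the checks happen: chain verified against the
    system trust store and name checked against the host requested. The common
    'fix' for certificate errors (check_hostname = False, verify_mode = CERT_NONE)
    silently accepts any certificate, including an attacker's."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


SAMPLE_CERT = {  # constructed, getpeercert() layout
    "subject": ((("countryName", "SG"),), (("organizationName", "Example Bank"),),
                (("commonName", "www.examplebank.test"),)),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "examplebank.test")),
    "notBefore": "Jan 10 00:00:00 2009 GMT",
    "notAfter": "Jan 10 00:00:00 2011 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2010 GMT")        # inside the period
TOO_LATE = ssl.cert_time_to_seconds("Feb 01 00:00:00 2011 GMT")   # after notAfter
TOO_EARLY = ssl.cert_time_to_seconds("Feb 01 00:00:00 2008 GMT")  # before notBefore

if __name__ == "__main__":
    for host in ("www.examplebank.test", "login.examplebank.test",
                 "www.examplebank.test.evil.test"):
        print(host, certificate_problems(SAMPLE_CERT, host, NOW))
    print(certificate_problems(SAMPLE_CERT, "www.examplebank.test", TOO_LATE))
```

The third hostname in the demo is the phishing case: a certificate that is perfectly valid for www.examplebank.test.evil.test is still a mismatch for the bank, which is why the name check is done against the full domain the user actually typed.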

 

The Security Squeeze

 

It seems obvious that the strongest possible security measures should be implemented by all parties involved in transactions, but there are costs. Security mechanisms need to be purchased and administered. In addition to financial and human resource expenses, security can also slow down procedures and constrain network performance.

 

Implementing security measures is a delicate balancing act, although because of the increasing variety and quantity of threats, providers are likely to err on the side of caution and compromise performance rather than information. Network equipment vendors are also offering in-line security devices, often hardware-based, that minimise the performance impact.

 

These purpose-built security devices have given rise to ‘front end processing’, the practice of separating the security mechanism from the information delivery system. In the case of an e-commerce Website, the Web tier (traditionally comprising the Web server, Web application servers and database system) becomes isolated from the transactional processing system. In a way, the centralisation of transactional processing is reinterpreting the legacy mainframe paradigm of yesteryear.

 

Data Centralisation

 

The practice of centralisation is being applied beyond Web architecture optimisation. Distributed organisations are embarking on consolidation initiatives, mimicking the revival of mainframe topology by collapsing network servers and bandwidth connectivity into physically centralised data centres.

 

Data centre consolidation simplifies network topology and bandwidth provisioning, saving costs. Data centres also allow organisations to focus their IT security and data integrity efforts, catering to increasing needs for regulatory compliance, including data archival and business continuity.

 

Securing the Vault

 

Protecting data centres begins with physical protection. The best digital security mechanisms can be circumvented if unencrypted data on laptops, hard disks or DVDs is physically stolen. An industry anecdote recounts a consultant who hacked into a network without entering the premises, merely by unscrewing the front door security panel and using the exposed Ethernet cabling. The lesson is that any network port reachable from outside the secured space (door controllers, cameras, lobby wall sockets) must sit on its own segment or require port-level authentication, so that plugging into it yields nothing.

 

After physical security comes digital protection. Firewalls form a first line of defence and have evolved from simple port-blockers to devices that inspect the content of packets and sessions for anomalies. Much of today’s transaction traffic is carried by two application-layer formats that a port-based firewall cannot see into: the Session Initiation Protocol (SIP), which sets up voice and multimedia sessions, and Extensible Markup Language (XML), the encoding used by Web services. Appropriate firewalls need to be capable of parsing and analysing SIP and XML traffic, not merely allowing the ports they use.
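To make "analysing SIP and XML traffic" concrete, here is an added example (not code from the article or from any vendor product) of the checks an application-aware firewall applies before a message reaches the back end: an XML filter that rejects entity-expansion and external-entity payloads, excessive nesting and malformed documents, and a SIP filter that validates the request line, the RFC 3261 mandatory headers and Content-Length. The size and depth limits, and all sample messages, are constructed for the illustration.

```python
import xml.parsers.expat

# Added example, not part of the article: application-layer checks of the kind an
# XML-aware / SIP-aware firewall performs. Limits and samples are constructed.

MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS = 1_000_000, 32, 10_000


def inspect_xml(payload: bytes) -> list:
    """Reasons to drop an XML message (empty list = pass)."""
    if len(payload) > MAX_BYTES:
        return [f"payload of {len(payload)} bytes exceeds {MAX_BYTES}"]
    # A DOCTYPE is the vehicle for entity-expansion ("billion laughs") and external
    # entity (XXE) attacks. Transaction messages never need one, so fail closed on
    # the raw bytes before any parser sees them (case-insensitive; a DOCTYPE string
    # inside a comment is also rejected, which is acceptable for a firewall).
    upper = payload.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return ["DOCTYPE/ENTITY declaration present (entity expansion or external entity)"]
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])

    def end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(payload, True)
    except xml.parsers.expat.ExpatError as exc:
        return [f"malformed XML: {exc}"]
    problems = []
    if state["max_depth"] > MAX_DEPTH:
        problems.append(f"nesting depth {state['max_depth']} exceeds {MAX_DEPTH}")
    if state["elements"] > MAX_ELEMENTS:
        problems.append(f"{state['elements']} elements exceeds {MAX_ELEMENTS}")
    return problems


SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
SIP_REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")


def inspect_sip(message: bytes) -> list:
    """Reasons to drop a SIP request (empty list = pass): method must be one we serve,
    RFC 3261 mandatory headers must be present, and Content-Length must agree with
    the body so a downstream parser cannot be desynchronised."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        return ["no end-of-headers CRLFCRLF"]
    lines = head.decode("ascii", "replace").split("\r\n")
    problems = []
    parts = lines[0].split(" ")
    if (len(parts) != 3 or parts[2] != "SIP/2.0" or parts[0] not in SIP_METHODS
            or not parts[1].startswith(("sip:", "sips:"))):
        problems.append(f"unexpected request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    for required in SIP_REQUIRED:
        if required.lower() not in headers:
            problems.append(f"missing {required} header")
    length = headers.get("content-length")
    if length is not None and (not length.isdigit() or int(length) != len(body)):
        problems.append(f"Content-Length {length!r} does not match body of {len(body)} bytes")
    return problems


# Constructed sample traffic.
BENIGN_XML = b'<?xml version="1.0"?><order><id>42</id><amount currency="SGD">19.90</amount></order>'
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                  b'<lolz>&lol2;</lolz>')
XXE = b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
DEEP_XML = b"<a>" * 200 + b"</a>" * 200
BENIGN_SIP = (b"INVITE sip:bob@biloxi.test SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP pc33.atlanta.test;branch=z9hG4bK776asdhds\r\n"
              b"Max-Forwards: 70\r\n"
              b"To: Bob <sip:bob@biloxi.test>\r\n"
              b"From: Alice <sip:alice@atlanta.test>;tag=1928301774\r\n"
              b"Call-ID: a84b4c76e66710\r\n"
              b"CSeq: 314159 INVITE\r\n"
              b"Content-Length: 0\r\n\r\n")
BAD_SIP = BENIGN_SIP.replace(b"INVITE sip:", b"EVIL sip:").replace(b"Content-Length: 0", b"Content-Length: 9")

if __name__ == "__main__":
    for sample in (BENIGN_XML, BILLION_LAUGHS, XXE, DEEP_XML, b"<a><b></a>"):
        print(inspect_xml(sample))
    print(inspect_sip(BENIGN_SIP), inspect_sip(BAD_SIP))
```

Note the order of the XML checks: the size and DOCTYPE tests run on the raw bytes so that a hostile document is refused before the parser spends any memory on it; only a document that has passed them is parsed, and then only to count depth and elements.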

 

While port blocking and packet inspection can thwart intrusion attempts, service downtime is often as damaging as information theft, especially for real-time transactions such as stock trading or Internet banking. Data centre firewalls therefore need to defend against denial-of-service (DoS) and distributed DoS (DDoS) attacks, which criminals often use to blackmail organisations. A firewall can absorb attacks that exhaust connection state or application resources; a volumetric attack that fills the Internet link before the traffic reaches the firewall can only be stopped upstream.

 

Network attacks can also be mitigated with the help of an organisation’s service provider. IP address spoofing forges the source address of attack traffic, hiding the origin of the intruder, defeating simple source-based blocking and allowing replies to be aimed at a third party. Service providers can combat this by activating anti-spoofing features – ingress filtering of customer traffic and unicast reverse path forwarding (uRPF) checks, which drop a packet whose claimed source address could not legitimately have arrived on that interface – but many do not do so because of performance degradation. It is important to deploy routers that deliver anti-spoofing without performance penalties.
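The decision a router's anti-spoofing feature makes, as an added example that is not from the article and not any vendor's implementation: a unicast reverse-path forwarding check in both strict and loose modes over a constructed forwarding table. The prefixes, interface names and sample packets are invented for the illustration; the treatment of the default route is a design choice of this example, labelled in the code.

```python
import ipaddress

# Added example, not part of the article: the unicast reverse-path forwarding (uRPF)
# check behind router anti-spoofing / BCP 38 ingress filtering. Forwarding table,
# interface names and packets are constructed.

ROUTES = [  # (prefix, interface the router uses to reach it)
    ("0.0.0.0/0", "uplink"),             # default route toward the upstream provider
    ("198.51.100.0/24", "customer-a"),
    ("203.0.113.0/24", "customer-b"),
    ("203.0.113.128/25", "customer-b2"),  # customer B's second site: more specific
]
FIB = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in ROUTES]


def best_route(src: str):
    """Longest-prefix match on the source address; returns (network, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for net, ifc in FIB:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def urpf_allows(src: str, ingress: str, mode: str = "strict", allow_default: bool = False) -> bool:
    """Strict mode: the best route back to the source must point out of the interface
    the packet arrived on. Loose mode: any route to the source is enough.
    Design choice here: the default route only counts when allow_default is set,
    otherwise it would vouch for every address on earth. Strict mode is the stronger
    check but rejects genuine traffic when routing is asymmetric (see customer-b below)."""
    route = best_route(src)
    if route is None:
        return False
    net, ifc = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return ifc == ingress


def filter_packets(packets, mode: str = "strict"):
    """Run the check over (source, ingress interface) pairs; returns the pairs dropped."""
    return [(src, ingress) for src, ingress in packets if not urpf_allows(src, ingress, mode)]


SAMPLE_PACKETS = [  # constructed
    ("198.51.100.7", "customer-a"),   # genuine customer A traffic
    ("203.0.113.5", "customer-a"),    # customer A spoofing customer B's address
    ("198.51.100.7", "uplink"),       # Internet host spoofing our customer's address
    ("203.0.113.200", "customer-b"),  # genuine, but best route is via customer-b2 (asymmetric)
    ("10.0.0.1", "customer-a"),       # private source: only the default route matches
]

if __name__ == "__main__":
    print("strict drops:", filter_packets(SAMPLE_PACKETS))
    print("loose drops:", filter_packets(SAMPLE_PACKETS, mode="loose"))
```

The two results illustrate the operational trade-off: strict mode catches all three spoofed packets but also drops the asymmetric one from customer B, whereas loose mode keeps customer B happy and only rejects the source for which no real route exists. Loose mode is therefore an anti-bogon filter, not an anti-spoofing filter, and on a customer-facing interface where routing is symmetric, strict mode is the setting that actually stops a customer forging someone else's address.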

 

Unrestricted Vulnerabilities

 

Network security becomes even harder to ensure when information flows through the air. Wireless networks, including Wi-Fi and mobile data networks, are attractive targets because they can be attacked from anywhere within radio range, without physical access to the premises. An unsecured wireless LAN is accessible by anyone within range, and the data it carries can be intercepted.

 

For customer billing, mobile operators keep detailed transaction information. While they have historically operated within private wireless networks, many operators are now connected to the Internet to provide value-added services. These Internet-facing interfaces are attractive targets, both for the sensitive personal and financial information residing in the operator networks and for nuisances such as SMS spam. Therefore, measures even more stringent than those for data centres need to be taken for operator infrastructure.

 

But at least mobile operators have dedicated IT teams. In the case of wireless LANs the onus of network security discipline falls on the network administrator, or even the end user. Access to wireless infrastructure is difficult to manage, because radio signals do not stop at the walls of the building and because attackers can brute-force weak WLAN passphrases. To compensate for these weaknesses, WLANs should be secured with Secure Sockets Layer (SSL) VPN technology. SSL (today standardised as TLS) is the same encryption protocol used to secure Web browsers during e-commerce transactions, and an SSL VPN runs on top of whatever basic wired or wireless LAN security is in place, so a compromised WLAN key exposes only encrypted tunnel traffic. Because of their security strength and the advantage of not requiring client software to be pre-installed, SSL VPNs are quickly becoming the de facto secure remote access solution for organisations of all sizes compared with alternatives such as IPsec-based VPNs, especially when the service needs to be rolled out across large numbers of computers.

 

Conclusion

 

The advent of personalisation has been a boon for providers and consumers. But guarding against information abuse requires a comprehensive digital security framework that considers every aspect of the information exchange and encompasses all the parties involved in the transaction.

 

Even the best technological security solutions can fail if users are inadequately trained, or if security policies are improperly designed or enforced. Personalisation provides customised services to individuals, but it will only continue to be successful while it serves the right individuals.

 

 Greg Bunt is Regional SE Manager at Juniper Networks, Asia Pacific.

 
Copyright 2009 SDA Asia Magazine - All Rights Reserved