Strategies to Avoid End-user Vulnerability

By: Nancee Ruzicka

Research recently presented by Ericsson indicates that by the end of 2019 it is predicted there will be more than 9 billion mobile subscriptions and that greater than 80% of those subscriptions will be for mobile broadband (i.e. data) services. And that doesn’t include estimates for M2M and other connected devices. As the number of smart phones and connected devices soars, service providers become increasingly vulnerable to hacks and data breaches resulting from compromised devices and applications in customers’ hands and homes.

Yet, it is entirely unrealistic to expect service providers to manage every instance of every device and application that is now or will be available in the future. The better option is to secure and manage network assets, applications, and data at the core of the network so that the services being sold to customers are protected. Understanding what devices are accessing service provider infrastructure and data is important; but ensuring that it is protected, regardless of device or application, is paramount. That way, if a device is compromised, the network, services, and applications that service providers rely on remain secure.

The 2014 Verizon Data Breach Investigations Report shows that servers have been the prime target of attacks for every one of the 10 years that Verizon has been compiling data. The report also shows that as the number of smart phones and intelligent devices continues to grow, so too does the incidence of attack. The rapid development of applications and wide distribution of content and storage platforms using cloud technology makes end-user devices an attractive access point to vulnerable servers and poses a significant risk to service providers as they roll out virtualization, content-based services, and M2M.

Delivering a comprehensive, customer-friendly approach to end-user security that protects the service provider while still empowering the customer, requires that user access to servers, applications, and data is consistent, secure, and accounted for. Implementing a selfish strategy that secures operator assets first will protect critical infrastructure and data while also protecting the customer.

Secure the Core

The networks that consumers and businesses rely on are secure subsets of the public network. Virtual Private Networks (VPNs) and carrier Ethernet services are proven methods for connectivity that are so reliable most people take connectivity for granted. Communication service providers spend billions every year on network security, prevention, and investigation of breaches.

Service providers tend to take a “system high” approach to security. That is, they put a blanket over the whole network and protect every physical connection at the highest possible level.  Although malicious traffic traverses the public network, the Verizon report shows that, over the past 10 years, compromise of service provider infrastructure such as routers and switches is consistently very low. So service providers are safe, right?

Not really. While service providers should not decrease their vigilance in securing the network, they must now implement a more comprehensive security strategy for new digital services applications and device access. When identifying gaps and preventing breaches, the already-secure network should be of less concern than securing service and customer applications and protecting data regardless of source, user, or device.

The top target – servers, specifically cloud services and data centers – are where many service providers plan to build virtual network devices, deliver value-added services, and manage business or M2M operations. Ensuring the security of all that additional IT and application infrastructure requires more than secure connections.

Decreasing vulnerability of IT infrastructure requires that service providers come to grips with how best to enable, monitor, and manage devices, applications, and users without having to apply and enforce restrictive or complex procedures. On airplanes we are told to “secure your own oxygen mask first and then help those around you”. When it comes to securing customer services, the same advice applies. Service providers must ensure that their own infrastructure, applications, and data are secured, monitored, and managed. Customers can and will use any device they choose, but access to service provider networks, servers, and applications should be carefully monitored and controlled to ensure that whatever threats come from outside actors will not cause substantial damage.

Managing individual user devices and applications has been somewhat effective in controlling access to service provider resources, but it does not address the core information security challenge of protecting operator infrastructure, applications, and data regardless of device, even if that device has been compromised. One solution is to wrap applications with security that prevents compromises such as unauthorized access or data loss.


Latest Updates

Subscribe to our YouTube Channel