Blog Articles

Why SSL Alone Doesn’t Cut It Anymore

In the 1995 motion picture The Net, Sandra Bullock plays a systems analyst whose social interactions occur mainly online, within the confines of her computer screen. She telecommutes to work, disassembles computer games, and orders pizza online, all while chatting with a friend over the phone. However, none of her computer prowess and hacking skills can protect her from identity theft, the movie’s main plot. After cyberterrorists tamper with all of her life records by exploiting a backdoor already present in federal computers, she must use her knowledge and skill set to piece her life back together and expose the conspiracy.


Even in the mid 90’s, when smartphones were not around and e-commerce was still in its infancy, the pivotal role of computer and network security, and the dangers of its absence, were well understood and recognized. Long before the Internet of Things (IoT) became the next big IT buzzword, the notion of pervasive computing was resonating within computer research labs and tech industry halls. Indeed, the idea of computing from anywhere, at any time, to shop, work (or you name it), was too attractive to pass up, and it became a major influence in this paradigm shift. The concept would soon make big waves across the entire IT community, and eventually society as a whole, its ripple effect touching virtually every aspect of modern life. However, new technology and its adoption bring not only needed change and innovation but also new challenges. Security is what gives computers, networks, and the data they operate on user authentication, data integrity, and message confidentiality. How do we keep meeting these goals while also supporting the myriad rich media applications that continue to flourish across an ever larger number of interconnected devices?

Ubiquitous computing brings with it the need to expand the IP address space as well as to reinforce the security protocols that must cope with the plethora of interconnected devices. The IoT paradigm, apart from demanding increased control and security measures, adds the need to process large amounts of data from multiple sources in real time. Unfortunately, SSL/TLS, the current standard that lets devices (clients) connect securely, does not scale well under the stringent requirements of IoT, or of most applications with real-time constraints, for that matter. The main bottlenecks in SSL/TLS are speed and connection latency, and both stem largely from the part of the protocol where many of its historical weaknesses, version and cipher suite downgrades among them, have also lived: the SSL/TLS key exchange handshake.

When a client first connects to a secure server using SSL/TLS, client and server must agree on the symmetric keys that will encrypt and authenticate the application data. A full TLS 1.2 handshake takes four message flights, or two round-trip times (RTTs), before the first byte of application data can be sent, three counting the TCP handshake that precedes it, and more if a retry or renegotiation is needed; even a resumed session still costs one RTT. Add the time required to process each message, the fact that TLS does nothing to reduce the size of the data it carries or to protect that data once it is stored, and a negotiation step that has opened up vulnerabilities of its own, and you have a “one size fits all” design that makes it hard to meet the space, time, and resource budgets of IoT and other real-time applications. The ideal protocol for creating secure connections must address specific application needs without compromising its security or operation. This can be done through targeted customizations that favor speed, reduce latency, and process data efficiently.

Just like the systems analyst in The Net had to think outside the box and reinvent herself in order to get her identity back, sometimes existing security protocols such as SSL/TLS need to be reexamined, purged, and reinvented in light of new technology trends and paradigms. Sometimes it is preferable to start with a clean slate on which to build the right foundation. Ideally, such a foundation is designed with a specific application domain in mind, is free of existing technology biases and preconceptions, and simply allows a customizable mix of features that can be enabled or disabled on a per project or per application basis. CENTRI’s BitSmart technology takes a step in this direction. Solutions such as BitSmart become even more relevant in light of ongoing paradigm shifts such as ubiquitous computing, and newcomers such as the Internet of Things (IoT), which impose even tighter security and operational requirements on distributed and real-time applications.

Luis Paris, Chief Scientist, CENTRI Technology

About the Author Luis Paris is the Chief Scientist at CENTRI. Luis oversees CENTRI’s research and focuses on the company’s core technologies, with an emphasis on how they can be applied to emerging markets like machine-to-machine (M2M) and the Internet of Things. He has an extensive history of teaching, learning and innovating with the goal of making the connected experience smarter, faster and more efficient. Connect with Luis on LinkedIn.


Waiting for the “Sh–IoT” to hit the fan

A lot has been written about the Internet of Things or IoT in the past several years. Tens of billions of connected devices around the world in the not too distant future. Huge improvements with new products and services from wearable devices to smarter oil rigs. Enhanced customer experiences. A giant market opportunity for a growing and hungry ecosystem of providers. All fantastic promises that are slowly coming true. But what about security?

After everyone stops dreaming about the amazing possibilities that can unfold with new IoT innovations, this is the one area of the movement that we need to get right from the start, as too much is at stake. If you think today’s data breaches of confidential enterprise information are a big deal, wait until the first major IoT security breaches affect the availability of your gasoline, your ability to power your home or control your car, or a manufacturer’s ability to build the goods that you purchase. In fact, each of these areas has experienced a minor security hack within the past year; what happens when the hackers get really serious?


Industry news about IoT security seems to share similar themes: great opportunity, but very few are really thinking about security yet. As per usual, it’s innovation first, with security a distant follower. Unlike other software or product innovations that were born from business and engineering units working within defined network parameters or connection points, the IoT is very different. Almost everything exists outside the network edge. Traditional dumb or headless devices become “smart” overnight and are connected wirelessly to provide new capabilities and the intelligent data that comes with them. There are no agreed standards, only a sprawl of protocols and device types, from the largest equipment to the tiniest sensors.

Securing the Internet of Things will require far different security parameters than enterprises employ today on their networks. Firewalls, SSL and other current standards will not cut it in this new era, where volume, scale and device variance will rule the IoT. The Cloud, public or private networks, websites and applications accessed across different mobile devices are the new delivery mechanisms. If an IoT connected device is like a delicious cake, data is surely the main ingredient. Protecting that data must be a primary goal if the innovations are to be worth developing in the first place. If we are still struggling with enterprise cyberattacks in the current landscape, adding billions of connected devices and equipment only provides a larger playground for hackers to plan their next attacks, and the impact could be far more devastating when what is compromised is the command and control of physical equipment rather than a database.

Today, Cloud security providers and mobile application security providers can offer security for some parts of the IoT. Unfortunately, security in the Cloud, on the device and everywhere in between requires protection of the data itself, and these point solutions can provide only a fraction of what is needed. Not all data will live in a Cloud or behind a firewall. CENTRI’s BitSmart can secure the end-to-end data flow from IoT sensors to datacenters with next generation encryption. If the devices themselves are secured and the data is encrypted, a breach yields neither unauthorized control of the device nor usable data. Now that’s a good start on keeping the Sh–IoT from hitting the fan.

Thanks for reading,

James

About the Author James Salter is the Director of Marketing at CENTRI. James has nearly 20 years of experience in software and technology marketing and enjoys sharing his insights on data security, enterprise issues, the Internet of Things and driving value from solutions. Connect with James on LinkedIn.

Think Like the Bad Guys: How CIOs Can Plan For Future Cyberattacks

On a recent vacation, my family and I went to Washington D.C. to visit all the great memorials, museums and government buildings that represent a lot of the history of this great country. Two of our favorite museums were the Crime Museum and the International Spy Museum.

The International Spy Museum was filled with fascinating artifacts from throughout the history of spying, in periods like World War II, when Allied spies battled Axis spies for critical war-time advantage, or the Cold War, when American and Soviet spies battled for information that would provide the upper hand in the nuclear arms race. Interestingly enough, the last exhibit (and presumably one of the newest) was entitled ‘Weapons of Mass Disruption’. This exhibit was less about history and more about the realities of cyber-terrorism we live with today.


Similarly, the Crime museum was filled with fascinating artifacts from the age old battle between famous lawmen like Wyatt Earp and notorious criminals like Jesse James or Bonnie & Clyde. Again, the final exhibit was less historical and more about the present, focusing on today’s white collar ‘silent criminals’ or cyber-criminals.

These museums show us not only the evolution of crime and terrorism over time but, throughout much of history, the matching evolution of counter-crime and counter-terrorism. Why, then, does it seem that over the past 10-15 years the art of counter-crime has stagnated while crime has continued to evolve? The evidence is in the seemingly at-will security breaches we see in the news day after day: Anthem, JP Morgan Chase, eBay, Home Depot, Target, and many more. The assumption that a business is too small, or in a vertical of no interest to hackers, has also been proven wrong. Breaches have spanned financial services, gaming, insurance, government, healthcare, education, social media, retail, entertainment, and the list goes on.

In the past, a CIO’s main focus was how many servers do I need, or how big do my servers need to be, to ensure that my infrastructure can handle all my consumers’ transactions and data. The advent of high tech in business shifted the ‘bad guy’ focus from criminals wanting to steal from my company to a new arch-enemy: ‘downtime’. While CIOs focused their technical gurus’ attention on combating downtime, the criminal mindset continued to evolve. CIOs must now devote equal or greater effort to evolving the way they combat cyber-crime and cyber-terrorism. On the bright side, there are already some great organizations and products out there, like CENTRI’s BitSmart, that are not only geared toward helping combat cyber-crime and cyber-terrorism but dedicated to evolving to stay ahead.

So, when future exhibits are added to museums like the Crime Museum or the International Spy Museum, how will your organization be represented? Will it be one of the organizations that were victimized by now famous cybercriminal ‘masterminds’ or will it be one of those organizations that thwarted the criminals … and maybe even helped lead to their capture?

Thanks for reading,

Mike

About the Author Mike Mackey is the vice president of engineering at CENTRI, responsible for the continued development of the company’s data security and optimization solutions. Mike brings tremendous depth and experience leading teams that build market-leading products, and his strong customer focus is one of the keys to the continued growth of CENTRI. Connect with him on LinkedIn.

The Three Little Pigs and Network Security

The Three Little Pigs is a timeless classic. You remember it, right? Three pigs. Two of them spent their time slacking off and built really flimsy houses out of sticks and straw. The third pig worked really hard and built a strong house out of brick. Once the big bad wolf comes calling, he makes short work blowing over the first two houses and the pigs run for cover to pig #3 and his more secure brick house. The wolf is thwarted and the pigs are safe. Great story, happy ending and the moral is simply to work hard and you’ll be okay.


I see a lot of parallels between this tale and how enterprises have to go about securing their networks today. However, if this story were rewritten in 2015, in a world of increased threats, it would be a little less about working harder and a lot more about working smarter.

Let’s pretend that it’s present day and the pigs represent your enterprise data and the wolf is a hacker. No way that the wolf gives up at the sight of one brick house. After all, the U.S. State Department alone faces thousands of hacking attempts each day on its computer networks. This wolf runs over to Home Depot and buys a sledgehammer. Maybe he gets a few dozen friends to help him dig under the house. Or he rents a bulldozer. Whatever happens, I’m sure that these three little pigs end up as three little dinners.

Perhaps the pigs could have built an even bigger house, maybe something with a fence, a moat or a fortified basement. No matter what, the wolf would have found a way around the defenses. This is much like how enterprises try to defend themselves against external hackers. In fact, they also have to deal with internal threats. Maybe the third pig is in on it and the first two pigs are already bacon?

The pigs don’t need a bigger house; that’s akin to deploying more firewalls or detection systems. What they really need are invisibility cloaks, something that still protects them once the wolf eventually breaks in, just as enterprises need to encrypt their data so that it stays protected once an attacker is past the perimeter. This is the strategy more enterprises need to employ today. The point isn’t just to make it difficult for the wolf to get inside; the point is to completely protect the pigs. This is why old ideas about network security don’t cut it anymore and new ideas about data security and proper encryption are much smarter, and will lead down the road to survival and secure data.

My rewrite of the classic tale picks up at the end like this: Wolf breaks into brick house, but it’s empty. The pigs seem to have disappeared. Wolf looks around, gives up and moves on to the other house down the street. The pigs are happy and safe. Moving forward, all pigs can live in houses made of sticks, straw or bricks and play outside as long as they wear invisibility cloaks. The End.

Thanks for reading,

James

About the Author James Salter is the Director of Marketing at CENTRI. James has nearly 20 years of experience in software and technology marketing and enjoys sharing his insights on data security, enterprise issues, the Internet of Things and driving value from solutions. Connect with James on LinkedIn.

Encrypt Everything, Period: Enterprises Today Cannot Leave Their Data Exposed

Cyber security is top of mind for every corporate executive, while consumers read the headlines about recent data breaches and wonder whether these enterprises are doing enough to protect their data. Most corporations and consumers are relying on outdated security solutions that were believed to be sufficient just a few years ago. That is not the case today; we now live in a mobile-first world where data about everything and anything we do online is captured, analyzed and used to deliver a more personalized experience. The corporations that capture the data have an ever growing responsibility to prevent its misuse, and consumers have an ever growing concern about its security.

Traditional security measures have focused on defensive technologies that are reactive in nature, such as a corporate firewall between an internal trusted network and the external untrusted Internet, or the more commonly understood anti-virus software that scans emails and computers looking for malware. One of the primary changes in recent years is the use of mobile devices as the primary connection to the Internet for online shopping, banking, gaming, health and fitness and countless other uses. In the not too distant future the number of connected devices, often referred to as the Internet of Things, will grow from about one device per person to perhaps 10 devices per person; the number of connected devices could reach 20 billion within the next few years.

With the rapidly increasing number of connected devices and the vast amount of data they create, a new way of thinking about data security is required: one that builds upon the traditional solutions that act as the first line of defense, but also protects corporate and consumer data in the event that the first line of defense fails. Most security professionals accept this layered approach as the most responsible one and as best practice for computer security. Encrypting all data through its entire life cycle has the highest potential for rendering a data breach harmless: if all data is encrypted, then hackers and thieves who gain access to it cannot make sense of it, and, simply put, the motivation goes away.

Data encryption has been used selectively for many years; however, its wide use has been limited by the complexity of traditional encryption technologies and by the additional processing power and time they require. Most security professionals understand the need for encryption but have had to choose between flexibility and good security, and until recently security was often the lower priority. Technologies like CENTRI’s BitSmart can provide data encryption and compression across the entire life cycle: at the point where data is generated, through the network where it is transmitted, within the application where it is processed and within the storage where it is saved.

Layered security is the best approach to preventing cyberattacks and data breaches, but traditional defensive solutions are no longer sufficient; full lifecycle data encryption is necessary. Zero trust is a philosophy promoted by Forrester Research in which there is no longer a trusted internal network and an untrusted external network. CENTRI believes that by leading the industry with BitSmart and an encrypt-all-data mantra, the zero trust model is made possible. Enterprises interested in truly protecting their data would be wise to adopt an “encrypt everything” policy, and supporting solutions, now.
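The “invisibility cloak” of the Three Little Pigs post and the “encrypt everything” policy above come down to the same mechanism: authenticated encryption of the record itself, so that a copy lifted from storage or from the wire is worthless without the key and any modification is detected on read. The Go program below is an added example, not code from the original posts or from CENTRI, and it says nothing about how BitSmart works; it uses the standard library’s AES-256-GCM. The record identifier format (device-0042/seq-17) and the sensor payload are constructed for the demonstration, and key management (where the 32-byte key lives and how it is rotated) is assumed to be handled elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// SealRecord encrypts one record with AES-256-GCM. recordID (e.g. "device-0042/seq-17") is
// bound in as associated data: it stays in the clear for routing and indexing, but the tag
// check fails if it is altered or the blob is filed under a different ID.
// Output layout: 12-byte nonce || ciphertext || 16-byte tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record; reusing one under the same key breaks GCM completely.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to key, record ID, nonce, ciphertext or tag
// produces an error and no plaintext at all, never a partially decrypted record.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, body, []byte(recordID))
	if err != nil {
		return nil, errors.New("record rejected: wrong key, wrong record ID, or tampered data")
	}
	return pt, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes", keyLen)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, keyLen) // assumed to come from a KMS or HSM in a real system, never from code
	wrongKey := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	if _, err := rand.Read(wrongKey); err != nil {
		panic(err)
	}
	const id = "device-0042/seq-17"                     // constructed record identity
	reading := []byte(`{"temp_c":71.5,"valve":"open"}`) // constructed sensor payload
	sealed, err := SealRecord(key, id, reading)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes): %x\n", len(sealed), sealed)

	tampered := append([]byte(nil), sealed...)
	tampered[12] ^= 0x80 // flip one bit of the ciphertext
	attempts := []struct {
		who  string
		key  []byte
		id   string
		blob []byte
	}{
		{"owner with key", key, id, sealed},
		{"thief without key", wrongKey, id, sealed},
		{"attacker who edited the blob", key, id, tampered},
		{"attacker replaying it as seq-18", key, "device-0042/seq-18", sealed},
	}
	for _, a := range attempts {
		if pt, err := OpenRecord(a.key, a.id, a.blob); err != nil {
			fmt.Printf("%-32s -> %v\n", a.who, err)
		} else {
			fmt.Printf("%-32s -> %s\n", a.who, pt)
		}
	}
}
```

Binding the record ID as associated data is what closes the storage-level attacks that plain encryption leaves open: an attacker with write access to the database cannot replay yesterday’s sealed reading under today’s sequence number, or move a record between devices, because the tag only verifies under the ID it was sealed with. A fresh random nonce per record, as here, or a strictly increasing counter is mandatory; a repeated nonce under one key exposes both plaintexts and the authentication key.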

Thanks for reading,

Vaughan


About the Author Vaughan Emery is the founder and CEO of CENTRI. He works closely with customers and technology partners to deliver the company’s solutions. Throughout his career, Emery has developed key business relationships with Fortune 5000 companies, mobile operators and technology partners in the United States, Asia and Europe. Previously, he founded a mobile security technology company, which developed an advanced malware security solution for mobile phones and embedded devices. He has over 20 years of leadership experience in commercial product development, technology services and business development. Connect with him on LinkedIn.
