In the last article on Cloud Broadcasting we looked at reliability and the client-server model in Amazon Web Services high availability zones. In this article, we look more at cloud security, a very emotive word in the IT community.
A bank can take an amount of cash, put it in a safe, weld the doors shut, enclose it in a four-foot-thick reinforced concrete box and bury it two hundred feet underground with no doors or staircase. We could continue for hours about how we improve the security for our cash; put a building over the container so nobody knows it’s there, delete all documentation, then end up with a solution that is so secure the money would probably decay before anybody could get their hands on it.
It’s fair to say we could make the storage so secure that the money would never be seen again. And here lies the problem: the solution starts to become insecure as soon as we provide access to the cash. We have a door to the safe, steps to the underground chamber, signposts to the staircase, all of them potential areas of vulnerability.
Once we provide access we can start to improve security again using increasingly draconian methods: guards could be placed on the entrance to the staircase, electronic retina scanners could be used to open locked doors, and all staff would need to be accredited. These seem like good security measures to stop thieves and anybody trying to break into our datacentre. However, any one of them can be easily defeated, not by hi-tech computer hacking methods but by simple old-school criminal behaviour, because people are the weakest link in any security system.
To build effective security systems we need to understand the psychology and behaviour of the criminal. What do they want from breaking in? What are they going to achieve? What is their true motivation? In our banking analogy, the answers to these are straightforward; it’s possible that some criminals have broken into banks for the challenge, but it’s more likely they want the cash.
Understanding criminal behaviour in the IT world is a whole different game. Terrorist attacks over the past ten years have demonstrated that some people think differently from us; they hold strange ideologies that seem to support terrorist behaviour which is completely alien to most of us.
Analyzing data from network monitoring tools is a full-time job and the amount of work needed can easily overwhelm IT departments.
Criminals still break into computer systems to gain cash, but we also have the added dimension of terrorists breaking into networks simply to show that they can; the publicity they gain demonstrates a superiority that reinforces their perceived dominance.
Even gaining cash isn’t as simple as it used to be. Criminals lock important business files and send the owners ransom notes offering to unlock and release the data.
Always Playing Catchup
The biggest problem with IT security is that many of us simply do not think like criminals. If we did, we would be criminals and wouldn’t bother coming into work each day. Although IT managers do a fantastic job of protecting their datacentres, they’re not in control of the entire system, because users need to gain access to the network and data servers. As soon as we provide access the system becomes vulnerable.
Firewalls can stop outside attackers from trying to access the system, and anti-virus software can check for malicious code such as ransomware. But this is always playing catch-up: the vendor of the firewall or anti-virus software must have seen an attack on one of its other clients before it can send you an update to protect your system.
Cannot Compete with AWS
Security is an exercise in risk management, not absolute truths and guarantees. No IT Manager in the world can guarantee a user system to be completely secure. If your private datacentre hasn’t been compromised, then it’s only a matter of time.
Cloud service providers like Amazon Web Services (AWS) do provide a good compromise and hope for the future. They have some of the best security, network and infrastructure engineers in the world working on their systems twenty-four hours a day, all year round. Few companies could hope to compete with their knowledge and experience, to the point where government agencies have started to use cloud services.
AWS reports on its web site that it holds seventeen security certifications, including the US Department of Defense Security Requirements Guide (DoD SRG), and a plethora of independent audits are regularly conducted to keep a check on security.
Security starts with the users and they must play their part in keeping systems secure
The locations of datacentres are a closely guarded secret, and AWS goes to great lengths to restrict human access to the infrastructure. Power backups, fire detection and suppression, and temperature are constantly monitored and maintained where required. Even the decommissioning of old hard disk drives is taken seriously: they are degaussed and physically damaged beyond repair before disposal, all with appropriate audit controls in place.
Network security includes limited points of access with firewalls and advanced monitoring systems at cloud access points. Traffic is constantly monitored for distributed denial of service attacks, man in the middle attacks, IP spoofing, port scanning and IP sniffing by other users. Dedicated teams of engineers are employed to deal with these issues when they occur.
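As an added illustration of the port-scan monitoring mentioned above (example code written for this article, not AWS’s or the author’s tooling), the detector below flags any source that touches many distinct ports on one host within a short window. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection-attempt records (not real traffic):
# "timestamp source_ip dest_ip dest_port"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 198.51.100.10 22
2024-01-01T10:00:01 203.0.113.5 198.51.100.10 23
2024-01-01T10:00:01 203.0.113.5 198.51.100.10 25
2024-01-01T10:00:02 203.0.113.5 198.51.100.10 80
2024-01-01T10:00:02 203.0.113.5 198.51.100.10 110
2024-01-01T10:00:03 203.0.113.5 198.51.100.10 143
2024-01-01T10:00:03 203.0.113.5 198.51.100.10 443
2024-01-01T10:00:04 203.0.113.5 198.51.100.10 3306
2024-01-01T10:00:00 192.0.2.7 198.51.100.10 443
2024-01-01T10:05:00 192.0.2.7 198.51.100.10 443
2024-01-01T10:09:00 192.0.2.7 198.51.100.10 22
"""

def parse_log(text):
    """Parse lines into (timestamp, src, dst, port) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records

def detect_port_scans(records, window=timedelta(seconds=60), min_ports=6):
    """Flag sources that hit >= min_ports distinct ports on one host within
    `window`. Returns {src: (dst, sorted_ports)} for each flagged source,
    keeping the largest qualifying window seen for that source."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for (src, dst), events in by_pair.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(best):
                best = ports
        if best:
            alerts[src] = (dst, sorted(best))
    return alerts
```

Ordinary clients repeatedly using one or two service ports (as 192.0.2.7 does here) stay below the threshold, which is what keeps such a rule from drowning the monitoring team in false alerts.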
Management access is provided using SSH public-key authentication as well as traditional login credentials, to provide audit trails of who’s logged in and advanced levels of security to protect your system from unscrupulous attackers.
Although cloud service providers make their infrastructures and networks as secure as they can possibly be, they do rely on their clients making their software and their access to the services secure. Broadcasters should conduct appropriate risk management to assess users’ access to the system.
Even in today’s security-aware working environments, it’s not uncommon to see a yellow note stuck to the side of a computer monitor with the word “password” written on it. The best cloud security systems in the world cannot protect valuable data against this, and CEOs must support their IT department in enforcing personal security.