CLOUD STRATEGIES for the DIGITAL THREATSCAPE White Paper Why Security As a Service (Secaas) Is Becoming the De-Facto Business Model

CLOUD STRATEGIES FOR THE DIGITAL THREATSCAPE White paper Why Security As A Service (SECaaS) Is Becoming The De-Facto Business Model

By Martin Bergenwall, Senior VP Product Management at Inside Secure

DRIVING TRUST TABLE OF CONTENTS

The case for Security as a Service - 3

Security as a Service in the real world today - 5

Authentication - 5

Premium Entertainment - 7

Payments - 9

Toward a Future-Proof Network - 10

DRIVING TRUST 3

1010101010101010101010101010101010101010101101010101010101010101010101010101010101010110101010101010 1010101010101010101010101010110101010101010101010101010101010101010101011010101010101010101010101010 1010101010101011010101010101010101010101010101010101010101101010101010101010101010101010101010101010 1101010101010101010101010101010101010101010110101010101010101010101010101010101010101011010101010101 0101010101010101010101010101011010101010101010101010101010101010101010101101010101010101010101010101 0101010101010101101010101010101010101010101010101010101010110101010101010101010101010101010101010101 0110101010101010101010101010101010101010101011010101010101010101010101010101010101010101101010101010 1010101010101010101010101010101101010101010101010101010101010101010101010110101010101010101010101010 1010101010101010110101010101010101010101010101010101010101011010101010101010101010101010101010101010 1011010101010101010101010101010101010101010101101010101010101010101010101010101010101010110101010101 0101010101010101010101010101010110101010101010101010101010101010101010101011010101010101010101010101 1010101010101010101010101010101010101010101101010101010101010101010101010101010101010110101010101010 1010101010101010101010101010110101010101010101010101010101010101010101011010101010101010101010101010 1010101010101011010101010101010101010101010101010101010101101010101010101010101010101010101010101010 1101010101010101010101010101010101010101010110101010101010101010101010101010101010101011010101010101 0101010101010101010101010101011010101010101010101010101010101010101010101101010101010101010101010101 0101010101010101101010101010101010101010101010101010101010110101010101010101010101010101010101010101 0110101010101010101010101010101010101010101011010101010101010101010101010101010101010101101010101010 1010101010101010101010101010101101010101010101010101010101010101010101010110101010101010101010101010 1010101010101010110101010101010101010101010101010101010101011010101010101010101010101010101010101010 1011010101010101010101010101010101010101010101101010101010101010101010101010101010101010110101010101 0101010101010101010101010101010110101010101010101010101010101010101010101011010101010101010101010101

As conventional, self-managed IT security proves increasingly costly and vulnerable to hackers, hosted services are rapidly growing in popularity.

Though security as a service (SECaaS)is not a new idea – it’s time has come. Security-as-a-Service: (n). IT (SECaaS) Today’s expanding $146B cloud computing market Integrated security (according to Forrester, 2017) has made the offered by a service SECaaS business model extremely attractive to provider on a IT organizations by offering a range of solutions subscription basis that are often easier, cheaper, and more effective to deliver more cost than a self-managed security approach. Fewer effective, hacker-proof internal security specialists are required, set-up protection than on- and maintenance fees are eliminated, and a pay- premise structure built per-use model reduces cost of ownership while and maintained by an delivering the most updated, state-of-the-art security. in-house systems team. SECaaS adoption is expected to reach 85% of large enterprises by 2020 according to CIO magazine, an increase from less than 5 percent in 2015. Gartner predicts the market will grow to $6B this year — up 20 percent compared to 2016 — reaching $9B by 2020. We believe SECaaS will emerge as the de-facto business model on many networks as it doubles in size again to $16.5B by 2026, according to a Persistence Market Research study.

Many forces are pushing the industry toward SECaaS. “The megatrends of cloud computing and the ‘rise of the developer’, with roughly 111 billion new lines of code being written this year, require security testing as a seamless part of the software development life cycle,” says Mike Kail, founder of SECaaS Cybic (former CIO Yahoo! and Netflix).

DRIVING TRUST 4

“Likewise,” says Kail, “the shortage of cybersecurity talent means we must leverage automation and orchestration of manual tasks and processes to provide this security testing on a continuous basis. In other words, given cloud migration and the dissipation of the security perimeter, security must move from a control function to a solution based upon context.”

The rise in cloud-based security services has surpassed forecasts

IN THE BILLIONS 0 1 2 3 4 5 6 7 8 9 10

2013 $2,13B

2014 $2,63B

2015 $3,17B

2016 $3,65B $4.84B

2017 $4,1B $5.85B

2020 $9B

SOURCES: GARTNER / 2013 Gartner 2013 Gartner 2017 GARTNER / 2017

What is fueling SECaaS’ popularity - making organizations favor licensing security over the Internet? Among the key drivers are: • Growing data volume • Network complexity • Increasingly sophisticated attacks, malware, and blackmail (AKA ransomware). The recent Equifax breach of 145 million user profiles exposed this enormous danger. An entire year before the incident, Equifax was warned by financial analyst MSCI that they were not prepared to combat the “increasing frequency and sophistication of data breaches.” Companies that implement protections in-house find it less and less practical to staff a 24/7 team capable of sustaining enough expertise to thwart breaches. It’s a challenging, ever-changing skill set.

DRIVING TRUST 5

SECURITY AS A SERVICE IN THE REAL WORLD TODAY To appreciate basic SECaaS technology and its increasing appeal, here are three real world examples today in IT (Authentication), Entertainment, and Finance.

1. Strong Authentication - Ensuring only the rightful access Hosted services to protect user identities and transactions

Easy, secure identity verification is essential for the new mobile, online payment economy. It will be the foundation for smartphone purchases, service access, and the growing consumer IoT world where household devices connected to cloud-based network control are part of our daily lives.

Authentication API for online services

All end-user PII is managed / Strong authentication manages stored in customer systems users’ security tokens and keys

PKI Strong Online services Auth API authentication (Existing IAM) service

Access anywhere with username Authenticate and authorize and password (optional) with a digital signature

DRIVING TRUST 6

But passwords are not enough anymore to secure online services. They do not keep online users safe and cause end user frustration. What’s more, frequent password recovery eventually leads to customers abandoning your services.

Continuous breaches of personal information in online services are even forcing legislators to increase the security requirements in financial and other online services. With strong authentication tokenizing users, no personal user information or identities are stored, and the benefits of SECaaS prevail without taking any control away from you. Significant upfront investment (and risk) to develop a homegrown solution is avoided, and coverage can be scaled to meet demand—with no additional infrastructure required.

It’s true that this type of solution can be also deployed on-premises; however, by using the solution as a service, overall security is enhanced. This is because identity and access management not only prevents disruptive security outcomes, but work together, and with such an outsourced strong authentication, the hacker has twice the work to gain access to target users’ accounts.

The SECaaS point here, is that proactively developing your service’s user identity and access management can increase business and drive user engagement. It’s not uncommon for implementers of strong authentication to see an increase of 30% in online service usage after deploying a strong passwordless authentication solution.

DRIVING TRUST 7

2. Protecting Premium Entertainment Preventing piracy through cloud watermarking service

One of the most compelling SECaaS trends is piracy tracking services using forensic watermarking. As premium movie and TV content is increasingly distributed to all devices, the economic stakes for content providers rise. In fact, movie studios will only license their premium programming to service providers that guarantee piracy deterrents through secure identification trace, or watermark, of their titles.

But DRM alone is only part of the battle. The other increasingly relevant aspect is combating situations where content protection is circumvented and premium content is leaked. DRM can only go so far in protecting the content: it is effective within the confines of the devices where it is running, but once the content legitimately leaves the device, all bets are off.

So, companies like Verimatrix, ContentArmor, NexGuard, and MarkAny enable forensic tracking services to identify the source of the leak through the use of trusted video players superimposing a unique pixel pattern, or “watermarking payload”, on the video. This marking is invisible to the human eye and extremely hard to remove without severely damaging video quality. These tools can then extract the watermarking payload and therefore identify the user or the device. Likewise, when the watermark is detected, the service may be degraded, stopped, or the abusing party may be reported.

However, this only happens once the source of the leak is identified, and then the content provider needs to take action against it. This is where the “service” comes into play. The service that has monitored leaked video streams (known pirate websites, torrents, Usenet newsgroups, etc.) must call into action a way to block the individual user by revoking their DRM license or even rescinding membership to the user’s OTT entertainment subscription.

DRIVING TRUST 8

Most critical is preventing premium content being leaked over Peer to Peer (P2P) and social networks – and SECaaS is a growing answer to stop illegal redistribution of your premium and live events, which can cost you millions in lost advertising revenue or subscriber revenue.

Watermarking

Head-end Consumer devices (Android, iOS...) Content distribution network

DRM ContentArmor Profiler/ Pre-processing ContentArmor embedder Content Processed content Display

Forensic/Investigative services Watermaking payload Report to content Traitor tracing provider service Forensic Pirated watermarked Database Watermarked content content

DRIVING TRUST 9

3. Payments - Updating and changing credentials continually Migrating security to the cloud

Credit card use is also moving to the cloud-based SECaaS model. As payments and transactions continue to migrate from plastic cards to mobile devices, the need for a high level of security does not change; however, the way it is implemented does.

A chip on a traditional plastic payment card is designed to keep the payment credentials (especially the cryptographic keys) safe for the five-year life span of the card. It is not possible to update the card without mailing a new one to the cardholder.

Mobile payments are very different. Mobile devices have data connections and allow the payment credentials to be regularly updated and changed as they are used. Because of this, the technology for provisioning mobile payments is known as “Cloud-based Payments”. This clearly demonstrates how the front-line of card security is moving to back-end risk management.

However, this does not mean the security of the payment device can be ignored. Such a method needs a hybrid security approach using cloud services to de-risk while still protecting the front-line device. For example, the onboarding process and the management of personal data is still required to be protected on the mobile device, this will become critically important across this and other markets when the EU’s General Data Protection Regulations (GDPR) are introduced in Europe.

This hybrid approach will become a common model across a range of industries in the near future, because it puts Card Issuers and third party Payment App providers in control. Breaches are minimized and the organization can quickly respond to new threats, and, as needed, upgrade the security of the software.

DRIVING TRUST 10

TOWARD A FUTURE-PROOF NETWORK

Whether it’s User Identity, Entertainment, or Payments stakeholders, security must be a key consideration. Traditionally this has implied complete in-house control. It’s true that product, customer, or financial data can be so sensitive that it’s compelling to keep it closely held. But the benefits of the new SECaaS model are becoming increasingly persuasive.

Today the industry is voting with its feet for service-based solutions. Cloud-based security can outperform traditional security approaches in critical ways. By providing better real-time monitors and forecasting, threats are identified and systems updated faster. Likewise, the on- demand approach is cost-effective: pay-as-you-go security services can limit charges by use.

Up-to-date security system updates create a seamless protection, not “bolted on” as an after-thought, but rather a built-in functionality with maximum performance from the ground up. Importantly for IT companies who are looking to be increasingly efficient, the SECaaS model offers economies of scale by removing the need for internal specialist expertise (which can be expensive and hard to find). Set-up costs are low, and development is done on the latest version without an upgrade pain.

Ask yourself the questions: could your premium content be at risk of being recorded and shared over P2P networks? Do you know your level of risk? It’s important to understand how vulnerable you are and to whom. Could you benefit from reducing your risk with a service to get all of its advantages?

Inside Secure has long anticipated the need and advantages of SECaaS, and has solutions in the market today such as strong passwordless authentication and provisioning, as well as forensic watermarking. These can easily put companies in a position to benefit from using a service to ensure the most effective and current protection.

To learn more, please visit www.insidesecure.com or contact Martin Bergenwall ([email protected])

DRIVING TRUST 11

Inside Secure (Euronext Paris – INSD) is at the heart of security solutions for mobile and connected devices, providing software, silicon IP, tools, services, and know-how needed to protect customers’ transactions, ID, content, applications, and communications. With its deep security expertise and experience, the company delivers products having advanced and differentiated technical capabilities that span the entire range of security requirement levels to serve the demanding markets of network security, IoT and System-on-Chip security, video content and entertainment, mobile payment and banking, enterprise and telecom. Inside Secure’s technology protects solutions for a broad range of customers including service providers, operators, content distributors, security system integrators, device makers and semiconductor manufacturers.

For more information, visit www.insidesecure.com.

DRIVING TRUST