According to Frost & Sullivan, enterprises in the Asia Pacific region are increasingly outsourcing network infrastructure security as they find themselves ill-equipped to handle multiple, complex cyber threats. The firm therefore estimates that the Asia Pacific Managed Security Services (MSS) market is going to reach US$5.34 billion in 2019. The MSS market in the region is also gathering momentum due to stringent regulations and the popularity of cloud computing and the bring-your-own-device trend.
Organisations are now more aware of the benefits of security service models for protecting network infrastructure, gaining operational flexibility, supporting internal growth, and achieving performance objectives.
“The improved quality of services and the enhanced service level agreements offered by professional security service providers play an important role in accelerating trust in third-party services among enterprises,” said Frost & Sullivan Information and Communication Technologies Industry Manager Cathy Huang. “Organisations are also adopting security services as an add-on to their existing security setup.”
However, the strong mind-set towards product ownership will somewhat dampen the growing momentum of the market in the Asia Pacific region. With the availability of affordable security products, enterprises prefer spending on dedicated appliances rather than purchasing services they would not wholly own.
Nevertheless, the client base will widen significantly in the future as awareness of the advantages of MSS improves. Many enterprises, especially those from banking, financial services and insurance (BFSI) and government verticals, are already employing a phased approach towards MSS, Frost & Sullivan believes.
“MSS providers must continue to expand their service portfolios to include emerging advanced services such as data loss protection, Web application firewall and security forensics,” noted Huang. “Services pertaining to security analytics and risk management are likely to be introduced in the near future.”
And since businesses are becoming increasingly concerned with the amount of personal and company data that is available to government authorities (not only without having to ask permission from anyone in the company, but without anyone even finding out about it), the picture starts to get even more complicated.
Ironically, according to SecurEnvoy Ltd, that data can often be accessed via the very security company that a business uses to make its data secure, e.g. a provider of hardware tokens or two-factor authentication. Under the current laws, government organisations can request copies of specific secret keys, which businesses use to access their corporate data. However, the government can also request them from the authentication companies that automatically store copies of their customers’ codes when created.
Indeed, authentication companies offer different methods to customers. Many of these companies manufacture and send pre-programmed tokens with their corresponding seed records: secret keys that are used to create a series of digits on devices to be used as a method of authentication when logging on remotely. However, the pre-programmed service has a fundamental flaw within the architecture of the authentication technology. As the secret keys (seed records) are generated prior to the customer needing them, and not on demand as end users enrol their phones, the authentication company is required to store customer seed records on file, which poses a significant safety risk. As long as some authentication companies continue to hold these secret keys, governments can legally request copies of them and could delve into company data unbeknown to the business. With this method, users also have to store a seed record on their device, and one can imagine what happens when the user’s phone gets passed on or lost. If the seed record is still on the device, then the individual’s corporate identity goes with it, SecurEnvoy explains.
But it is the seed records stored by the authentication companies that allow other organisations to legally access company data. Different cases have brought cause for concern in recent times, from government authorities being able to access company data without the knowledge of the company’s customers, to millions of seed records being compromised after a successful attack on the authentication company.
“This level of security breach is completely unnecessary and can be easily avoided,” SecurEnvoy Ltd affirms. “It is possible to create seed records without the authentication provider needing to store them at all because the seed records can be split into two sections. Half of the record can be created when enrolling and only stored on the customer’s own server and user device; the other half is derived from the fingerprint of the user’s device and passed back to the server at enrol. Each time a pass code is required by the user, the device decrypts the first part and then re-fingerprints the device to derive the second part. These seed records are only ever known to the local security server that resides within the customer’s own computer room and only partly known to the end user’s device. Therefore, the authentication provider never even knows what the secret keys are.”
By operating this way, authentication companies cannot give out copies of seed records to government authorities or any other organisations, because the records simply won’t be in their possession. This technology shouldn’t overwhelm business leaders. Put simply, it stops data breaches which can otherwise be easily achieved, and have catastrophic effects on a business.
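The split seed record scheme described above, sketched as an added example (it is not SecurEnvoy's code and not part of the original article). It assumes the two halves are simply concatenated, that the fingerprint half is a SHA-256 hash over hypothetical device attributes, and that pass codes are RFC 4226 HOTP; encryption of the stored half at rest on the device is left out.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def fingerprint_half(device_attrs: dict) -> bytes:
    """Second half: recomputed from the device each time, never written to storage."""
    canonical = "|".join(f"{k}={device_attrs[k]}" for k in sorted(device_attrs))
    return hashlib.sha256(canonical.encode()).digest()[:16]


def enrol(device_attrs: dict):
    """On-demand enrolment between the customer's own server and the device.

    Returns (full seed kept by the customer's server, half stored on the device).
    Nothing is pre-generated, so the authentication vendor holds no copy.
    """
    stored_half = secrets.token_bytes(16)
    return stored_half + fingerprint_half(device_attrs), stored_half


def device_seed(stored_half: bytes, device_attrs: dict) -> bytes:
    """Device side: rebuild the seed by re-fingerprinting the hardware."""
    return stored_half + fingerprint_half(device_attrs)


def device_passcode(stored_half: bytes, device_attrs: dict, counter: int) -> str:
    return hotp(device_seed(stored_half, device_attrs), counter)


# Constructed sample devices (attribute names and values are hypothetical).
ENROLLED_PHONE = {"model": "PhoneA", "hw_serial": "SN-0001", "os_build": "1.0"}
OTHER_PHONE = {"model": "PhoneB", "hw_serial": "SN-9999", "os_build": "1.0"}

if __name__ == "__main__":
    server_seed, half = enrol(ENROLLED_PHONE)
    print("server expects :", hotp(server_seed, 1))
    print("enrolled phone :", device_passcode(half, ENROLLED_PHONE, 1))
    print("copied half    :", device_passcode(half, OTHER_PHONE, 1))
```

The stored half copied to a different device reconstructs a different seed, so a lost backup or a handed-on data image does not carry the user's identity with it unless the fingerprint inputs are also reproduced.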
And taking into consideration one of the media highlights in 2013, the whistle-blower Edward Snowden, businesses should indeed be concerned about what data government authorities can obtain and make appropriate arrangements.