RSA Conference 2010: Is Security Relevant to Streaming?
While Digital Rights Management (DRM) is discussed at length on the StreamingMedia.com message boards and mailing lists, and occasionally touched upon in magazine and online articles, the overarching discussion of security within the streaming industry is seldom discussed.
To find out more about the potential of security in streaming media, and our reciprocal role in the security of nationally important content delivery, I've been attending the RSA Conference—put on by RSA, the security division of EMC, in San Francisco. What I found there was quite interesting.
First, there is a concerted effort by government agencies to protect both their assets and those of its corporate citizens.
Howard Schmidt, who is the Cybersecurity Coordinator for the White House, used his keynote presentation to remind attendees—which included security experts from a variety of federal, state and local agencies as well as private company representatives—to remind the audience that an effective security strategy will require a joint effort of policy and implementation.
"Partnerships and transparency go hand in hand," said Schmidt. "If the government desires private industry assistance to make sure cybersecurity is secure, we must have transparency. We need to be able to seek out innovative partnerships with industry, government and academia."
Schmidt announced the partial declassification of what both this and the previous Administration dub the Comprehensive National Cybersecurity Initiative, which has twelve points necessary for the protection of content within the geographic United States as well as content in the hands of embassies and U.S. corporations outside of U.S. borders. Schmidt said corporate espionage is as prevalent as government espionage.
Second, to expand on what Schmidt said about corporate espionage, there is a growing concern about the sophistication of corporate attacks that move beyond just brute-force attacks on a company's firewall in an attempt to access the corporation's intranet and file servers.
The most recent and, some would argue, most sophisticated case of corporate espionage has been in the news for several weeks.
Dubbed "Operation Aurora" for its wide-ranging attack landscape, the attack was successful in extracting user names and passwords from up to 100 major software companies. One area being given close scrutiny in Operation Aurora is the fact that key people within each organization were targeted with malware tweaked to their interests or job descriptions, in an attempt to get the initial payload inside the corporation's firewall. At least one instance included the offer of streaming media content that required a plug-in be downloaded.
The most famous of the Operation Aurora attacks occurred at Google, whose penetration made international news when the company claimed the hackers were from China and were using the exploits to identify human rights advocates and dissidents within China that had Gmail accounts.
During a presentation at RSA, George Kurtz of McAfee noted that the security breach was more often used to exfiltrate (steal or exploit) source code for computer programs.
"In several cases, the attackers executed precision strikes to gain access to Source Code Management systems (SCMs)," said Kurtz, who is chief technology officer at McAfee. "SCMs house source code, the crown jewels of any tech company. In our analysis of the attacks we found that the perpetrators went through several hoops to ultimately compromise the systems of the SCM users at the targeted organizations. This means that the attackers now had access to the SCM system and could siphon out source code or, worse, modify and add code."
Given the millions of lines of code that comprise Software as a Service (SaaS), desktop or mobile applications, the attacks mean that companies may have to re-assess code before releasing it to end customers, to avoid further compromising additional machines with viruses or bot-net attack enablers.
How Can The Streaming Industry Prevent Attacks?
Two ways that the streaming media industry can address the concerns that come out of the Operation Aurora attacks are to consider full end-to-end encryption of content, alongside the encryption of delivery pathways, and to use trusted identification systems.
The former, full end-to-end encryption, is making its way into popular streaming servers such as Adobe's Flash Media Server (FMS)via its tie-in to Flash Access 2.0. While FMS 3.5 already has AES 128-bit encryption on the transport stream, the company announced at its Adobe MAX conference in October that it will have bit-level encryption of the content itself when Adobe Flash Player 10.1 and HTTP streaming are announced. According to a blog post by Dan Rayburn, this should occur within the next month.
Regarding the use of trusted identification systems, there are several ways to approach this, and each has bearing to streaming media delivery and consumption.
The first is through the use of a multi-factor authentication solution. This type of solution has been popularized in the security industry by companies whose products are used by federal agencies, financial services, and healthcare companies, each of whom need to provide customer portal access to sensitive personal materials such as Social Security benefits, bank statements, and patient health records.
A two-factor authentication platform supporting HIPAA medical record privacy and security compliance requirements, for instance, in which the customer creates his own user name and password and then is sent an email or SMS text with a temporary passcode that must be entered as the second form of authentication.
Companies like Anakam, whose multi-factor authentication services are widely used in healthcare and banking, also provide interactive voice response (IVR) telephone calls for initial setup or to warn when an attempt to change a password or log in from a foreign location is detected. The solution can also be set to time out at a particular time, which could provide an additional level of DRM that is less restrictively based than a device lockdown.
Another way to address this is through code hardening. During a recent Operation Aurora webinar that was hosted by the New York chapter of Infragard, Adobe announced it was looking into exploitations of Flash and Acrobat.
A third way is use a type of trusted system that uses known identification that is used to speed access across multiple portals. One such solution was announced at RSA by a group of industry heavyweights: CA, Equifax, Google, PayPal, VeriSign and Verizon announced the formation of the Open Identity Exchange (OIX), a non-profit organization that is being administered with the help of Booz Allen Hamilton to confirm credentials from one trusted site to another.
A case in point on this might be the ability to tie together an OpenID login, such as a Gmail user name and password, with an information card (often referred to as a token) in a form of two-factor authentication based on what the group calls an Open Identity Trust Framework (OITF) model.
"The framework defines the identity proofing, security, and privacy policies that must be followed by identity service providers to reach a specified level of assurance," the OIX group said in a press release. "In some cases it will also specify the data protection policies that must be followed by both identity service providers and relying parties to reach a specified level of protection."
To reach both a level of assurance that a requesting party is who they say they are, as well as a level of protection needed for content (such as we see in the digital rights management of streaming content that is locked to a particular device or timeframe) the last piece needed is "an assessor for the trust framework—a person or a company who has the professional experience necessary to assess whether an identity service provider or relying party is in compliance with the policies specified."
The trust frameworks are intended to be published and publicly accessible, as will be listings of assessors who meet the qualifications specified in the trust framework. And, should a breach occur, the OITF "includes roles for auditors and dispute resolution service providers to assist in ongoing assessment of trust framework participants and resolution of any disputes that may arise."
As more and more employees use their smartphones on enterprise networks, security firms are taking a cue from content protection and controlled-access media technologies