AT&T: Network perimeter security should be virtual

AT&T says companies will save time and money by ceding the process of fighting threats such as botnets, spam, and DoS attacks to ISPs

Enterprise companies will soon begin offloading many of their network security responsibilities to telecommunications and Internet service providers and save vast amounts of time and money doing so, if AT&T has its way.

Speaking to the assembled crowd at the IDC Security Forum in New York on Wednesday, Edward Amoroso, chief security officer for AT&T's services division, predicted that enterprises will begin adopting more "virtual" security capabilities from their ISPs and bandwidth providers in the coming years as those companies are better positioned to do battle with botnets, spam, and DoS (denial-of-service) threats.

Based on the bandwidth providers' existing abilities to see spikes in traffic that are telltale signs of botnet, spam, or other malware activity -- long before enterprises can see evidence of the attacks on their own -- Amoroso contends that companies will soon concede the process of fighting the threats and turn to companies such as AT&T for help.

"We think that security at the perimeter should be virtual, which is a somewhat controversial concept, because a lot of time, effort, and career capital has already been spent securing the perimeter," Amoroso said. "But we think a lot of existing technologies there are running out of legs, and simply running firewalls at the gateway is no longer a valuable proposition."

The U.S. government's Telecommunications Act of 1996 prevents carriers from approaching customers and marketing services to them based on any trends they observe on the end-users' network connections. However, the companies can already identify much of the spam and malware activity being carried out in the pipe, based on their massive infrastructure, and should be enlisted to help solve security issues, he said.

For threats such as distributed DoS that can easily be thwarted upstream, the CIO said, it makes little sense for companies to continue to invest in new technologies and staff when the carriers could easily detect and snuff out the campaigns ahead of time.

"How do you stop DDoS at the edge? The physics just don't make sense. When these attacks happen, the customers' routers will already be dead," said Amoroso. "We think the idea that the pipe should be dumb is strange; with spam accounting for 90 percent of all traffic on the e-mail pipe, we're delivering nothing but more attacks, malware, and junk. If people want us to keep doing that we can, but why would they want us to keep doing that when we can see it, scoop it, study it, and stop it?"

Lest someone should contend that AT&T and other carriers are merely licking their chops at the prospect of adding pricey new security services to their products, the expert said security services should eventually become a set of nonoptional capabilities included with the purchase of ISP and telephony services.

Much as the carrier community focused on providing faster services in the 1980s and added tools to improve quality to their products in the 1990s, the CIO said that security services will become a de facto element of all the capabilities that the firms market.

While early adopters are already paying a premium to use the security capabilities offered by carriers today, eventually the price should be blended into the packages of capabilities that companies buy from providers such as AT&T, the expert predicted.

At the same time, AT&T and other carriers would have to sacrifice their existing businesses of selling firewall management and intrusion detection-type systems into enterprises, he said. But the move to push security tools to the bandwidth providers is one that has been made even more likely by the complexity of those technologies.

"I think we'll come out of this decade thinking it was silly to have separate perimeter security systems, it doesn't make sense to build the network and overlay security as an afterthought," Amoroso said. "We have as large of a managed security services business as anyone, but this work is better off embedded in the pipeline."

Emerging mobile and VoIP services will also include integrated security capabilities that replace many of the systems being implemented to protect those technologies today, according to the AT&T CIO.

"We can virtualize these things, and any carrier can do it; this is the direction that perimeter security is headed in. It's not a collision course, but rather something very pleasant, as finally there's something smooth and simple to solve these problems," he said. "It's absurd that all we hear today is that the carrier plays no role in all of this, that companies should do it at the edge. We know it's a lot of work, but we're already prepared to do it."

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies