Security versus performance: a tug of war?

Opinion by Fran Trentley

As security threats have evolved over the past ten years, IT professionals responsible for network security have been under increasing pressure to protect digital properties without impacting performance levels, all on a budget.

As security threats have evolved over the past ten years, IT professionals responsible for network security have been under increasing pressure to protect digital properties without impacting performance levels, all on a budget.

The performance and reliability of websites has become so critical to the success of an organisation that reconciling with the performance demands of users and providing adequate security measures has become a 'tug of war' for some.

The hacking community does not rest on its laurels; at Akamai we are seeing threats double every year. Compared with only five years ago the distributed nature, capacity and frequency of attacks have grown massively.

Distributed denial-of-service (DDoS) attacks and SQL injections now account for more than 50 per cent of attacks, according to the Imperva hacker intelligence initiative. Although the average size of DDoS attacks hover between 10-20Gbs, we have seen them in excess of 120Gbs. The target of these attacks are no longer restricted to e-commerce or high-tech customers, everyone is targeted.

This year, US companies will spend more than $130 billion as a result of data breaches (according to the Ponemon Institute). That's more than triple what companies spent combating breaches just a few short years ago, and if new solutions are not embraced the problem is likely to continue growing exponentially.

For e-commerce sites, an attack of sufficient severity can not only slow sales, but prevent completed transactions entirely. To put this in perspective, one Akamai customer, a leading US online retailer, averages approximately $100,000 of sales per minute during the peak holiday shopping period.

So imagine the financial impact of an attack that lasts hours — or days. Attacks of this magnitude have occurred with some regularity over the last several years, and will no doubt continue to grow in frequency and size.

But beyond the financial costs of a serious security breach, there are other considerations that vary depending on the specific focus of the attacking party. Today's evolving cast of perpetrators — individuals and groups who range from the stereotypical ‘glory hound' hacker to issue-driven hacktivists, organised crime organisations, and nation states who engage in hacking for political or military advantage — have a range of disparate goals when attacking a target.

Overwhelming a website to cause denial-of-service to legitimate traffic, perhaps the most common type of attack, is only the beginning. Stealing Personal Identifiable Information (PII), mining sites and databases for corporate or state secrets, stealing intellectual property and furthering specific political agendas are all ‘fair game' for today's attackers.

Just having an opinion or association with a cause that perpetrators place a value on can make you a target for DDoS attacks. The recent political debates on piracy bills such as SOPA and PIPA saw organisations supporting legislation experience a significant increase in attacks on their web properties.

Can you have a security infrastructure that protects you under extreme attacks, without impacting performance during ‘normal' operating conditions?

Security professionals believe they need to spend more time and money protecting their web assets, but the reality is that budget and resources are finite. The other challenge is with more complex security infrastructures, there is a direct impact on performance, which when related to operational efficiency can affect the bottom line of a company, and actually be more costly than an individual attack.

Whatever you place at the network perimeter, there is still one overriding problem – you can't keep pace with the speed at which threats are growing in size, complexity and frequency.

Some companies have employed services such as ‘traffic scrubbing' and re-routing, but this alone impacts performance, as your traffic travels further and incurs a performance degradation. The result of this is that some companies have even resorted to only turning on these services once they are aware of an attack!

There are no silver bullets in security but attacks that are massive in scale and distribution need to be controlled by security infrastructures that can dynamically deal with those challenges. Attacks have moved from layers three and four of the TCP/IP stack up to level seven, and often move between originating servers whilst underway.

An architectural change to approaching security is needed and cloud-based services have become the best answer today to these distributed cloud-like security threats. The right service can act as a punch bag absorbing attacks and keeping them away from your front door, whilst allowing genuine traffic through unabated. They maintain user performance whilst scaling dynamically to suppress attacks that themselves are changing minute by minute.

Moving to cloud-based security is not an easy psychological transition to make, even if the benefits are compelling; there is a ‘box hugger' in all of us to one degree or another. The move from asset owner to service manager, is not a technical one, but one that has many wrestling with their conscience.

Attackers are embracing methods that the cloud is best positioned to deal with and it is now virtually impossible for all but the very largest organisations to fund the kind of in-house security arrangements that would be needed to keep large attacks at bay. Security and performance do not have to be at odds with one another, but to achieve the optimal balance, it is necessary to think outside the network and the box.

Fran Trentley is senior director of Akamai's global security and government services


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events