[un]prompted 2026 – Injecting Security Context During Vibe Coding

Author, Creator & Presenter: Srajan Gupta, Senior Security Engineer At Dave


Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations' YouTube Channel.

The post [un]prompted 2026 – Injecting Security Context During Vibe Coding appeared first on Security Boulevard.

U.S. Consumers Lost $2.1 Billion in Social Media Scams in 2025, FTC Says

An FTC report says that Americans last year lost $2.1 billion in social media scams, such as shopping and investment schemes. Social media sites have become the place where most of these scams start, and more than half of that money was stolen in scams that began on Facebook, WhatsApp, and Instagram.

The post U.S. Consumers Lost $2.1 Billion in Social Media Scams in 2025, FTC Says appeared first on Security Boulevard.

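Akamai and TVING Present Case Study of AI-Based Security Strategy

The event featured TVING, an OTT platform and Akamai customer, as a presenting company. Under the theme "As attacks evolve, defenses evolve too," it described its adoption of Akamai solutions and its security response cases.

According to Akamai, TVING had earlier adopted the Akamai security platform to counter the credential stuffing and distributed denial-of-service (DDoS) attacks that increased as the platform grew. With the solution, it reportedly kept operating while minimizing service performance degradation even during attacks in which traffic surged.

In the process, TVING maintained a certain level of service availability even under large-scale attack conditions and is said to have partly compensated for the visibility limits of its existing infrastructure. As a result, some service-operations metrics reportedly improved.

Akamai said that its technical capabilities, which TVING reviewed during its security partner selection process, contributed to this response. TVING considered SLA policy, infrastructure stability, and the ability to respond to unknown threats such as zero-day attacks as key evaluation factors. It also ran a proof of concept (PoC) of about two months before adoption to tune its security policies, and it has now applied a similar level of security across all the countries where it offers service.

The ability to use analysis features tailored to TVING's service environment through AI-based policies, and to check in real time the evidence behind detected security events, was also a factor considered in evaluating Akamai. Akamai provides a multi-layered defense built around App & API Protector and Account Protector.

This defense applies JA4 fingerprinting, which analyzes TLS encryption stack information to identify forged user agents, making it possible to distinguish PowerShell-based bot traffic disguised as Chrome. It also includes a capability that identifies account takeover (ATO) attempts by analyzing the intervals between keyboard and mouse inputs at millisecond granularity to detect repetitive patterns. In addition, it uses the global edge network to block attack traffic in a distributed manner at an early stage, with the focus on reducing the impact on service operations even during large-scale attacks.

Lee Kyung-jun, head of Akamai Korea, said, "Akamai's platform, built on more than 4,400 edges worldwide, blocks threats at the origin of the attack, ensuring both defense and performance at the same time," adding, "We will continue to provide the best infrastructure and intelligent security capabilities so that TVING, Korea's leading OTT platform, can grow safely in the global market."

Choi Jin-hyung, a security engineer at TVING, said, "Through our cooperation with Akamai, we have been able to dramatically shorten the time from recognizing a cyber threat to final response and to reliably protect customer accounts," adding, "Building on Akamai's infrastructure reliability and unmatched analysis capabilities, we will continue to provide customers with the safest viewing environment."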
dl-ciokorea@foundryco.com

Your Biggest Security Risk Might Not Be Human

Beyond your human workforce, a vast and growing population of non-human identities—applications, service accounts, cloud instances, and now, autonomous AI agents—operates with significant access, often in the shadows. This explosion of “unseen” identities is creating a critical governance gap and a new, often unmanaged, vector for risk.

As one of our customers aptly put it, there is a palpable tension in the boardroom: a mandate to innovate at full speed with technologies like AI, set against the imperative to avoid the kind of security incident that lands the company on the front page. The pressure to innovate is immense, but the ROI from new technology can’t be realized until it’s in production, and it can’t be put into production without proper governance.

Even before the widespread adoption of AI agents, security teams were already struggling to manage the sheer volume and variety of identities. Now, the proliferation of machines and intelligent agents has pushed this challenge to a breaking point. A complete identity strategy must now extend beyond the human workforce to encompass every facet of this new identity landscape.

While these non-human identities represent a new frontier, governing them doesn’t require starting from scratch. The most effective approach is to bring these new identity types under the umbrella of your existing, proven identity governance framework. Once aggregated into a centralized model, all the shared services—certification, workflow automation, and access reviews—that have been honed for years can be applied to them, creating a unified view and consistent control.

To manage this complex and dynamic environment, security leaders must move toward a model of adaptive identity. This approach allows for the dynamic adjustment of access policies for all identities based on real-time context and risk. It’s about having the intelligence to understand not just who or what is accessing your systems, but also why, when, and how.

Confidence in your security posture is the bedrock of agility; without it, the pace of modern business is unsustainable. From a scaling perspective, automation is essential. Gaining clear visibility and automated control over all your identities, both human and non-human, is the only way to innovate safely and secure the unseen.

To discover actionable strategies for securing non-human identities and safely navigating AI innovation, register for our free global virtual broadcast, IdentityTV 2026, on May 19.

China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns

China-sponsored threat groups like Salt Typhoon and Flax Typhoon are increasingly relying on multiple massive botnets comprising edge and IoT devices to run their cyber espionage and network intrusion campaigns, CISA and other security agencies say. The use of such "covert networks" makes it more difficult to detect and mitigate their campaigns.

The post China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns appeared first on Security Boulevard.

[un]prompted 2026 – Securing Workspace GenAI At Google Speed

Author, Creator & Presenter: Nicolas Lidzborski, Principal Engineer At Google Workspace Security


Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations' YouTube Channel.

The post [un]prompted 2026 – Securing Workspace GenAI At Google Speed appeared first on Security Boulevard.

[un]prompted 2026 – Rethinking How We Evaluate Security Agents For Real-World Use

Author, Creator & Presenter: Mudita Khurana, Staff Security Engineer At Airbnb


Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations' YouTube Channel.

The post [un]prompted 2026 – Rethinking How We Evaluate Security Agents For Real-World Use appeared first on Security Boulevard.

[un]prompted 2026 – Trajectory-Aware Post-Training Security Agents

Author, Creator & Presenter: Aaron Brown, Agentic AI Builder, AWS


Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations' YouTube Channel.

The post [un]prompted 2026 – Trajectory-Aware Post-Training Security Agents appeared first on Security Boulevard.

[un]prompted 2026 – Kinetic Risk: Securing And Governing Physical AI In The Wild

Author, Creator & Presenter: Padma Apparao, Architecting AI Solutions, Govt Agencies


Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations' YouTube Channel.

The post [un]prompted 2026 – Kinetic Risk: Securing And Governing Physical AI In The Wild appeared first on Security Boulevard.

NIST, Overrun by Massive Numbers of Submitted CVEs, Limits Analysis Work

NIST said it is overwhelmed by the surge in the number of CVE submissions in recent years, so it is paring back the analysis work it does on the dangerous security flaws. Security experts say the number of new vulnerabilities detected will only grow during the AI era and that the private sector will need to pick up the slack left by NIST's decision.

The post NIST, Overrun by Massive Numbers of Submitted CVEs, Limits Analysis Work appeared first on Security Boulevard.

[un]prompted 2026 – Vibe Check: Security Failures In AI-Assisted IDEs

Author, Creator & Presenter: Piotr Ryciak, AI Red Teamer At Mindgard


Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations' YouTube Channel.

The post [un]prompted 2026 – Vibe Check: Security Failures In AI-Assisted IDEs appeared first on Security Boulevard.

Google adds end-to-end Gmail encryption to Android, iOS devices for enterprises

Google has made a big step forward by extending end-to-end encryption to Android and iOS devices for Gmail client-side encryption (CSE) users, says an expert.

“All in all, this is a welcome update, especially in light of recent concerns surrounding WhatsApp’s encryption methods,” said Gartner analyst Avivah Litan. “Google’s approach offers verifiable customer-managed keys and ensures the provider does not have access to encrypted content.”

This, she said, addresses allegations raised in the January 2026 lawsuit against Meta regarding their internal access to customer encrypted message data.

Meta has reportedly said the claims are false, and that WhatsApp messages remain protected by default. The suit’s allegations have not been proven in court.

Litan noted that Google’s encryption update is only for organizations subscribing to its Enterprise Plus with Assured Controls edition. Messages and attachments are encrypted directly on-device, with encryption keys managed externally by the customer.

“For CSOs in regulated industries, this development is significant, as it supports secure mobile communication, compliance with regulations such as HIPAA [the U.S. Health Insurance Portability and Accountability Act] and GDPR [the European General Data Protection Regulation], and reduces the risk of plaintext data exposure on mobile devices,” she said. “External recipients retain the ability to reply via a web portal.”

However, Litan added, the capability remains opt-in, requires premium licensing and administrative configuration, and disables several Gmail functions, including AI features and comprehensive search, on encrypted content. But, she pointed out, the limitations are consistent with those in Gmail web and desktop implementations.

It’s also a capability that Microsoft doesn’t provide. A Microsoft spokesperson said in an email that the company doesn’t currently offer end-to-end Outlook encryption on mobile, although messages can be digitally signed and encrypted. 

In its April 9 announcement, Google said Workspace users can compose and read end-to-end encrypted messages natively within the Gmail app on Android and iOS without the need to download extra apps or use mail portals. Users with a Gmail E2EE license can send an encrypted message to any recipient, regardless of their email address. If the recipient uses the Gmail app, the encrypted message will be delivered as a normal message thread to their inbox, but if not, they can seamlessly and securely read and reply in their own native browser. This, Google said, ensures that all users have a simple and secure interface, regardless of their email service or device.

Google Workspace admins will need to enable the Android and iOS clients in the CSE admin interface to give users access to the new capability. This can be done in the Admin Console.

End users also need to be taught the new process: To add client-side encryption to any message, they must click the lock icon and select ‘additional encryption’. Then they can compose a message and add attachments as they normally do.

Forrester Research Senior Analyst Andrew Cornwall noted the biggest benefit for enterprises is that Workspace admins or Google can disable the ability to take screenshots and screen recordings when users read an encrypted message in the Gmail app. That will prevent Android and iOS recipients from forwarding a message as an image, he said, noting that Google can also disable screenshots in Android Chrome for business users and presumably will do this when Android users with email programs other than Gmail open a message in a browser.

From a user’s perspective, he added, this encryption gives Gmail an advantage over third-party email programs like Outlook and Thunderbird, which won’t automatically decrypt messages that have been encrypted using Google’s encryption mechanism. Unlike some encryption methods, Gmail doesn’t require the exchange of a key in advance, so users will be more likely to use it.

However, he pointed out, Google’s client-side encryption doesn’t encrypt headers or message senders, so an attacker with access to the device can still get some potentially sensitive information even with encryption enabled.

“If you’re planning to use Gmail to commit financial crimes or plan a revolution,” he added, “you should know that Google controls the display and often the keyboard on devices they build. Even if emails are encrypted on device, your messages may still be available while being read or composed.”

And while end-to-end encryption (E2EE) is considered by experts to be an excellent protection against the hijacking of data in transit, it won’t protect data on compromised devices, stolen and hacked devices, or in unencrypted backups.

David Shipley, CEO of security awareness provider Beauceron Security, noted the extension of Gmail end-to-end encryption to mobile platforms will help organizations ensure compliance with privacy concerns. “On the downside,” he added, “this is going to be a powerful tool for criminals. If they spin up a Google Workspace tenant and send encrypted messages to end users who aren’t on Gmail, in those cases, users will get a link to a new portal to read the sent message which will not be intercepted by a lot of security tools like email filters.”

This article originally appeared on Computerworld.

Banning Routers Won’t Secure the Internet

Washington’s push to ban foreign-made Wi-Fi routers may sound tough on cybersecurity, but like earlier bans on foreign drones and telecom gear it risks becoming security theater that ignores the real problem: Millions of unpatched devices already sitting on American networks.

The post Banning Routers Won’t Secure the Internet appeared first on Security Boulevard.
