Mobile and Personal Cloud Computing The Next Step in Cloud Computing

Transcription

1 A Member of OneBeacon Insurance Group Mobile and Personal Cloud Computing The Next Step in Cloud Computing Author: Edgar Germer, Risk Control Specialist Published: November 2015 Executive Summary Cloud Computing has been the hottest buzzword in Information Technology (IT) since Google s CEO George Schmidt introduced it in August By offering greater flexibility and availability of computing resources at a lower cost, cloud computing is a highly attractive alternative to traditional computing environments More recently, cloud computing has grown to include Mobile Cloud Computing (MCC) Mobile devices (eg, smartphones, tablets, laptops, PDAs) enable rich and convenient user experiences, fueling the rapid growth in MCC According to emarketer reports, there will be over 3 billion smartphones and tablets in use by the end of ,3 In turn, MCC is prompting the growth in all mobileenabled segments such as commerce, learning, healthcare, banking and other areas 4 As the number of internet-enabled mobile devices grows, unfortunately so do malicious web-based threats While there are several concerns with MCC, security is the major issue, 5 echoed by information executives who state that security is and remains their number one concern with cloud computing 6 From a risk management perspective, the accidental release or unauthorized access/conversion of sensitive data can result in significant costs from regulatory compliance such as notification, reputational injury and potential litigation So how can businesses manage the opportunities and exposures associated with cloud computing and MCC? This whitepaper provides an overview of these maturing technologies, security issues and the IT industry countermeasures to address them As the technology behind cloud computing is the foundation for MCC, this paper provides a discussion of cloud computing before addressing MCC Cloud Computing The National Institute of Standards and Technology (NIST) defines cloud computing as a model of enabling convenient, on-demand network access to a shared pool of configurable computing resources (eg, networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction Cloud computing allows the utilization of a computing infrastructure at one or more levels of abstraction, as an on-demand service made available over the internet or other computer network 7 Think of cloud computing as a utility company (eg, gas, electric or phone) where an organization purchases varying quantities of services as needed and pays for the service at the end of the month (metered services) These services include computing, storage and networking Computations take place on the cloud service provider s servers ( the cloud ) located at a remote facility (a colocation ) with the internet being the conduit that transports data between the organization s hardware and the cloud The cloud provider maintains the building, infrastructure, hardware, software, etc, while the organization simply pays for the services they consume risk management advice Readers should consult their own counsel or other representatives for any such advice Any and all third-party 1

2 Characteristics of Cloud Computing Five characteristics that differentiate cloud services from conventional computing approaches include: 8 On-demand Self-Service - Users can directly purchase computing services such as server time and storage as needed with minimal interaction with the service provider These services can also be readily discontinued when they are no longer needed Broad Network Access - Services are available over the internet and accessed through standard devices such as thin or thick client platforms A thin client is a device with no computational or storage capacity (eg smartphone or tablet) A thick/fat client is a fully functioning computer In both cases all processing and storage is done on a cloud provider s server Resource Pooling - Storage, processing, memory, bandwidth and hardware are shared with other users Rapid Elasticity - Capabilities can be rapidly and elastically purchased in any quantity at any time and discontinued when no longer needed Measured Service - Resource usage is monitored, controlled and optimized through metering capabilities Deployment Models There are four common models cloud service providers use to deploy and organize their services: 9 Public Cloud Computing resources are made available to the general public or organizations over the internet It is owned by a cloud provider selling cloud services to others Private Cloud - At the other end of the spectrum are private clouds where the computing environment is operated exclusively for one organization/customer (eg, the IRS) The private cloud may be managed by the organization or a cloud service provider, and it may be hosted within the organization s premises or elsewhere (eg, at a colocation facility) The organization/customer has control over the infrastructure and computational resources Community Cloud This deployment models is less common A community cloud is similar to a private cloud, but the infrastructure and computing resources are shared by several organizations having common privacy, security and/or regulatory considerations Examples include healthcare and financial community clouds Hybrid Cloud - A hybrid cloud is composed of two or more cloud deployment models (public, private or community) that remain unique entities but are bound together by standardized or proprietary technology This approach allows an organization to store protected or privileged data on a private cloud while retaining the ability to leverage computing resources from the public cloud to run applications that rely on the data For example, hybrid clouds are frequently used in the financial sector where trade orders are processed in a private cloud while trade analytics are conducted on a public cloud infrastructure The degree of control an organization has over the cloud s computational environment varies depending on the type of cloud deployment from almost zero control in public clouds to full control in private clouds 2

3 Service Delivery Model Just as the different deployment models affect an organization s scope and control over the cloud s computing environment, so too does the service model supported by cloud service providers Three common and frequently-used service models are: 10,11 Software-as-a-Service (SaaS) SaaS provides applications/software delivered over the internet by the cloud service provider eliminating the need to install software on the organization s hardware The provider hosts the software while the subscriber connects and uses it Examples of SaaS include Twitter, Facebook, Yahoo, Gmail and Salesforce Platform-as-a-Service (PaaS) PaaS offers development tools that can be used by software developers to create applications This might include tools that allow an organization to build various web services that enable database access, billing or others Examples of PaaS include Microsoft Windows Azure and Google App Engine Infrastructure-as-a-Service (IaaS) Rather than purchasing servers, software, data center space or network equipment, IaaS provides these resources as an outsourced service The organization provides its application software to the cloud service provider to host The services are typically billed on a utility computing basis (metered) Examples of IaaS include Amazon Elastic Compute Cloud (EC2), Joyent, Rackspace and IBM Computing on Demand Concerns With SaaS, the service level, security, governance, compliance and liability expectations of the service are contractually stipulated, managed and enforced by the provider With PaaS typically the provider is responsible for the security of the underlying operating system, while the user is responsible for the security of the application and other areas With IaaS, the provider is responsible for the underlying infrastructure components to ensure basic service availability and security, while the subscriber is responsible for the rest Additionally, SaaS and PaaS may be hosted on top of IaaS (aka nesting ) These relationships and dependencies among the cloud service delivery models can be a security risk as a breach at any of the services may negatively impact the others Organizations need to carefully review their service level and contractual agreements with their provider(s) and fully understand the level and type of services that are being provided Mobile Cloud Computing (MCC) The Mobile Cloud Computing Forum defines MCC as: Mobile cloud computing at its simplest refers to an infrastructure where both the data storage and the data processing happen outside of the mobile device Mobile cloud applications move the computing power and data storage away from mobile phones and into the cloud, bringing applications and mobile computing to not just smart phones users but a much broader range of mobile subscribers 12 MCC is a combination of mobile networking and cloud computing which enables cloud computing attributes such as on-demand access, computing, networking and storage capabilities, but without the need for memory intensive software applications on the mobile device; however, smaller applications that provide access to the cloud would be present 13 Applications and data stored on cloud service providers servers are accessed by mobile devices via wireless or cellular internet connections Applications are run on the cloud service provider s remote servers and results are transmitted to the user 14 MCC Security Securing MCC users privacy and maintaining the integrity of data or applications is a key issue with both MCC and cloud computing As MCC is a combination of mobile networks and 3

4 cloud computing, security-related issues are divided into two categories: mobile network users security and cloud security Mobile Network Users Security - Data on mobile devices are more at risk than data on traditional computers because mobile devices are more likely to be left unprotected According to the Cloud Security Alliance, the top mobile device threats that affect security are: 15 Data loss from lost/stolen devices Information stolen by mobile malware Data leakage through poorly written third-party applications Vulnerabilities within devices, operating system and third-party applications Unsecured network access and unreliable access points Unsecured or rogue marketplaces Insufficient management tools, capabilities and access to APIs (application programs interfaces) Near Field Communication (NFC) and proximity-based hackers Countermeasures to Security Issues 16 - Endpoint security including threat detection for the mobile device is critical However, mobile devices have limited processing capability and power issues To address these issues the industry has: Transferred security detection services/responsibilities to the cloud service provider resulting in better detection of malicious code, reduced consumption of resources on mobile devices and reduced software complexity of mobile devices Implemented Intrusion Detection Systems (IDS) and Cloud Intrusion Detection Systems Services (CIDSS) Recommended thin client antimalware and antivirus usage to protect mobile devices from data loss Securing Information on the Cloud Security is paramount in protecting and maintaining the integrity of the data stored within the cloud Specific measures at the various layers are essential, including: 17 Backbone Layer This constitutes security surveillance on cloud physical systems that help monitor the servers and machines in the cloud infrastructure Infrastructure Layer This layer monitors virtual machines (vm) in the cloud Security activities such as storage verifications, vm migration cloud service monitoring, vm isolation, risk evaluation and audits are carried out in this layer Application and Platform Layer Security activities such as user management, key management, authentication, authorization, encryption and data integration are carried out in this layer Responsibility for securing all three layers lies with both the cloud service provider and the organization, with the degree of responsibility varying and depending on the service model (SaaS, PaaS, or IaaS) Authentication Accessing applications over the internet makes access from any network device easier; however, it introduces security risks Authentication is used to verify that the user is who 4

5 they say they are 18 For high levels of assurance, authentication must be combined with encryption and secure data transmission protocols to ensure security Various authentication mechanisms have been proposed to secure the data access suitable for mobile environments Examples include the use of access or login IDs, passwords, PINS and multifactor authentication Applying identity management through the cloud makes managing identities, regardless of device or location, more convenient Integrity Every mobile cloud user must ensure the integrity of the information they store in the cloud Furthermore, every attempt to access their data must be authenticated and verified Steps for Winning the Battle of Breaches There is no such thing as a 100 percent secured system 19 as it is only a matter of time before a breach occurs Therefore, an organization should proactively plan to deal with breaches by: Defining Objectives Prioritizing objectives and setting realistic risk tolerances This allows the organization to appropriately allocate resources to those areas that are mission critical Implementing a Proactive Security Plan Understanding the threat landscape (eg, hacking, cybercrime attacks, media and social scams, etc) and protecting the organization using both policy and technology (end-point security, firewalls, malware and antivirus software, etc) Preparing a Response to an Attack Hackers are relentless in finding vulnerabilities When a breach does occur, the ability to quickly respond can greatly mitigate the damage from the attack Establishing a Culture of Security Awareness All employees must work together to ensure the safety of enterprise data as it takes only one mistake to infect an entire network Conclusion The forecast for MCC is bright According to a study by ABI Research, more than 240 million businesses will use cloud services through mobile devices by year-end 2015 resulting in MCC revenue of approximately $52 Billion 20 Regardless of which forecast is correct, the message is clear The economic advantages (low capital investment, on-demand service, ease of scalability, accessibility, etc) of MCC are too attractive for businesses to ignore, particularly given the exponential growth of mobile device usage and mobile-focused commercial endeavors For organization planning to use the MCC platform, NIST has the following recommendations: 21 Carefully plan the security and privacy aspects of cloud computing solutions before engaging them Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements Ensure that the client-side environment meets organizational security and privacy requirements for cloud computing 5

6 Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments In other words, perform a risk assessment, understand the exposures and proactively reduce risks to an organizationally acceptable level, while understanding that the organization is ultimately responsible for safeguarding its data as well as the data of others that is under its care, custody and control Contact Us About Us To learn more about how OneBeacon Technology Insurance can help you manage online and other technology risks, please contact Lloyd Takata, EVP of OneBeacon Technology Insurance at ltakata@onebeacontechcom or OneBeacon Technology Insurance, a brand of OneBeacon Insurance Group, Ltd, delivers all-lines underwriting solutions for the technology, life science and medical technology, and telecommunications industries, as well as content and media companies The specific capabilities offered include risk control, claims and third-party vendor solutions Products span property, casualty, cyber, E&O, international, products liability and professional coverages Our dedicated team of insurance professionals delivers custom solutions as needed to each of our customers Coverages may be underwritten by one of the following insurance companies: Atlantic Specialty Insurance Company, Homeland Insurance Company of New York, Homeland Insurance Company of Delaware, OBI America Insurance Company and OBI National Insurance Company References 1 Regalado, Antonio (October 31, 2011) Who Coined Cloud Computing?? Business Insider Accessed July (January 8, 2015) Tablet Users to Surpass 1 Billion Worldwide in 2015 emarketer Accessed July Worldwide-2015/ (December 11, 2014) 2 Billion Consumers Worldwide to get Smart (phones) by 2016 emarketer Accessed July Worldwide-Smartphones-by-2016/ Prasad, Rajendra M; Gyani, Jayadev; Murti, PRK (Vol 2, No 7, 2012) Mobile Cloud Computing: Implications and Challenges Journal of Information Engineering and Application Accessed July D8QFjAA&url=http%3A%2F%2Fwwwiisteorg%2FJournals%2Findexphp%2FJIEA%2Fart icle%2fdownload%2f2571%2f2587&ei=hxuxvpmif5crogtc3igabw&usg=afqjcnenvoi F1s6R0zz3mMP7u8lO9Y9ntw&bvm=bv ,dcGU 5 Donald, Cecil A; Oli, Arul S; Arockiam, L (Vol 3, Issue 1, July 2013) Mobile Cloud Security Issues and Challenges: A Perspective International Journal of Engineering and Innovative Technology (IJEIT) Accessed July Hashizume, Keiko; Rosado, David G; Fernandez-Medina, Eduardo; Fernandez, Eduardo B (February 27, 2013) An Analysis of Security Issues for Cloud Computing Accessed July

7 7 Jansen, Wayne; Grance Timothy (December 2011) Guidelines on Security and Privacy in Public Cloud Computing Publication NIST Accessed July Ibid 4 9 Mell, Peter; Grance Timothy (September 2011) The NIST Definitions of Cloud Computing Publication NIST Accessed October Ibid 7 11 Ibid 2 12 Ibid 4 13 Ibid 4 14 Bahar, Newaz Ali; Habib, Ahsan Md; Islam, Manowarul Md; (July 2013, Vol 3, No 3) Security Architecture For Mobile Cloud Computing International Journal of Scientific Knowledge Accessed July Ibid 5 16 Ibid 5 17 Ibid 5 18 Ibid 2 19 Ibid 5 20 Bhargava, Bharat Introduction to Mobile Cloud Computing Purdue University Accessed July Ibid 7 7