Mobile and Personal Cloud Computing: The Next Step in Cloud Computing


A Member of OneBeacon Insurance Group

Author: Edgar Germer, Risk Control Specialist
Published: November 2015

Executive Summary

Cloud Computing has been the hottest buzzword in Information Technology (IT) since Google's CEO George Schmidt introduced it in August 2006 [1]. By offering greater flexibility and availability of computing resources at a lower cost, cloud computing is a highly attractive alternative to traditional computing environments.

More recently, cloud computing has grown to include Mobile Cloud Computing (MCC). Mobile devices (e.g., smartphones, tablets, laptops, PDAs) enable rich and convenient user experiences, fueling the rapid growth in MCC. According to eMarketer reports, there will be over 3 billion smartphones and tablets in use by the end of 2015 [2,3]. In turn, MCC is prompting the growth in all mobile-enabled segments such as commerce, learning, healthcare, banking and other areas [4].

As the number of internet-enabled mobile devices grows, unfortunately so do malicious web-based threats. While there are several concerns with MCC, security is the major issue [5], echoed by information executives who state that security is and remains their number one concern with cloud computing [6]. From a risk management perspective, the accidental release or unauthorized access/conversion of sensitive data can result in significant costs from regulatory compliance such as notification, reputational injury and potential litigation. So how can businesses manage the opportunities and exposures associated with cloud computing and MCC?

This whitepaper provides an overview of these maturing technologies, security issues and the IT industry countermeasures to address them. As the technology behind cloud computing is the foundation for MCC, this paper provides a discussion of cloud computing before addressing MCC.

Cloud Computing

The National Institute of Standards and Technology (NIST) defines cloud computing as a model of enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. Cloud computing allows the utilization of a computing infrastructure at one or more levels of abstraction, as an on-demand service made available over the internet or other computer network [7].

Think of cloud computing as a utility company (e.g., gas, electric or phone) where an organization purchases varying quantities of services as needed and pays for the service at the end of the month (metered services). These services include computing, storage and networking. Computations take place on the cloud service provider's servers ("the cloud") located at a remote facility (a "colocation"), with the internet being the conduit that transports data between the organization's hardware and the cloud. The cloud provider maintains the building, infrastructure, hardware, software, etc., while the organization simply pays for the services they consume.

Characteristics of Cloud Computing

Five characteristics that differentiate cloud services from conventional computing approaches include: [8]

- On-demand Self-Service - Users can directly purchase computing services such as server time and storage as needed with minimal interaction with the service provider. These services can also be readily discontinued when they are no longer needed.
- Broad Network Access - Services are available over the internet and accessed through standard devices such as thin or thick client platforms. A thin client is a device with no computational or storage capacity (e.g., smartphone or tablet). A thick/fat client is a fully functioning computer. In both cases all processing and storage is done on a cloud provider's server.
- Resource Pooling - Storage, processing, memory, bandwidth and hardware are shared with other users.
- Rapid Elasticity - Capabilities can be rapidly and elastically purchased in any quantity at any time and discontinued when no longer needed.
- Measured Service - Resource usage is monitored, controlled and optimized through metering capabilities.

Deployment Models

There are four common models cloud service providers use to deploy and organize their services: [9]

- Public Cloud - Computing resources are made available to the general public or organizations over the internet. It is owned by a cloud provider selling cloud services to others.
- Private Cloud - At the other end of the spectrum are private clouds, where the computing environment is operated exclusively for one organization/customer (e.g., the IRS). The private cloud may be managed by the organization or a cloud service provider, and it may be hosted within the organization's premises or elsewhere (e.g., at a colocation facility). The organization/customer has control over the infrastructure and computational resources.
- Community Cloud - This deployment model is less common. A community cloud is similar to a private cloud, but the infrastructure and computing resources are shared by several organizations having common privacy, security and/or regulatory considerations. Examples include healthcare and financial community clouds.
- Hybrid Cloud - A hybrid cloud is composed of two or more cloud deployment models (public, private or community) that remain unique entities but are bound together by standardized or proprietary technology. This approach allows an organization to store protected or privileged data on a private cloud while retaining the ability to leverage computing resources from the public cloud to run applications that rely on the data. For example, hybrid clouds are frequently used in the financial sector, where trade orders are processed in a private cloud while trade analytics are conducted on a public cloud infrastructure.

The degree of control an organization has over the cloud's computational environment varies depending on the type of cloud deployment, from almost zero control in public clouds to full control in private clouds.

Service Delivery Model

Just as the different deployment models affect an organization's scope and control over the cloud's computing environment, so too does the service model supported by cloud service providers. Three common and frequently used service models are: [10,11]

- Software-as-a-Service (SaaS) - SaaS provides applications/software delivered over the internet by the cloud service provider, eliminating the need to install software on the organization's hardware. The provider hosts the software while the subscriber connects and uses it. Examples of SaaS include Twitter, Facebook, Yahoo, Gmail and Salesforce.
- Platform-as-a-Service (PaaS) - PaaS offers development tools that can be used by software developers to create applications. This might include tools that allow an organization to build various web services that enable database access, billing or others. Examples of PaaS include Microsoft Windows Azure and Google App Engine.
- Infrastructure-as-a-Service (IaaS) - Rather than purchasing servers, software, data center space or network equipment, IaaS provides these resources as an outsourced service. The organization provides its application software to the cloud service provider to host. The services are typically billed on a utility computing basis (metered). Examples of IaaS include Amazon Elastic Compute Cloud (EC2), Joyent, Rackspace and IBM Computing on Demand.

Concerns

With SaaS, the service level, security, governance, compliance and liability expectations of the service are contractually stipulated, managed and enforced by the provider. With PaaS, typically the provider is responsible for the security of the underlying operating system, while the user is responsible for the security of the application and other areas. With IaaS, the provider is responsible for the underlying infrastructure components to ensure basic service availability and security, while the subscriber is responsible for the rest. Additionally, SaaS and PaaS may be hosted on top of IaaS (aka "nesting").

These relationships and dependencies among the cloud service delivery models can be a security risk, as a breach at any of the services may negatively impact the others. Organizations need to carefully review their service level and contractual agreements with their provider(s) and fully understand the level and type of services that are being provided.

Mobile Cloud Computing (MCC)

The Mobile Cloud Computing Forum defines MCC as: "Mobile cloud computing at its simplest refers to an infrastructure where both the data storage and the data processing happen outside of the mobile device. Mobile cloud applications move the computing power and data storage away from mobile phones and into the cloud, bringing applications and mobile computing to not just smartphone users but a much broader range of mobile subscribers." [12]

MCC is a combination of mobile networking and cloud computing which enables cloud computing attributes such as on-demand access, computing, networking and storage capabilities, but without the need for memory-intensive software applications on the mobile device; however, smaller applications that provide access to the cloud would be present [13]. Applications and data stored on cloud service providers' servers are accessed by mobile devices via wireless or cellular internet connections. Applications are run on the cloud service provider's remote servers and results are transmitted to the user [14].

MCC Security

Securing MCC users' privacy and maintaining the integrity of data or applications is a key issue with both MCC and cloud computing. As MCC is a combination of mobile networks and cloud computing, security-related issues are divided into two categories: mobile network users' security and cloud security.

Mobile Network Users' Security - Data on mobile devices are more at risk than data on traditional computers because mobile devices are more likely to be left unprotected. According to the Cloud Security Alliance, the top mobile device threats that affect security are: [15]

- Data loss from lost/stolen devices
- Information stolen by mobile malware
- Data leakage through poorly written third-party applications
- Vulnerabilities within devices, operating system and third-party applications
- Unsecured network access and unreliable access points
- Unsecured or rogue marketplaces
- Insufficient management tools, capabilities and access to APIs (application programming interfaces)
- Near Field Communication (NFC) and proximity-based hackers

Countermeasures to Security Issues [16] - Endpoint security, including threat detection for the mobile device, is critical. However, mobile devices have limited processing capability and power issues. To address these issues the industry has:

- Transferred security detection services/responsibilities to the cloud service provider, resulting in better detection of malicious code, reduced consumption of resources on mobile devices and reduced software complexity of mobile devices
- Implemented Intrusion Detection Systems (IDS) and Cloud Intrusion Detection Systems Services (CIDSS)
- Recommended thin client antimalware and antivirus usage to protect mobile devices from data loss

Securing Information on the Cloud

Security is paramount in protecting and maintaining the integrity of the data stored within the cloud. Specific measures at the various layers are essential, including: [17]

- Backbone Layer - This constitutes security surveillance on cloud physical systems that help monitor the servers and machines in the cloud infrastructure.
- Infrastructure Layer - This layer monitors virtual machines (VMs) in the cloud. Security activities such as storage verifications, VM migration, cloud service monitoring, VM isolation, risk evaluation and audits are carried out in this layer.
- Application and Platform Layer - Security activities such as user management, key management, authentication, authorization, encryption and data integration are carried out in this layer.

Responsibility for securing all three layers lies with both the cloud service provider and the organization, with the degree of responsibility varying and depending on the service model (SaaS, PaaS or IaaS).

Authentication

Accessing applications over the internet makes access from any network device easier; however, it introduces security risks. Authentication is used to verify that the user is who they say they are [18]. For high levels of assurance, authentication must be combined with encryption and secure data transmission protocols to ensure security. Various authentication mechanisms have been proposed to secure the data access suitable for mobile environments. Examples include the use of access or login IDs, passwords, PINs and multifactor authentication. Applying identity management through the cloud makes managing identities, regardless of device or location, more convenient.

Integrity

Every mobile cloud user must ensure the integrity of the information they store in the cloud. Furthermore, every attempt to access their data must be authenticated and verified.

Steps for Winning the Battle of Breaches

There is no such thing as a 100 percent secured system [19], as it is only a matter of time before a breach occurs. Therefore, an organization should proactively plan to deal with breaches by:

- Defining Objectives - Prioritizing objectives and setting realistic risk tolerances. This allows the organization to appropriately allocate resources to those areas that are mission critical.
- Implementing a Proactive Security Plan - Understanding the threat landscape (e.g., hacking, cybercrime attacks, media and social scams, etc.) and protecting the organization using both policy and technology (end-point security, firewalls, malware and antivirus software, etc.).
- Preparing a Response to an Attack - Hackers are relentless in finding vulnerabilities. When a breach does occur, the ability to quickly respond can greatly mitigate the damage from the attack.
- Establishing a Culture of Security Awareness - All employees must work together to ensure the safety of enterprise data, as it takes only one mistake to infect an entire network.

Conclusion

The forecast for MCC is bright. According to a study by ABI Research, more than 240 million businesses will use cloud services through mobile devices by year-end 2015, resulting in MCC revenue of approximately $52 Billion [20]. Regardless of which forecast is correct, the message is clear. The economic advantages (low capital investment, on-demand service, ease of scalability, accessibility, etc.) of MCC are too attractive for businesses to ignore, particularly given the exponential growth of mobile device usage and mobile-focused commercial endeavors.

For organizations planning to use the MCC platform, NIST has the following recommendations: [21]

- Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
- Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
- Ensure that the client-side environment meets organizational security and privacy requirements for cloud computing.
- Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

In other words, perform a risk assessment, understand the exposures and proactively reduce risks to an organizationally acceptable level, while understanding that the organization is ultimately responsible for safeguarding its data as well as the data of others that is under its care, custody and control.

Contact Us

To learn more about how OneBeacon Technology Insurance can help you manage online and other technology risks, please contact Lloyd Takata, EVP of OneBeacon Technology Insurance, at ltakata@onebeacontech.com or 952.852.6028.

About Us

OneBeacon Technology Insurance, a brand of OneBeacon Insurance Group, Ltd., delivers all-lines underwriting solutions for the technology, life science and medical technology, and telecommunications industries, as well as content and media companies. The specific capabilities offered include risk control, claims and third-party vendor solutions. Products span property, casualty, cyber, E&O, international, products liability and professional coverages. Our dedicated team of insurance professionals delivers custom solutions as needed to each of our customers. Coverages may be underwritten by one of the following insurance companies: Atlantic Specialty Insurance Company, Homeland Insurance Company of New York, Homeland Insurance Company of Delaware, OBI America Insurance Company and OBI National Insurance Company.

References

[1] Regalado, Antonio (October 31, 2011). Who Coined "Cloud Computing"? Business Insider. Accessed July 2015. http://www.technologyreview.com/news/425970/who-coined-cloud-computing/
[2] (January 8, 2015). Tablet Users to Surpass 1 Billion Worldwide in 2015. eMarketer. Accessed July 2015. http://www.emarketer.com/article/tablet-users-surpass-1-billion-Worldwide-2015/1011806
[3] (December 11, 2014). 2 Billion Consumers Worldwide to get Smart (phones) by 2016. eMarketer. Accessed July 2015. http://www.emarketer.com/article/2-billion-consumers-Worldwide-Smartphones-by-2016/1011694
[4] Prasad, Rajendra M.; Gyani, Jayadev; Murti, P.R.K. (Vol. 2, No. 7, 2012). Mobile Cloud Computing: Implications and Challenges. Journal of Information Engineering and Application. Accessed July 2015. http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0cD8QFjAA&url=http%3A%2F%2Fwww.iiste.org%2FJournals%2Findex.php%2FJIEA%2Farticle%2fdownload%2f2571%2f2587&ei=hxuxvpmif5crogtc3igabw&usg=afqjcnenvoiF1s6R0zz3mMP7u8lO9Y9ntw&bvm=bv75097201,dcGU
[5] Donald, Cecil A.; Oli, Arul S.; Arockiam, L. (Vol. 3, Issue 1, July 2013). Mobile Cloud Security Issues and Challenges: A Perspective. International Journal of Engineering and Innovative Technology (IJEIT). Accessed July 2015. http://ijeit.com/vol%203/issue%201/ijeit1412201307_73.pdf
[6] Hashizume, Keiko; Rosado, David G.; Fernandez-Medina, Eduardo; Fernandez, Eduardo B. (February 27, 2013). An Analysis of Security Issues for Cloud Computing. Accessed July 2015. http://www.jisajournal.com/content/4/1/5
[7] Jansen, Wayne; Grance, Timothy (December 2011). Guidelines on Security and Privacy in Public Cloud Computing. Publication 800-144. NIST. Accessed July 2015. http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf
[8] Ibid. 4
[9] Mell, Peter; Grance, Timothy (September 2011). The NIST Definitions of Cloud Computing. Publication 800-145. NIST. Accessed October 2015. http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
[10] Ibid. 7
[11] Ibid. 2
[12] Ibid. 4
[13] Ibid. 4
[14] Bahar, Newaz Ali; Habib, Ahsan Md.; Islam, Manowarul Md. (July 2013, Vol. 3, No. 3). Security Architecture For Mobile Cloud Computing. International Journal of Scientific Knowledge. Accessed July 2015. http://www.ijsk.org/uploads/3/1/1/7/3117743/2_mobile_cloud_computing.pdf
[15] Ibid. 5
[16] Ibid. 5
[17] Ibid. 5
[18] Ibid. 2
[19] Ibid. 5
[20] Bhargava, Bharat. Introduction to Mobile Cloud Computing. Purdue University. Accessed July 2015. https://www.cs.purdue.edu/homes/bb/cloud/mcc.pptx
[21] Ibid. 7