Navigating the 'unholy' matrimony of mobile and cloud
- By (ISC)2 Government Advisory Board Executive Writers Bureau
- Aug 31, 2012
Chief information security officers (CISOs) are increasingly faced with pressure to adapt existing security paradigms and practices to facilitate emerging technology revolutions that fuel business innovation and citizen services. This is exemplified by the rise of smarter mobile devices with access to corporate data driven by the explosion of consumerized IT and the confluence of cloud-delivered services. As a result, a new framework for the underlying security model must be established in order to securely enable essential enterprise/citizen interactions.
Mobility and cloud computing are so intertwined that separating the two in the context of ubiquitous electronic transactions is difficult at best. This is based on the fact that accessing a cloud requires a device. Increasingly, that device is mobile and is quickly transitioning from laptop or netbook to tablet or smart phone.
The grace period on mobile security is over
Employees in both the public and private sectors are quickly realizing that smart phones and tablets rival the computing power of traditional PC-centered devices. Offering feature-rich, better-designed user interfaces and built-in support for wireless connectivity, these devices have become the mobility devices of choice for technology users. Despite the richer and better-designed user interfaces, the main functionality and core processing for these devices typically takes place in the cloud. This wasn’t always the case since first-generation mobile apps contained all the functionality in the application itself, requesting data from the back-end service.
Fortunately, the federal government historically has taken a more conservative and risk-averse stance to technology adoption than the private sector, which has largely shielded federal CISOs from the onslaught of "bring your own device" (BYOD) clarion calls. Conversely, private-sector CISOs have had to upgrade, if not completely overhaul, their corporate security program and policies to facilitate the transformative and business-enabling effects the explosion of consumerized IT and cloud-delivered services require.
The harsh realities of today’s technology-rich business environment is that the network boundary is truly ubiquitous, extending to the palms of employees carrying mobile devices as well as in the cloud. CISOs must soon accept that the time of the legacy hardened perimeter-based security architecture model is history.
So how then should government CISOs look to secure the mobile cloud? Unfortunately, there are no easy answers, no quick checklists and no cookie-cutter approaches. There are, however, some basic truisms that should be included in the core underlying framework:
• Secure access provisioning. Easy access to the right data/applications/information at the appropriate authorization levels needed by employees to do their jobs.
• Robust security and privacy at both the endpoint and within the cloud in order to enforce corporate policy on both device and cloud infrastructures.
• Device agnostic approach. The flexibility to support more than the latest "flavor of the month" smart phone technology.
• Trusted Internet Connection (TIC). For private cloud offerings, some federal agencies will enforce accesses to traverse their TIC or corporate infrastructure. The option exists to facilitate connectivity from anywhere.
• Government cloud (“Gloud”). Shared infrastructure and/or leveraging the buying power of government through the lines of business model.
• Trusted identities. Integration with varying multi-factor authentication mechanisms.
• Security Assessment and Authorization (SA&A) reciprocity. Assess once, use many with the need to only assess risk acceptance.
In the end, government CISOs must transform existing legacy hardened perimeter-based security architectures to support secure access provisioning, robust security and privacy at both the endpoint and the cloud demarcation points, while providing flexibility to support the range of mobile devices employed by today’s users.
As if security practitioners weren’t already faced with abundant security challenges from these respective technological advancements, the “unholy” matrimony of the two further exacerbates the challenge of ensuring adequate corporate protections while not impeding the transformative effects of these technologies on the government innovation landscape.