COMMENTARY

Navigating the 'unholy' matrimony of mobile and cloud

Chief information security officers (CISOs) are increasingly faced with pressure to adapt existing security paradigms and practices to facilitate emerging technology revolutions that fuel business innovation and citizen services. This is exemplified by the rise of smarter mobile devices with access to corporate data driven by the explosion of consumerized IT and the confluence of cloud-delivered services. As a result, a new framework for the underlying security model must be established in order to securely enable essential enterprise/citizen interactions.

Mobility and cloud computing are so intertwined that separating the two in the context of ubiquitous electronic transactions is difficult at best. This is based on the fact that accessing a cloud requires a device. Increasingly, that device is mobile and is quickly transitioning from laptop or netbook to tablet or smart phone.


Related:

The grace period on mobile security is over


Employees in both the public and private sectors are quickly realizing that smart phones and tablets rival the computing power of traditional PC-centered devices. Offering feature-rich, better-designed user interfaces and built-in support for wireless connectivity, these devices have become the mobility devices of choice for technology users. Despite the richer and better-designed user interfaces, the main functionality and core processing for these devices typically takes place in the cloud. This wasn’t always the case since first-generation mobile apps contained all the functionality in the application itself, requesting data from the back-end service.

Fortunately, the federal government historically has taken a more conservative and risk-averse stance to technology adoption than the private sector, which has largely shielded federal CISOs from the onslaught of "bring your own device" (BYOD) clarion calls. Conversely, private-sector CISOs have had to upgrade, if not completely overhaul, their corporate security program and policies to facilitate the transformative and business-enabling effects the explosion of consumerized IT and cloud-delivered services require.
 
The harsh realities of today’s technology-rich business environment is that the network boundary is truly ubiquitous, extending to the palms of employees carrying mobile devices as well as in the cloud. CISOs must soon accept that the time of the legacy hardened perimeter-based security architecture model is history.

So how then should government CISOs look to secure the mobile cloud? Unfortunately, there are no easy answers, no quick checklists and no cookie-cutter approaches. There are, however, some basic truisms that should be included in the core underlying framework:

• Secure access provisioning. Easy access to the right data/applications/information at the appropriate authorization levels needed by employees to do their jobs.

• Robust security and privacy at both the endpoint and within the cloud in order to enforce corporate policy on both device and cloud infrastructures.

• Device agnostic approach. The flexibility to support more than the latest "flavor of the month" smart phone technology.

• Trusted Internet Connection (TIC). For private cloud offerings, some federal agencies will enforce accesses to traverse their TIC or corporate infrastructure. The option exists to facilitate connectivity from anywhere.

• Government cloud (“Gloud”). Shared infrastructure and/or leveraging the buying power of government through the lines of business model.

• Trusted identities. Integration with varying multi-factor authentication mechanisms.

• Security Assessment and Authorization (SA&A) reciprocity. Assess once, use many with the need to only assess risk acceptance.

In the end, government CISOs must transform existing legacy hardened perimeter-based security architectures to support secure access provisioning, robust security and privacy at both the endpoint and the cloud demarcation points, while providing flexibility to support the range of mobile devices employed by today’s users.

As if security practitioners weren’t already faced with abundant security challenges from these respective technological advancements, the “unholy” matrimony of the two further exacerbates the challenge of ensuring adequate corporate protections while not impeding the transformative effects of these technologies on the government innovation landscape.

 

About the Author

Members of the (ISC)2 U.S. Government Advisory Board Executive Writers Bureau include federal IT security experts from government and industry. For a full list of Bureau members, visit http://www.isc2.org/gabewb.

Reader Comments

Fri, Sep 7, 2012 Devin C

BYOD and Cloud seem to be imposing competing needs on the enterprise. The author makes device agnostic approaches a part of any successful integration of these two technologies, and rightly so. Unfortunately, device agnosticism is really aimed at enabling consumerization, not secure mobility and cloud. Any successful mobile plan should be device agnostic, but BYOD should not be the driving factor. Device and vendor independence, along with creating a heterogeneous device and software environment for mobility should be the ultimate goals. However, achieving successful BYOD and cloud strategies is going to mean less control over the enterprise environment, and less freedom for the users over their own devices.

Fri, Sep 7, 2012 Franklin Terry Dallas

I'm sure you have heard this one already but to secure the Cloud, why not require figure print reconition to gain access. That would signicantly reduce possible security breaches. It would also make it easy to narrow down the source of any breech in PII.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above