Securing the intersection of cloud and mobility

The National Institute of Standards and Technology (NIST) conducted a three-day workshop in March 2014 on "The Intersection of Cloud and Mobility". The URL for NIST's workshop webcast can be found here. I wrote about the workshop in brief in my previous blog, which also captured some of the NIST publications that I often refer to. In this blog, I will discuss the security aspect of the cloud and mobility intersection.


Data security and privacy were a common topic in many sessions of NIST's workshop. There was a consensus amongst the speakers that security is still in its infancy when it comes to mobility and cloud. In fact, in 2011 when I was speaking at a CIO meeting about cloud security, many had failed pilots on cloud-sourcing their corporate email, primarily for security and privacy reasons. Three years later, almost every enterprise seems to have already moved some of their IT platforms to the cloud and has plans to move more IT services there. That is the speed at which change is happening.


Enterprises are also cautious and cognizant of the fact that any serious security issue in their cloud and mobility adoption journey can cause irrevocable damage not only to their own organization but to the entire community of enterprises taking the same journey. This is where I think government is becoming a catalyst and encouraging the advancement by setting up programs such as FedRAMP. FedRAMP is responsible for cloud authorization, a rigorous six-month process to authorize cloud vendors intending to work with federal government agencies. This certainly helps enterprises take the experience gained from government deployments and increase the speed of their own adoption of cloud and mobility.


Jacob West, CTO of HP Security, in his keynote speech at NIST's workshop highlighted many focus areas for the IT community in preparing for and managing security and privacy challenges: making IT security part of the curriculum for computer science graduates, ensuring that prominence is given to hiring for all IT security roles, and actively collaborating among IT security communities to share security best practices. These are crucial and fundamental to managing security and privacy challenges. Cloud and mobility adoption only adds to the existing challenges, as enterprises will have to deal with more service providers and vendors.


One can appreciate the importance of security and privacy challenges in the cloud by going through the security, privacy and risk management documents that are published and available on the Internet. These documents are typically very large and not easy to summarize. However, NIST's Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144), with its two-page summary on the 45th page, succinctly describes the top areas of security concern for cloud adoption. This vital document, SP 800-144, talks about nine areas:


  • Governance
  • Compliance
  • Trust
  • Architecture
  • Identity and Access Management
  • Software Isolation
  • Data Protection
  • Availability
  • Incident Response


These nine areas, and the precautions for each, cover almost all aspects of cloud security and privacy. Two more documents that I would recommend are the Cloud Computing pattern from Open Security Architecture and the CSA Guide from the Cloud Security Alliance.


Going through these references, it becomes clear that the IT governance team within an enterprise is going to be responsible for defining security, privacy and risk management policies and also for enforcing them. Enterprises are taking a cue from programs such as FedRAMP (which in turn refers to NIST's security controls document, SP 800-53r4).


The second part of the security problem relates to client devices. The focus here is predominantly on identity, access management and data protection. Before granting access to corporate information, the identity of the mobile user and his access profile have to be understood by checking:


  • "Who is the user?"
  • "Where is he?"
  • "How is he connected?"
  • "What information or services is he trying to access?"


Only then is the user granted access to corporate services and information.

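As an added illustration of those four checks (who, where, how connected, what), not code from the original post: a deny-by-default access decision that evaluates each answer in turn and steps up to MFA before releasing sensitive data. The user directory, resource catalogue, trusted-country list and rule thresholds are constructed assumptions.

```python
# Context-aware access decision for a mobile user (added example).
# The four questions come from the post; the sample directory, resources and
# policy thresholds below are constructed for illustration only.
from dataclasses import dataclass

# Constructed sample directory: user -> role and whether MFA is enrolled
DIRECTORY = {
    "alice": {"role": "finance", "mfa": True},
    "bob": {"role": "sales", "mfa": False},
}

# Constructed sample catalogue: service -> roles entitled and sensitivity
RESOURCES = {
    "payroll": {"roles": {"finance"}, "sensitive": True},
    "crm": {"roles": {"sales", "finance"}, "sensitive": False},
}

TRUSTED_COUNTRIES = {"US"}  # assumed geofence for corporate access

@dataclass
class Request:
    user: str          # who is the user?
    country: str       # where is he?
    network: str       # how is he connected? "corporate", "vpn" or "public"
    mfa_passed: bool   # has this session already completed MFA?
    resource: str      # what information or service is he trying to access?

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason): deny by default, step up before sensitive data."""
    user = DIRECTORY.get(req.user)
    if user is None:
        return "deny", "unknown user"
    res = RESOURCES.get(req.resource)
    if res is None:
        return "deny", "unknown resource"
    if user["role"] not in res["roles"]:
        return "deny", "role not entitled to resource"
    if req.country not in TRUSTED_COUNTRIES:
        return "deny", "location outside trusted countries"
    on_managed_path = req.network in ("corporate", "vpn")
    if res["sensitive"] and not on_managed_path:
        return "deny", "sensitive data only over corporate network or VPN"
    if res["sensitive"] and not req.mfa_passed:
        if not user["mfa"]:
            return "deny", "MFA required but user is not enrolled"
        return "step_up", "complete MFA before accessing sensitive data"
    return "allow", "all checks passed"
```

Each denial carries its reason so the decision can be logged for incident response as well as enforced.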

The next step in security is to protect the data on the device. Protecting the data on smartphones is much more complex and challenging. Every smartphone (or tablet) comes with preloaded apps, and the user then installs more apps from app stores. The apps are smart and exploit many features of a smartphone; even an entry-level smartphone has about 15 sensors. The enterprise apps are expected to be smart as well, and to exploit the same features to improve business processes. For a device like this, preventive measures such as locking, encryption or remote wipe, and basic mobile device management are fundamental. Security and privacy have to go beyond preventive measures and need to address:


  • OS security
  • The security of the application and its environment
  • The security of data and information stored on phone
  • Access rights to apps
  • Data access rights
  • Sensors access rights

There are probably more to be considered, as these smartphones are getting more sophisticated every day.


Certainly, security and privacy are complex subjects for cloud and mobility adoption, but they are certainly not a white elephant to manage. The good news is that there is a lot of work already happening in this domain, and many enterprises have successfully adopted cloud and mobility without compromising security or privacy. It is just a matter of time before these security solutions prevail.


Feel free to post a comment or reach out to me here if you want to continue the discussion about cloud and mobility, or to find out how I can help you maximize your business's potential and reduce risk through IT.


About the Author
Enterprise Architect helping large enterprises and telecom service providers with business aligned IT solutions for over two decades.