[Compiled] Mobile Cloud Security

Mobile devices are now the default tool of business, because they provide the instantaneous, just-in-time, connected and collaborative starting point for just about all business processes.

Mobile cloud computing platforms represent a more secure way of provisioning applications and online services to users over mobile networks. Mobile cloud provisioning takes advantage of the inherent benefits of cloud computing through its monitoring, security detection and malware-prevention capabilities to protect its mobile customers.

That's not to say that cloud-based applications and services are completely free from potential malware, but that it is more difficult for hackers to manipulate cloud service providers and their services than it is to distribute malware by creating and infecting individual applications in the various app stores. Having apps and services residing in the cloud mitigates the need for installing and maintaining highly complex virus-scanning and malware protection on the handsets themselves, although some on-device malware protection should always be considered.

Mobile cloud security is also one of the issues raised by the FBI and other experts in the Cyber Security 2012 videocast.

In general, mobile users can benefit greatly from cloud services for computationally intensive information processing and collection such as information search, data processing, data mining, network status monitoring, field sensing and so on. However, the existing mobile cloud service model operates mostly in one direction. That is to say, consumer electronics devices can use the cloud as a computing and information resource, but the cloud has little control over the consumer electronics devices.

When discussing mobile cloud security threats, the primary concern is threats to smartphone and tablet platforms. These threats can be divided into three categories:

1) Physical threats

2) Threats to mobile network security

3) The threat of malware

1 Physical threats

There are three basic types of physical threats to mobile devices: lending, loss, and theft. Lending a mobile device to a family member or friend raises the possibility of enabling that person to access data or applications to which he or she is not authorized. Mobile devices feature a PIN-based or password-based lockout capability, but this feature is often not used by owners. Even when the lockout feature is enabled, there are ways to subvert the lockout. Loss or theft of a mobile device could provide root-level access to cloud services and data. Mobile apps often provide direct and automated access to cloud services and data. If an admin-level person's mobile device is stolen, this could be a major threat to highly confidential data or even to cloud services administered by such a person from an insecure mobile device.

Challenges:

Subscriber identity module (SIM) cards can easily be removed from many devices and read by anyone.

Solutions:

Developers can add an extra layer of application and data-level security when critical data is controlled by their software. Developers should not store any data on a SIM card that does not need to be stored there. A cloud backup service is important: when someone's mobile phone is lost, he or she can recover the backed-up data from the mobile cloud security center. Intuitively, biometrics-based identification techniques on the CE devices, such as voice recognition, fingerprints, etc., can be used as a second authentication method to protect the mobile devices.

2 Mobile network security

Smartphones are accessible through a 3G or 4G cellular network, Wi-Fi and Bluetooth, and some are accessible by infrared-frequency identification (RFID). Users can easily access phone services, Internet services and Short Messaging Service (SMS) communications. However, from a security perspective, all interfaces have the potential to expose sensitive information and receive malicious data. For example, Bluetooth devices easily connect to each other. Consequently, many device vendors implement Bluetooth in a manner that provides for easy connectivity while exposing the information assets of individuals and organizations to greater risk. Although security is available for Bluetooth, many devices are set to discovery/visible-to-all mode, which enables them to respond to all service inquiries. In other words, these devices are exposed to data leakage or the rapid spread of malware. Bluetooth devices can also be targets of Denial of Service attacks, typically by bombarding the device with requests to the point that it causes the battery to degrade.

In wireless networks, eavesdropping and spoofing are easier than in wired networks. The main attacks are eavesdropping, man in the middle and denial of service. There are also some threats that fall under fraud management in mobile networks, such as access fraud and subscription fraud. Security mechanisms like authentication and confidentiality prevent access fraud, but they cannot help with subscription fraud. For this situation, we need real-time fraud detection that monitors subscriber behavior in real time and adapts the user profile based on the monitoring.
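One way to implement the real-time monitoring described above, as an added example that is not part of the original article: each subscriber gets a running profile that scores every new observation and adapts only on normal behavior. The usage metric (call minutes per hour), the thresholds and the subscriber IDs are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

ALPHA = 0.2      # weight of the newest observation when adapting the profile
THRESHOLD = 4.0  # deviations from the profile mean treated as suspicious
WARMUP = 5       # observations required before scoring starts
MIN_STD = 1.0    # floor so a very regular subscriber does not alert on noise

@dataclass
class SubscriberProfile:
    """Running estimate of one subscriber's normal usage (assumed: call minutes per hour)."""
    mean: float = 0.0
    var: float = 0.0
    samples: int = 0

def observe(profile, value):
    """Score one observation against the profile, then adapt it. Returns True if suspicious."""
    suspicious = False
    if profile.samples >= WARMUP:
        std = max(math.sqrt(profile.var), MIN_STD)
        suspicious = abs(value - profile.mean) / std > THRESHOLD
    if not suspicious:
        # Adapt only on normal behaviour, so a fraud burst cannot retrain the profile.
        if profile.samples == 0:
            profile.mean = value
        else:
            delta = value - profile.mean
            profile.mean += ALPHA * delta
            profile.var = (1 - ALPHA) * (profile.var + ALPHA * delta * delta)
        profile.samples += 1
    return suspicious

def monitor(stream):
    """Consume (subscriber_id, usage) events in arrival order and return the alerts."""
    profiles, alerts = {}, []
    for subscriber, value in stream:
        profile = profiles.setdefault(subscriber, SubscriberProfile())
        if observe(profile, value):
            alerts.append((subscriber, value))
    return alerts

# Constructed sample events: A-1001 has one burst, B-2002 is heavier but steady.
SAMPLE = [("A-1001", v) for v in (10, 12, 11, 9, 10, 11, 240, 10)] + \
         [("B-2002", v) for v in (50, 55, 52, 48, 51, 53)]

if __name__ == "__main__":
    print(monitor(SAMPLE))
```
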

Challenges:

Detecting and mitigating those threats is a major challenge of the mobile broadband era. Whether it be via the cloud or the terminal, or in the mobile network infrastructure itself, mobile operators are ultimately responsible for working with industry partners to protect the network and the end user from debilitating security attacks. The mobile cloud is by nature highly virtualized and highly federated, and we need an approach to establish control and manage identities across our cloud and other people's clouds. It is difficult to locate a mobile cloud attack, and it is much more difficult to implement a centralized data protection solution on mobile devices.

Solutions:

To prevent unauthorized access to mobile devices and to provide cloud-access protection, there are certain measures that can be taken. As with all security challenges, the first step is to educate the users. Every mobile user should know about the right way and the wrong way to use Bluetooth and Wi-Fi. Also, policies should be in place that govern the use of business-owned and privately-owned wireless devices. In addition, by using one-time passwords, rather than locally stored passwords on the handsets, it's possible to maintain a higher security level in the mobile cloud. It's possible to embed a personalized configuration profile on each employee's mobile device, thereby implementing a personal security token or credential on each mobile device. Hence, only employees with trusted devices that comply with corporate security policy can access corporate applications and data in a private cloud setting.

Because there is no identification based on physical access, peer entity authentication and data origin authentication are needed.

Both mobile and cloud require the emergence of a new security control point that stands below mobile devices and above cloud providers. We have to control and protect the flow of information between mobile devices and cloud storage.

3 The threat of malware

Smartphones are becoming more sophisticated and fully featured computers, which attracts growing attention from malware creators. As the number of Internet-enabled handheld mobile devices continues to grow, web-based threats will continue to grow in number and sophistication: not just viruses and botnets, but also phishing from malicious domains and social networks, identity theft and spam. Banker Trojans targeting platforms such as the iPhone and Windows Mobile have appeared in recent years, and fake mobile banking applications have shown up in the app stores of some mobile platforms as well.

Challenges:

From a security viewpoint, relevant mobile devices (smartphones and tablets) interact with the external world more intimately and through a wider array of technologies. We need to protect mobile Internet users from many types of sophisticated security threats. Cloud-based applications differ in some ways from traditional applications on the PC. The identity layer is harder than ever for the simple reason that there are more apps per user than ever before. Services are becoming any-to-any, where internal and external classifications don't matter nearly as much as before.

Solutions:

Authorized software can be stored in and distributed from the cloud. When malware is detected or suspected, the smartphone software can be restored from trusted backups in the cloud. Empowering the employees while arming them with the proper education on the threats is vital. We need to change users' behavior through education. A company should educate its employees about threats that are out there in the wild and make sure folks understand what to look out for when using their mobile network or apps. Secondly, we must harden the network infrastructure itself. Every mobile user should protect his or her network and mobile devices with anti-malware, anti-spyware, and botnet mitigation to restrict mobile access to unauthorized sites and filter spam.

Future of mobile cloud security

Mobile cloud computing is an emerging market driven by the popularity of smartphones and tablet computers. As more mobile devices enter the market, security issues will grow as well. With the development of the Internet of Things, more intelligent devices can interact with the mobile cloud and bring new security concerns.

