Securing the Public Cloud for the Mobile Workforce
There are two great drivers in current computing: a general migration into the public cloud, and the growth of mobile computing. The two are connected, for it is because of cloud computing that mobile computing is evolving so fast: the ubiquitous access to web technology makes the immediacy and geo-freedom of mobile computing attractive and inevitable.
But both cloud computing and mobile computing have their own and different security issues – and both need to be solved before the full potential of either can be realised. That’s what we’re going to discuss here: how the cloud can be secured for the mobile workforce; and how the mobile workforce can be secured for the cloud. We’ll start with security in the cloud.
Public cloud computing and security
The basic question is simple: how can you be secure in the public cloud? And the basic answer is also simple. “You can’t,” says Bruce Schneier. “In the cloud you’ve given your data to someone else. How can you secure what you don’t have? You don’t even know where it is.”
This is a purist’s view: there is no such thing as absolute security. It doesn’t mean that you have to abandon the cloud, it means that you must understand the problems in order to be adequately secure. There are two key points here:
- absolute security is impossible (which is true in any form of computing). In the cloud it is primarily because you have to place your trust in a third party
- where is your data? Knowledge of its geo-location is essential in order to ensure compliance with laws such as the EU’s data protection regulations
Neither of these problems will stop the migration to the cloud – the economic arguments are too compelling. “When you look at the incredible amount of scalability, and the flexibility and cost savings that combining the cloud model with mobile computing will bring,” says William Beer, director, OneSecurity practice, PricewaterhouseCoopers, “I’m convinced that this is just going to lead to some very positive changes in the whole way we conduct business.”
The key to being adequately secure in the cloud is having trust in your supplier. Philippe Courtot, chairman and CEO of Qualys, doesn’t believe this should be too difficult. “If you look at the current environment,” he argues, “first you design the network, then you choose your applications and integrate those applications and finally you secure them. This is actually beyond the capability of most companies. Think of new vulnerabilities and how long it takes to implement workarounds and then patch in the updates. Cloud computing can greatly simplify the problem by creating an environment that is ready-made and better controlled by security specialists.”
PwC’s Beer counsels that you must then look beyond the infrastructure at other aspects; such as forensics. “What happens,” he asks, “when something goes wrong?” [Is this a Freudian slip: not ‘if’, but ‘when’?] “What happens when you run into a problem and you need to move out of one cloud provider into another cloud provider? There are storm clouds on the horizon if we don’t consider these issues.”
So the choice of your cloud provider is important. You have to be able to trust that provider. The key here is your contract, your service level agreement (SLA) with that provider; if you’re not happy, shop around until you are. One area in particular you must explore is the geo-location of your data. This is particularly relevant for European companies that need to comply with very strict regulations on the ‘export’ of personal information. In order to maximise the cost-saving potential of cloud computing, the provider must be able to move data to the most efficient location – which could be a server in a foreign land; and that might be in breach of European law.
Here’s an example of the complexity. Google is a major cloud player. Google Apps is a major cloud application. But what if an EU company stores personal customer data in a Google Apps spreadsheet? Since the user doesn’t know where that is, isn’t it effectively illegal?
“We don’t think it is,” says Eran Feigenbaum, Google Apps’ director of security. “We don’t believe that there is a problem here. We have Safe Harbor certification [the agreement between the EU and USA that the US company is acceptable to EU data protection requirements].” Feigenbaum contends that since Google’s Apps servers are primarily located in the US and Europe, and since Google has had Safe Harbor certification since 2004, use of Google Apps automatically complies with EU data protection requirements. Is he right? There has been no legal confirmation that he is right. Can we take the risk? Can we afford not to?
But it would be wrong to think that moving to the cloud is just a security danger – it is also a security opportunity. Eric Baize, senior director of the Product Security Office at EMC, points out that when computer systems were first designed, security wasn’t part of the process. “You had computers, and network components, and applications and you integrated them and got them all working together – and then you went to separate suppliers to add security on the top. You don’t do that anymore. Today most security companies have become divisions within infrastructure suppliers. EMC was one of the first when it took over RSA; more recently Intel has acquired McAfee and HP has bought ArcSight.” Baize believes that before long, the only independent security companies will be start-ups. The effect though, is that security is now an integral part of the infrastructure. “When you buy a storage device today, you don’t have to add encryption afterwards; encryption is already a feature of storage.”
Moving to the cloud is, then, an enormous opportunity to get security right from the ground up. We always should have been concentrating on people and data, but we never did. Because security was separate to the infrastructure, and because the infrastructure was visible and the data wasn’t, we concentrated on trying to secure the infrastructure. Now things have reversed: the security is integral to an infrastructure that we cannot see. “Today,” says Baize, “we can have a security aware infrastructure rather than a security layer on top of the infrastructure.”
In theory then, there is no reason why cloud security should not be as good if not better than computer room security. But what about the geo-location issue? In a private cloud it is not an issue: you still own the infrastructure and ‘cloud’ is just a computing approach. You can use data loss prevention technology to prevent personal data leaving your network. Baize believes the same approach should be taken in the public cloud. “Look at data loss prevention (DLP) technology,” he says. “We are teaching our systems to be aware of content, and to respond to that content.” In DLP, that awareness prevents sensitive data from leaving the corporate network; in the cloud it could be used to prevent European data from leaving the EU.
Securing the mobile user
A security aware cloud is one thing. That will help the user have confidence in his data. But with a growing mobile workforce, and the growing consumerization of computing, we won’t have security unless the data can also have confidence in the user. Once again, PwC’s Beer points out that not enough of us have considered the liability aspects of this development.
“Consumerization means that the lines are becoming blurred between personal and professional computing. Companies are allowing their staff to choose and use their own mobile devices. The same iPad could be used to update the company Facebook page, the member of staff’s personal Facebook page, the member of staff’s partner’s personal Facebook page, and the company website. What happens if this personal use then causes a problem for the company? Who is liable? What redress is possible?”
Apart from liability, there are two issues here: what can be done with the mobile device, and who is using it. In terms of what can be done, Philippe Courtot sees a growing relevance for thin computing. “I’ve been saying for ten years now that we are not meant to be dependent upon a huge complex operating system like Windows on the desktop, and that, essentially, most of our computing will be in the cloud.” He was a bit ahead of his time, but this is finally happening. Users are abandoning expensive and feature-cluttered bloated desktop applications for the free (at least at the personal level) Google Apps and Microsoft Office Web Apps. When you think of this, all you need is a browser; and all you need for that is a smartphone or tablet.
Small handheld devices like this are ideal for the mobile worker; and they can more easily be locked down by the manufacturer. Consider the iPhone and the iPad, and the efforts taken by Apple to lock down its products. This can be annoying for the personal user; but a blessing for the company. However, it doesn’t solve the second issue: since mobile devices are so easily lost or stolen, how can the corporate data in the cloud be confident that it is the authorised user operating the mobile device? We’re talking, of course, about authentication: not just authenticating the device, but authenticating the user to the device – and it’s one of the hottest issues of the day.
For example, one possible route would be biometrics. Most governments are sufficiently confident in biometrics to promote their use for authenticating citizens with ID cards. Most security professionals, however, are less convinced. For example, if the user’s biometric template is stored centrally it is subject to loss, theft, alteration and corruption just like any other data. If your password is compromised, you change it. But you cannot change your biometric template.
Now consider Apple. It has, within the last few weeks, patented the idea of using heartbeats as a biometric measure, and also bought a face recognition company. At this stage it is pure conjecture – but could we be moving towards biometric authentication of the user by the device taking periodic snapshots of the user’s face and simultaneously monitoring heartbeat rhythms? If the user is not the registered owner or, in motor insurance terms, a named other driver, then the device could be shut down (and maybe its location sent to the police).
This could be one approach. An alternative could be that just announced by Google: two factor authentication (2FA) for its Google Apps. “A couple of years ago,” explained Eran Feigenbaum, “we sat down and discussed what we could do to improve user security. We came to the conclusion that the weakest link in the security chain is the user password. Every day thousands of accounts are phished, hacked or guessed. So we looked at two-factor authentication. 2FA is not new – it’s been around for a while – but by and large it hasn’t really taken off. One reason is the cost – so we wanted to have a service that is free. A second problem is complexity, both for the admins and the user – so we wanted to make things easy as well as free. It has to be easy – we find that if you make it easy for users to do the right thing, they tend to. If you don’t, they’ll find ways around it.”
Google’s solution is an out-of-band six digit code either generated by a BlackBerry, iPhone or Android app, or generated by Google and sent to the user’s mobile phone whenever a login is attempted. It just ensures that the person attempting the login is actually the owner of the account. This, combined with Google Apps session encryption, raises Google’s cloud security to a level similar to that used by many banks. But there is still one problem common to both biometrics on Apple devices and 2FA on Google: they are limiting – Apple to Apple and Google to Google. What the cloud needs is something that transcends individual device or service provider, and places no limits on its users.
RSA’s Eric Baize thinks the answer could lie in what he describes as a ‘risk score’. This involves “looking at multiple aspects of the transaction and the connection to make sure that we have adequate assurance that the user behind the device is not someone who has stolen the password,” he explains. “We’d be looking at things like are you connecting from the same device as the last time you connected; are you connecting from the same geo-location as before; are you using the same browser; are you generating the same type of transaction as you usually generate. It’s an accumulation of factors to create a composite score that reflects the risk involved. If the risk score is low enough, the connection is allowed; if it is a high risk score, the connection is disallowed.” It’s a technology already used effectively by the banks, and there’s no reason that such an established and proven technology should not be applied to the cloud.
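The composite score described above can be sketched in a few lines. This is an added example, not code from RSA or from the article: the weights, the 0.5 cut-off, the signal names and the sample sessions are all assumptions constructed for illustration. Each of the four signals contributes its weight scaled by how rarely this user has presented that value before.

```python
from collections import Counter

# Assumed weights per signal (not from the article); they sum to 1.0.
WEIGHTS = {"device": 0.35, "geo": 0.30, "browser": 0.15, "txn_type": 0.20}
DENY_THRESHOLD = 0.5  # assumed cut-off: scores at or above this are disallowed


def build_profile(history):
    """Count how often each value of each signal appears in past sessions."""
    return {sig: Counter(s[sig] for s in history) for sig in WEIGHTS}, len(history)


def risk_score(profile, attempt):
    """Composite score in [0, 1]: each signal adds its weight scaled by how
    unusual the attempt's value is for this user (never seen or missing = full weight)."""
    counts, total = profile
    if total == 0:
        return 1.0  # no history to compare against: treat as highest risk
    score = 0.0
    for sig, weight in WEIGHTS.items():
        seen = counts[sig][attempt.get(sig)]
        score += weight * (1 - seen / total)
    return round(score, 3)


def decide(profile, attempt):
    score = risk_score(profile, attempt)
    return ("deny" if score >= DENY_THRESHOLD else "allow"), score


# Constructed sample history for one user (not real data).
HISTORY = [
    {"device": "phone-A", "geo": "GB", "browser": "Safari", "txn_type": "read_doc"},
    {"device": "phone-A", "geo": "GB", "browser": "Safari", "txn_type": "read_doc"},
    {"device": "phone-A", "geo": "GB", "browser": "Safari", "txn_type": "edit_doc"},
    {"device": "laptop-B", "geo": "GB", "browser": "Chrome", "txn_type": "read_doc"},
]
PROFILE = build_profile(HISTORY)

USUAL = {"device": "phone-A", "geo": "GB", "browser": "Safari", "txn_type": "read_doc"}
TRAVEL = {"device": "phone-A", "geo": "FR", "browser": "Safari", "txn_type": "read_doc"}
STOLEN_PW = {"device": "pc-X", "geo": "US", "browser": "Firefox", "txn_type": "export_all"}

if __name__ == "__main__":
    for name, attempt in [("usual", USUAL), ("travel", TRAVEL), ("stolen", STOLEN_PW)]:
        print(name, decide(PROFILE, attempt))
```

With these assumed weights a single changed signal, such as the known phone connecting from a new country, stays under the cut-off, while a correct password presented with every signal unfamiliar is disallowed.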
It’s going to be difficult. We’re going to need to ask questions we’ve never asked before. But marrying mobile and cloud computing will revolutionise the way we do business. And if we do it right, we now have the skills and technology to build security into the infrastructure rather than applying it over the top.