ORLANDO, Fla. -- The burgeoning influx of employee-owned smartphones and tablets in the workplace has added to the complexity of securing cloud-based systems, according to a panel of experts who urged IT security teams to consider setting enforceable mobile policies alongside cloud policies.
There seems to be somewhat of a classic brute-force security approach to address the issues, but if you dumb down devices too much you are going to be impacting the user.
William Corrington, consultant, Stony Point Enterprises LLC
The process for setting policies addressing both mobile and cloud is easier said than done, said Tom Kellermann, vice president of security vendor Trend Micro Inc. He said hybrid cloud policies developed in conjunction with mobile security policy should be as a collaborative effort involving all of an organization's data owners, administrators and others who know the business and can find a middle ground.
"Make a conscious decision policy wise about what the devices are being used for," Kellermann said, adding that security technologies are still emerging to better protect smartphones and tablets. "I think there is a need to make the device context aware."
At the 2012 Cloud Security Alliance (CSA) Congress, Kellermann joined William Corrington, a consultant at Stony Point Enterprises LLC, and Jon-Michael Brook, a senior principal security architect with Symantec's public-sector business unit, in a discussion on mobile security threats and their effect on cloud security. The discussion highlighted many of the findings in a report to be released Thursday from the CSA covering cloud-related guidance for critical areas of mobile security. The report concludes that while organizations are beginning to implement policies to address mobile security issues, many still wrestle with the challenges of securing corporate data on personally owned devices.
The walled garden maintained by Apple's iOS leaves antivirus vendors out of the equation, but also appears to be keeping cybercriminals at bay. Meanwhile Google Android devices are a growing security problem because the open architecture attracts malicious applications and an ever increasing amount of mobile malware.
"There seems to be somewhat of a classic brute-force security approach to address the issues, but if you dumb down devices too much you are going to be impacting the user," Corrington said.
Adding to the mobile security conundrum, Corrington said, are a multitude of cloud environments that are slowing eroding the concept of perimeter away. In a complex ecosystem with multiple players and service providers, organizations must consider the issue from an access control perspective.
"A strong identity ecosystem is really critical," Corrington said. "Authentication and identity management should be bidirectional."
Corrigan said identity attributes and device attributes in conjunction can be used to infer a trust level and define access to resources based on the trust level. For example, he said a device authenticated with two-factor authentication would be given a higher trust level and access to more resources.
Segmenting personal and business data is a tough problem that hasn't been fully solved, said Brook. Technologies can wrap some apps with IT policies and wall off corporate data on the device. Basic security policies should be enforced. He said encryption should be turned on, and location services and remote-wipe capabilities should be employed.
"Follow through with what you actually put into policy and put some teeth into it," Brook said. Enforcing policies give employees the signal that the company is serious about security.
Security will get better, because technologies are still emerging, said panel moderator Salim Hariri, director of the Autonomic Computing Laboratory at the University of Arizona. Hariri said researchers are testing moving target defenses with software behavior encryption, designed to make it more difficult for attackers to root a device by changing the environment randomly.
"With faster processors we might create multiple decoy environments at the same time," Hariri said. "One is active the rest are honeypots."