In the view of Ramses Gallego, security strategist and evangelist at Quest Software, and international vice president of ISACA (Information Systems Audit and Control Association), mobile security is now one of the key issues when it comes to defending Cloud services.
Any developer working to build Cloud-delivered applications now has to work on the assumption that mobile devices are going to be at least part of the mix at the client end of the chain, if not the primary end-user tool.
But that combination of mobile client and Cloud service delivery is creating a sea-change in the fundamental concepts of what security now means and how it can be applied. Till now there has been one main model for securing end-user devices: protecting the device itself at the endpoint. In the Cloud, however, that is becoming far from the best option.
“We still think we have to throw solutions at the end point, using many applications to secure the device physically,” Gallego said. “But developers now have to have the right set of mind that says no matter what kind of information you build with the information, no matter where it is stored – Amazon, Google or iCloud – or even where it is stored geographically, security is going to be embedded into it.”
Gallego will be presenting a paper on this subject at the upcoming ISACA EuroCACS event 10th -12th September in Munich.
His contention is that the key to security now is governing who has access to the data and what they are allowed to do with it, particularly in a world where easily downloadable client apps proliferate. “The world is becoming ‘applified’, by which I mean I see it coming that enterprises will have their own appstores. I am seeing many companies allowing users to bring their own device or whatever they want. So they will be entitled to use apps X, Y and Z, depending on their role in the company.”
To get to this, the security – the policies and procedures by which businesses govern the rights of access to data, the rights of action allowed with that data, and a wide range of other controls and parameters on user interaction with applications and data – will need to be embedded in the data.
In other words, the data itself manages who gets to work with it and the parameters of what work can be done by that individual, and when. Coupled with identity management policies and processes capable of authenticating individual users, Gallego sees this as the basis of future security models.
“It will be the data that is screaming ‘you cannot do this with me. You cannot send me to that system or device, and you cannot print me on that Starbucks printer’.”
At the same time, of course, users will need to be able to take those actions, be allowed that flexibility with data that can be sent to unauthenticated individuals or printed via open networks. This is why the security has to be embedded into the data itself, rather than the management of user actions per se.
BYOD rings changes
The Cloud changes one significant fundamental when it comes to security thinking. The client device, indeed the whole Cloud, can be riddled with viruses and Trojans, and that need have no detrimental effect.
So defending the individual devices will be no longer relevant. Indeed, trying to defend the number of different devices that might be on an individual business Cloud service, even an on-premise private Cloud, will be difficult. Once that Cloud becomes hybrid – as most will over time – trying to secure individual devices will become an insurmountable problem.
“I have seen a beta device that has a screen on one side that is the ‘personal you’ and a screen on the other side that is the ‘professional you’. But no matter what device you are using I don’t care. I will be looking at the authorisation schema, for this is about post-access control. We used to do pre-access control such as who you are, what is your password?
“But now we are moving from a system-centric view of data protection to a data-centric view, so you don’t need to protect the physical devices, you need to protect the data. I will be allowed/not allowed to do things with the data depending on who I am, what I am doing and when I am doing it. This is about identity intelligence, not identity management.”
The growing Bring Your Own Device (BYOD) movement adds a further level of complication to security, and it is one that brings an aspect of ‘big brother’ to the security party. Gallego sees this as involving a trade-off that will probably become accepted behaviour, but one whose full implications many, especially potential BYOD users, may not have thought about yet.
“As a CIO, I accept that you will want to bring in and use your own laptop, iPad or whatever. But the employees have to accept that this is my castle and my rules. That means I back it up, the whole thing, even if there are pictures of you, personal messages and the rest. That is the type of trade-off and agreement between company and employee that will be required. I have seen people accepting this, and I have seen them not accept it because there are personal pictures or whatever on that device. Then they have to accept that they use a device that the company is prepared to buy.”
He stressed that there is a balance here, a deeper trade-off between employees and employers. As he put it, the former need to behave, but the latter have to do a much better job of communicating with their employees about the ‘why’ of security. It is certainly likely that staff who can bring in and use their own devices will be more productive. But the employees need to understand that the company has to protect the brand. Without the maintenance of brand values there is often no business left to employ anyone.
DLP on the agenda
This moves the whole discussion into the area of DLP, which in Gallego’s view now stands for two different but related tasks. Till now it has stood for Data Loss Protection, but now it also stands for Data Leak Prevention, and this is where staff behaviour and actions can be the problem. Data leaks are one of the great threats to company brand value, and EU Directives now make them expensive events if not avoided, with significant fines imposed when they occur.
“I don’t talk about this as IT risk management,” he said. “This is enterprise risk management. At the end of the day this is about protecting the enterprise as a whole.”
In his view the idea now has to combine several levels of rules that data can use to control what happens to it. First of all there has to be role-based access control which can monitor who is accessing the data. But there must also be rules governing the content- and context-based reaction of the data to those accesses.
“Businesses are working in a world of geolocation, so depending on where you are in the world, and how you are connected, you can access server X but not Y, or access data A but not C. So context-based computing will be extremely important in a world which is Cloudified, appified and mobilised. This is not just pre-access control but also post-access control. The data can shout at you that you cannot do that.”
So the context of an allowable action – for example accessing a server to download or forward a specific datafile – will be important. It may be an allowable action, but if the context is wrong – accessing it via mobile device at 3am using international roaming services – the data can refuse to co-operate.
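The combination described over the last few paragraphs – a role-based check on who may touch the data, followed by content- and context-based rules (location, connection type, time of day, destination) that can still refuse an otherwise permitted action – can be written down as a small policy evaluator. The following is an added illustration, not code from Gallego, Quest Software or ISACA; the `DataPolicy` and `Context` structures, the rule order and the sample scenarios (the 3am roaming mobile request and the untrusted printer) are all constructed for this example.

```python
from dataclasses import dataclass, field

# Hypothetical, constructed model: a data object carries its own policy, and every
# request is evaluated against the requester's role AND the context of the request.


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    device: str          # e.g. "managed_laptop" or "mobile"
    country: str         # country code of the requester's current location
    roaming: bool        # connected via international roaming services
    hour_utc: int        # hour of day in UTC, 0-23
    target: str = ""     # destination system or printer for forward/print actions


@dataclass
class DataPolicy:
    # pre-access control: role -> set of actions that role may perform at all
    roles: dict
    # post-access, context-based controls that can still refuse a permitted action
    allowed_countries: set
    business_hours_utc: tuple = (7, 19)      # inclusive start, exclusive end
    deny_roaming: bool = True
    trusted_targets: set = field(default_factory=set)


def evaluate(policy: DataPolicy, ctx: Context, action: str) -> tuple:
    """Return (allowed, reason). Rules apply in order; the first denial wins."""
    # 1. role-based access control: is this role ever allowed the action?
    if action not in policy.roles.get(ctx.role, set()):
        return False, f"role '{ctx.role}' may not '{action}'"
    # 2. geolocation: where in the world is the request coming from?
    if ctx.country not in policy.allowed_countries:
        return False, f"country '{ctx.country}' is not permitted"
    # 3. connection type: the data refuses to co-operate over roaming
    if policy.deny_roaming and ctx.roaming:
        return False, "access over international roaming is refused"
    # 4. time of day, but only for mobile devices
    start, end = policy.business_hours_utc
    if ctx.device == "mobile" and not (start <= ctx.hour_utc < end):
        return False, f"mobile access outside business hours ({ctx.hour_utc:02d}:00 UTC)"
    # 5. destination: forwarding or printing only to trusted targets
    if action in ("forward", "print") and ctx.target not in policy.trusted_targets:
        return False, f"target '{ctx.target}' is not trusted for '{action}'"
    return True, "allowed"


# Constructed sample policy attached to one (hypothetical) document.
CUSTOMER_REPORT_POLICY = DataPolicy(
    roles={
        "analyst": {"view", "download"},
        "manager": {"view", "download", "forward", "print"},
        "contractor": set(),
    },
    allowed_countries={"DE", "ES", "GB"},
    trusted_targets={"hq-floor3-printer", "mail.example.internal"},
)


def run_scenarios(policy: DataPolicy = CUSTOMER_REPORT_POLICY) -> dict:
    """Evaluate a set of constructed requests and return name -> (allowed, reason)."""
    scenarios = {
        "laptop_office_hours_view": (
            Context("alice", "analyst", "managed_laptop", "DE", False, 10), "view"),
        "mobile_3am_roaming_download": (
            Context("alice", "analyst", "mobile", "DE", True, 3), "download"),
        "mobile_3am_home_network_view": (
            Context("alice", "analyst", "mobile", "DE", False, 3), "view"),
        "print_to_coffee_shop_printer": (
            Context("bob", "manager", "managed_laptop", "ES", False, 14,
                    target="coffee-shop-lobby-printer"), "print"),
        "print_to_hq_printer": (
            Context("bob", "manager", "managed_laptop", "ES", False, 14,
                    target="hq-floor3-printer"), "print"),
        "contractor_view": (
            Context("carol", "contractor", "managed_laptop", "GB", False, 11), "view"),
    }
    return {name: evaluate(policy, ctx, act) for name, (ctx, act) in scenarios.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The order of the checks matters: the role check is the pre-access control Gallego describes, while the remaining rules are the post-access, context-based ones that let the data "shout" that an otherwise legitimate user cannot perform an action right now, from here, over this connection, or to that destination. Each denial carries a reason string so that the decision can be logged and reviewed, which is what turns a policy engine into something an incident responder can actually work with.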
All of this begs one obvious question: what is needed from developers and industry to make this happen? This approach might be easy to engineer in a ‘Cloud’ connecting two users, but what if a third party needs to join, and is working in a different way?
If a geolocated, Cloud-driven, time-independent, technology-agnostic environment is to work properly there will surely have to be more standards?
“The architecture you set out is right, and to me that needs two or three layers. One is the data, the presentation layer. Data should be in the upper part of the stack and then you can Cloudify it, create an array of applications accessing and presenting the information. But not everyone is building their Clouds on that model. Many are still talking about APIs, and that means vendor lock-in with zero interoperability. They want to build Clouds in siloes based on their own vision of the world. As a consumer I do not want vendor lock-in.
“The second part is standards. You and I can build a Cloud between us using anything. But what when we introduce a third party? And what happens when it grows to 6 million people, or 40 million people? So standards like SAML, XML, and all those standards on identity federation such as OpenID, are important. There is still a way to go, but if developers stick to those standards it will be possible to build a single, unified identity that is ‘me’.”
At the end of the day his ideas can be summed up quite simply. Developers looking to build applications and services that exploit not just the Cloud but also the burgeoning mobile client market and the consequent BYOD movement have one overriding objective: ensure that what they build is as interoperable as possible.
From that will follow the use of standards, and the application of security models that are data-centric, providing context-based, post-access identity intelligence as an integral part of policy-based business operations management.