Cloud Goes Mobile
Users and enterprises are concerned with cloud security: Is my data in the cloud protected against unauthorized access? Does the cloud have good enough data backup? When I erase my data, can I be sure it's really gone (including backups!)? The discussion has therefore focused on how to make the cloud and its data centers secure: access control, data encryption, intrusion detection, RAID-type storage, and so on. But there is now a trend to "bring your own device" (BYOD), where employees bring their own devices inside the corporate cloud and/or connect them remotely over mobile broadband. The perimeter of the cloud is thus eroding, and we could even have "Trojan horses" inside the firewalls via personal devices that are not properly managed (using anti-virus etc.). So enterprises and cloud providers are also starting to feel worried about losing control, just as some users feel when they no longer know how their data is handled. Such a potential, mutual (dis)trust issue of course needs to be handled.
The Cloud Security Alliance (CSA) has recently started a new research group, the Mobile Working Group, to look at these issues. To get a good starting point for their work, they conducted a survey on the "Top Threats" when mobile devices connect to the cloud.
Not surprisingly, data loss is seen as a major threat (just as it is in non-mobile clouds). Perhaps more surprisingly, threats related to NFC are also brought up. This may, at first, seem surprising since NFC has been defined with security in mind (physical proximity makes certain attacks harder). However, how do you know who is "at the other end" of the NFC connection? Who will get your mobile payment data? This requires that, for example, authentication be added.
What do you see as the main threats? Do you share the views of the CSA survey?
It's really important to look at how we can merge clouds with mobile devices in a trustworthy way. Certainly, smartphones and iPads connecting to the cloud are only the tip of the iceberg. If the vision of a Networked Society is to become a reality, we will need to handle billions of different devices connected to cloud(s). At Ericsson, we are participating in activities looking at how to make even the tiniest device (e.g. a small sensor) secure so that it won't pose unacceptable risks to itself or to the cloud. For example, the PROSPER project is looking at secure virtualization techniques for restricted devices. Ericsson has been a member of CSA since this spring.
--Mats Näslund, Ericsson Research