Mobile and Personal Cloud Computing - The Next Step in Cloud Computing

Edger Germer
November 11, 2015

Executive Summary

“Cloud Computing” has been the hottest buzzword in Information Technology (IT) since Google’s CEO George Schmidt introduced it in August 2006.1 By offering greater flexibility and availability of computing resources at a lower cost, cloud computing is a highly attractive alternative to traditional computing environments. More recently, cloud computing has grown to include “Mobile Cloud Computing (MCC).” Mobile devices (e.g., smartphones, tablets, laptops, PDAs) enable rich and convenient user experiences, fueling the rapid growth in MCC. According to eMarketer reports, there will be over 3 billion smartphones and tablets in use by the end of 2015.2,3 In turn, MCC is prompting the growth in all mobile-enabled segments such as commerce, learning, healthcare, banking and other areas.4

As the number of internet-enabled mobile devices grows, unfortunately so do malicious web-based threats. While there are several concerns with MCC, security is the major issue, echoed by information executives who state that security is – and remains – their number one concern with cloud computing.6 From a risk management perspective, the accidental release or unauthorized access/conversion of sensitive data can result in significant costs from regulatory compliance such as notification, reputational injury and potential litigation.

So how can businesses manage the opportunities and exposures associated with cloud computing and MCC? This whitepaper provides an overview of these maturing technologies, security issues and the IT industry countermeasures to address them. As the technology behind cloud computing is the foundation for MCC, this paper provides a discussion of cloud computing before addressing MCC.

Cloud Computing

The National Institute of Standards and Technology (NIST) defines cloud computing as “a model of enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. Cloud computing allows the utilization of a computing infrastructure at one or more levels of abstraction, as an on-demand service made available over the internet or other computer network.”7

Think of cloud computing as a utility company (e.g., gas, electric or phone) where an organization purchases varying quantities of services as needed and pays for the service at the end of the month (metered services).  These services include computing, storage and networking. Computations take place on the cloud service provider’s servers (“the cloud”) located at a remote facility (a “colocation”) with the internet being the conduit that transports data between the organization’s hardware and “the cloud.” The cloud provider maintains the building, infrastructure, hardware, software, etc., while the organization simply pays for the services they consume.

Characteristics of Cloud Computing

Five characteristics that differentiate cloud services from conventional computing approaches include:8

  • On-demand Self-Service - Users can directly purchase computing services such as server time and storage as needed with minimal interaction with the service provider.  These services can also be readily discontinued when they are no longer needed.
  • Broad Network Access - Services are available over the internet and accessed through standard devices such as thin or thick client platforms. A “thin client” is a device with no computational or storage capacity (e.g. smartphone or tablet). A “thick/fat” client is a fully functioning computer. In both cases all processing and storage is done on a cloud provider’s server. 
  • Resource Pooling - Storage, processing, memory, bandwidth and hardware are shared with other users.
  • Rapid Elasticity - Capabilities can be rapidly and elastically purchased in any quantity at any time and discontinued when no longer needed.
  • Measured Service - Resource usage is monitored, controlled and optimized through metering capabilities.

Deployment Models

There are four common models cloud service providers use to deploy and organize their services:9

  • Public Cloud – Computing resources are made available to the general public or organizations over the internet. It is owned by a cloud provider selling cloud services to others.
  • Private Cloud - At the other end of the spectrum are private clouds where the computing environment is operated exclusively for one organization/customer (e.g., the IRS). The private cloud may be managed by the organization or a cloud service provider, and it may be hosted within the organization’s premises or elsewhere (e.g., at a colocation facility). The organization/customer has control over the infrastructure and computational resources.
  • Community Cloud – This deployment model is less common. A community cloud is similar to a private cloud, but the infrastructure and computing resources are shared by several organizations having common privacy, security and/or regulatory considerations. Examples include healthcare and financial community clouds.
  • Hybrid Cloud - A hybrid cloud is composed of two or more cloud deployment models (public, private or community) that remain unique entities but are bound together by standardized or proprietary technology. This approach allows an organization to store protected or privileged data on a private cloud while retaining the ability to leverage computing resources from the public cloud to run applications that rely on the data. For example, hybrid clouds are frequently used in the financial sector where trade orders are processed in a private cloud while trade analytics are conducted on a public cloud infrastructure.

The degree of control an organization has over the cloud’s computational environment varies depending on the type of cloud deployment – from almost zero control in public clouds to full control in private clouds.

Service Delivery Model

Just as the different deployment models affect an organization’s scope and control over the cloud’s computing environment, so too does the service model supported by cloud service providers. Three common and frequently-used service models are:10,11

  • Software-as-a-Service (SaaS) – SaaS provides applications/software delivered over the internet by the cloud service provider eliminating the need to install software on the organization’s hardware. The provider hosts the software while the subscriber connects and uses it. Examples of SaaS include Twitter, Facebook, Yahoo, Gmail and Salesforce.
  • Platform-as-a-Service (PaaS) – PaaS offers development tools that can be used by software developers to create applications. This might include tools that allow an organization to build various web services that enable database access, billing or others. Examples of PaaS include Microsoft Windows Azure and Google App Engine.
  • Infrastructure-as-a-Service (IaaS) – Rather than purchasing servers, software, data center space or network equipment, IaaS provides these resources as an outsourced service. The organization provides its application software to the cloud service provider to host. The services are typically billed on a utility computing basis (metered). Examples of IaaS include Amazon Elastic Compute Cloud (EC2), Joyent, Rackspace and IBM Computing on Demand.

Concerns

With SaaS, the service level, security, governance, compliance and liability expectations of the service are contractually stipulated, managed and enforced by the provider. With PaaS, the provider is typically responsible for the security of the underlying operating system, while the user is responsible for the security of the application and other areas. With IaaS, the provider is responsible for the underlying infrastructure components to ensure basic service availability and security, while the subscriber is responsible for the rest. Additionally, SaaS and PaaS may be hosted on top of IaaS (a.k.a. “nesting”). These relationships and dependencies among the cloud service delivery models can be a security risk, as a breach at any of the services may negatively impact the others. Organizations need to carefully review their service level and contractual agreements with their provider(s) and fully understand the level and type of services that are being provided.

Mobile Cloud Computing (MCC)

The Mobile Cloud Computing Forum defines MCC as: “Mobile cloud computing at its simplest refers to an infrastructure where both the data storage and the data processing happen outside of the mobile device.  Mobile cloud applications move the computing power and data storage away from mobile phones and into the cloud, bringing applications and mobile computing to not just smart phones users but a much broader range of mobile subscribers.”12

MCC is a combination of mobile networking and cloud computing which enables cloud computing attributes such as on-demand access, computing, networking and storage capabilities, but without the need for memory intensive software applications on the mobile device; however, smaller applications that provide access to the cloud would be present.13 Applications and data stored on cloud service providers’ servers are accessed by mobile devices via wireless or cellular internet connections. Applications are run on the cloud service provider’s remote servers and results are transmitted to the user.14

MCC Security

Securing MCC users’ privacy and maintaining the integrity of data or applications is a key issue with both MCC and cloud computing. As MCC is a combination of mobile networks and cloud computing, security-related issues are divided into two categories: mobile network users’ security and cloud security.

  • Mobile Network Users’ Security - Data on mobile devices are more at risk than data on traditional computers because mobile devices are more likely to be left unprotected. According to the Cloud Security Alliance, the top mobile device threats that affect security are:15
    • Data loss from lost/stolen devices.
    • Information stolen by mobile malware.
    • Data leakage through poorly written third-party applications.
    • Vulnerabilities within devices, operating system and third-party applications.
    • Unsecured network access and unreliable access points.
    • Unsecured or rogue marketplaces.
    • Insufficient management tools, capabilities and access to APIs (application programming interfaces).
    • Near Field Communication (NFC) and proximity-based hackers.
  • Countermeasures to Security Issues16 - Endpoint security including threat detection for the mobile device is critical. However, mobile devices have limited processing capability and power issues. To address these issues the industry has:
    • Transferred security detection services/responsibilities to the cloud service provider resulting in better detection of malicious code, reduced consumption of resources on mobile devices and reduced software complexity of mobile devices
    • Implemented Intrusion Detection Systems (IDS) and Cloud Intrusion Detection Systems Services (CIDSS).
    • Recommended thin client antimalware and antivirus usage to protect mobile devices from data loss.
  • Securing Information on the Cloud – Security is paramount in protecting and maintaining the integrity of the data stored within the cloud. Specific measures at the various layers are essential, including:17
    • Backbone Layer – This constitutes security surveillance on cloud physical systems that help monitor the servers and machines in the cloud infrastructure.
    • Infrastructure Layer – This layer monitors virtual machines (VMs) in the cloud. Security activities such as storage verifications, VM migration, cloud service monitoring, VM isolation, risk evaluation and audits are carried out in this layer.
    • Application and Platform Layer – Security activities such as user management, key management, authentication, authorization, encryption and data integration are carried out in this layer.

Responsibility for securing all three layers lies with both the cloud service provider and the organization, with the degree of responsibility varying and depending on the service model (SaaS, PaaS, or IaaS).

Authentication

Accessing applications over the internet makes access from any network device easier; however, it introduces security risks. Authentication is used to verify that the user is who they say they are.18 For high levels of assurance, authentication must be combined with encryption and secure data transmission protocols to ensure security. Various authentication mechanisms suitable for mobile environments have been proposed to secure data access. Examples include the use of access or login IDs, passwords, PINs and multifactor authentication. Applying identity management through the cloud makes managing identities, regardless of device or location, more convenient.

Integrity

Every mobile cloud user must ensure the integrity of the information they store in the cloud. Furthermore, every attempt to access their data must be authenticated and verified.

Steps for Winning the Battle of Breaches

There is no such thing as a 100 percent secured system19 as it is only a matter of time before a breach occurs. Therefore, an organization should proactively plan to deal with breaches by:

  • Defining Objectives – Prioritizing objectives and setting realistic risk tolerances. This allows the organization to appropriately allocate resources to those areas that are mission critical.
  • Implementing a Proactive Security Plan – Understanding the threat landscape (e.g., hacking, cybercrime attacks, media and social scams, etc.) and protecting the organization using both policy and technology (end-point security, firewalls, malware and antivirus software, etc.).
  • Preparing a Response to an Attack – Hackers are relentless in finding vulnerabilities. When a breach does occur, the ability to quickly respond can greatly mitigate the damage from the attack.
  • Establishing a Culture of Security Awareness – All employees must work together to ensure the safety of enterprise data as it takes only one mistake to infect an entire network.

Conclusion

The forecast for MCC is bright. According to a study by ABI Research, more than 240 million businesses will use cloud services through mobile devices by year-end 2015, resulting in MCC revenue of approximately $5.2 billion.20

Regardless of which forecast is correct, the message is clear. The economic advantages (low capital investment, on-demand service, ease of scalability, accessibility, etc.) of MCC are too attractive for businesses to ignore, particularly given the exponential growth of mobile device usage and mobile-focused commercial endeavors.

For organizations planning to use the MCC platform, NIST has the following recommendations:21

  • Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
  • Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
  • Ensure that the client-side environment meets organizational security and privacy requirements for cloud computing.
  • Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

In other words, perform a risk assessment, understand the exposures and proactively reduce risks to an organizationally acceptable level, while understanding that the organization is ultimately responsible for safeguarding its data as well as the data of others that is under its care, custody and control.

Contact Us

To learn more about how OneBeacon Technology Insurance™ can help you manage online and other technology risks, please contact Dan Bauman, Vice President of Risk Control for OneBeacon Technology Insurance at dbauman@onebeacontech.com or 262.966.2739.

About Us

OneBeacon Technology Insurance, a brand of OneBeacon Insurance Group, Ltd., delivers all-lines underwriting solutions for the technology, life science and medical technology, and telecommunications industries, as well as content and media companies. The specific capabilities offered include risk control, claims and third-party vendor solutions. Products span property, casualty, cyber, E&O, international, products liability and professional coverages. Our dedicated team of insurance professionals delivers custom solutions as needed to each of our customers. Coverages may be underwritten by one of the following insurance companies: Atlantic Specialty Insurance Company, Homeland Insurance Company of New York, Homeland Insurance Company of Delaware, OBI America Insurance Company and OBI National Insurance Company.

References

1 Regalado, Antonio (October 31, 2011). “Who Coined ‘Cloud Computing?’?” Business Insider. Accessed July 2015.  http://www.technologyreview.com/news/425970/who-coined-cloud-computing/

2 (January 8, 2015). “Tablet Users to Surpass 1 Billion Worldwide in 2015.” eMarketer. Accessed July 2015. http://www.emarketer.com/Article/Tablet-Users-Surpass-1-Billion-Worldwide-2015/1011806

3 (December 11, 2014). “2 Billion Consumers Worldwide to get Smart (phones) by 2016.” eMarketer. Accessed July 2015. http://www.emarketer.com/Article/2-Billion-Consumers-Worldwide-Smartphones-by-2016/1011694

4 Prasad, Rajendra M.; Gyani, Jayadev; Murti, P.R.K. (Vol 2, No 7, 2012). “Mobile Cloud Computing: Implications and Challenges.”  Journal of Information Engineering and Application.  Accessed July 2015 http://www.iiste.org/Journals/index.php/JIEA/article/view/2571

5 Donald, Cecil A.; Oli, Arul S.; Arockiam, L. (Vol 3, Issue 1, July 2013). “Mobile Cloud Security Issues and Challenges: A Perspective.” International Journal of Engineering and Innovative Technology (IJEIT). Accessed July 2015. http://ijeit.com/Vol%203/Issue%201/IJEIT1412201307_73.pdf

6 Hashizume, Keiko; Rosado, David G; Fernandez-Medina, Eduardo; Fernandez, Eduardo B. (February 27, 2013). “An Analysis of Security Issues for Cloud Computing.”  Accessed July 2015. http://www.jisajournal.com/content/4/1/5

7 Jansen, Wayne; Grance, Timothy. (December 2011). “Guidelines on Security and Privacy in Public Cloud Computing – Publication 800-144.” NIST. Accessed July 2015. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf

8 Ibid 4

9 Mell, Peter; Grance, Timothy. (September 2011). “The NIST Definitions of Cloud Computing – Publication 800-145.” NIST. Accessed October 2015. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

10 Ibid 7

11 Ibid 2

12 Ibid 4

13 Ibid 4

14 Bahar, Newaz Ali; Habib, Ahsan Md.; Islam, Manowarul Md.; (July 2013, Vol 3, No 3). “Security Architecture For Mobile Cloud Computing.” International Journal of Scientific Knowledge.  Accessed July 2015. http://www.ijsk.org/uploads/3/1/1/7/3117743/2_mobile_cloud_computing.pdf

15 Ibid 5

16 Ibid 5

17 Ibid 5

18 Ibid 2

19 Ibid 5

20 Bhargava, Bharat. “Introduction to Mobile Cloud Computing.” Purdue University.  Accessed July 2015. https://www.cs.purdue.edu/homes/bb/cloud/MCC.pptx 

21 Ibid 7