“Cloud Computing” has been the hottest buzzword in Information Technology (IT) since Google’s CEO George Schmidt introduced it in August 2006.1 By offering greater flexibility and availability of computing resources at a lower cost, cloud computing is a highly attractive alternative to traditional computing environments. More recently, cloud computing has grown to include “Mobile Cloud Computing (MCC).” Mobile devices (e.g., smartphones, tablets, laptops, PDAs) enable rich and convenient user experiences, fueling the rapid growth in MCC. According to eMarketer reports, there will be over 3 billion smartphones and tablets in use by the end of 2015.2,3 In turn, MCC is prompting the growth in all mobile-enabled segments such as commerce, learning, healthcare, banking and other areas.4
As the number of internet-enabled mobile devices grows, unfortunately so do malicious web-based threats. While there are several concerns with MCC, security is the major issue,5 echoed by information executives who state that security is – and remains – their number one concern with cloud computing.6From a risk management perspective, the accidental release or unauthorized access/conversion of sensitive data can result in significant costs from regulatory compliance such as notification, reputational injury and potential litigation.
So how can businesses manage the opportunities and exposures associated with cloud computing and MCC? This whitepaper provides an overview of these maturing technologies, security issues and the IT industry countermeasures to address them. As the technology behind cloud computing is the foundation for MCC, this paper provides a discussion of cloud computing before addressing MCC.
The National Institute of Standards and Technology (NIST) defines cloud computing as “a model of enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. Cloud computing allows the utilization of a computing infrastructure at one or more levels of abstraction, as an on-demand service made available over the internet or other computer network.”7
Think of cloud computing as a utility company (e.g., gas, electric or phone) where an organization purchases varying quantities of services as needed and pays for the service at the end of the month (metered services). These services include computing, storage and networking. Computations take place on the cloud service provider’s servers (“the cloud”) located at a remote facility (a “colocation”) with the internet being the conduit that transports data between the organization’s hardware and “the cloud.” The cloud provider maintains the building, infrastructure, hardware, software, etc., while the organization simply pays for the services they consume.
Five characteristics that differentiate cloud services from conventional computing approaches include:8
There are four common models cloud service providers use to deploy and organize their services:9
The degree of control an organization has over the cloud’s computational environment varies depending on the type of cloud deployment – from almost zero control in public clouds to full control in private clouds.
Just as the different deployment models affect an organization’s scope and control over the cloud’s computing environment, so too does the service model supported by cloud service providers. Three common and frequently-used service models are:10,11
With SaaS, the service level, security, governance, compliance and liability expectations of the service are contractually stipulated, managed and enforced by the provider. With PaaS typically the provider is responsible for the security of the underlying operating system, while the user is responsible for the security of the application and other areas. With IaaS, the provider is responsible for the underlying infrastructure components to ensure basic service availability and security, while the subscriber is responsible for the rest. Additionally, SaaS and PaaS may be hosted on top of IaaS (a.k.a. “nesting”). These relationships and dependencies among the cloud service delivery models can be a security risk as a breach at any of the services may negatively impact the others. Organizations need to carefully review their service level and contractual agreements with their provider(s) and fully understand the level and type of services that are being provided.
The Mobile Cloud Computing Forum defines MCC as: “Mobile cloud computing at its simplest refers to an infrastructure where both the data storage and the data processing happen outside of the mobile device. Mobile cloud applications move the computing power and data storage away from mobile phones and into the cloud, bringing applications and mobile computing to not just smart phones users but a much broader range of mobile subscribers.”12
MCC is a combination of mobile networking and cloud computing which enables cloud computing attributes such as on-demand access, computing, networking and storage capabilities, but without the need for memory intensive software applications on the mobile device; however, smaller applications that provide access to the cloud would be present.13 Applications and data stored on cloud service providers’ servers are accessed by mobile devices via wireless or cellular internet connections. Applications are run on the cloud service provider’s remote servers and results are transmitted to the user.14
Securing MCC users’ privacy and maintaining the integrity of data or applications is a key issue with both MCC and cloud computing. As MCC is a combination of mobile networks and cloud computing, security-related issues are divided into two categories: mobile network users’ security and cloud security.
Responsibility for securing all three layers lies with both the cloud service provider and the organization, with the degree of responsibility varying and depending on the service model (SaaS, PaaS, or IaaS).
Accessing applications over the internet makes access from any network device easier; however, it introduces security risks. Authentication is used to verify that the user is who they say they are.18 For high levels of assurance, authentication must be combined with encryption and secure data transmission protocols to ensure security. Various authentication mechanisms have been proposed to secure the data access suitable for mobile environments. Examples include the use of access or login IDs, passwords, PINS and multifactor authentication. Applying identity management through the cloud makes managing identities, regardless of device or location, more convenient.
Every mobile cloud user must ensure the integrity of the information they store in the cloud. Furthermore, every attempt to access their data must be authenticated and verified.
There is no such thing as a 100 percent secured system19 as it is only a matter of time before a breach occurs. Therefore, an organization should proactively plan to deal with breaches by:
The forecast for MCC is bright. According to a study by ABI Research, more than 240 million businesses will use cloud services through mobile devices by year-end 2015 resulting in MCC revenue of approximately $5.2 Billion.20
Regardless of which forecast is correct, the message is clear. The economic advantages (low capital investment, on-demand service, ease of scalability, accessibility, etc.) of MCC are too attractive for businesses to ignore, particularly given the exponential growth of mobile device usage and mobile-focused commercial endeavors.
For organization planning to use the MCC platform, NIST has the following recommendations:21
In other words, perform a risk assessment, understand the exposures and proactively reduce risks to an organizationally acceptable level, while understanding that the organization is ultimately responsible for safeguarding its data as well as the data of others that is under its care, custody and control.
To learn more about how OneBeacon Technology Insurance™ can help you manage online and other technology risks, please contact Dan Bauman, Vice President of Risk Control for OneBeacon Technology Insurance at firstname.lastname@example.org or 262.966.2739.
OneBeacon Technology Insurance, a brand of OneBeacon Insurance Group, Ltd., delivers all-lines underwriting solutions for the technology, life science and medical technology, and telecommunications industries, as well as content and media companies. The specific capabilities offered include risk control, claims and third-party vendor solutions. Products span property, casualty, cyber, E&O, international, products liability and professional coverages. Our dedicated team of insurance professionals delivers custom solutions as needed to each of our customers. Coverages may be underwritten by one of the following insurance companies: Atlantic Specialty Insurance Company, Homeland Insurance Company of New York, Homeland Insurance Company of Delaware, OBI America Insurance Company and OBI National Insurance Company.
1 Regalado, Antonio (October 31, 2011). “Who Coined ‘Cloud Computing?’?” Business Insider. Accessed July 2015. http://www.technologyreview.com/news/425970/who-coined-cloud-computing/
2 (January 8, 2015). “Tablet Users to Surpass 1 Billion Worldwide in 2015.” eMarketer. Accessed July 2015. http://www.emarketer.com/Article/Tablet-Users-Surpass-1-Billion-Worldwide-2015/1011806
3 (December 11, 2014). “2 Billion Consumers Worldwide to get Smart (phones) by 2016.” eMarketer. Accessed July 2015. http://www.emarketer.com/Article/2-Billion-Consumers-Worldwide-Smartphones-by-2016/1011694
4 Prasad, Rajendra M.; Gyani, Jayadev; Murti, P.R.K. (Vol 2, No 7, 2012). “Mobile Cloud Computing: Implications and Challenges.” Journal of Information Engineering and Application. Accessed July 2015 http://www.iiste.org/Journals/index.php/JIEA/article/view/2571
5 Donald, Cecil A.; Oli, Arul S.; Arockiam, L. (Vol 3, Issue 1, July 2013). “Mobile Cloud Security Issues and Challenges: A Perspective.” International Journal of Engineering and Innovative Technology (IJEIT). Accessed July 2015. http://ijeit.com/Vol%203/Issue%201/IJEIT1412201307_73.pdf
6 Hashizume, Keiko; Rosado, David G; Fernandez-Medina, Eduardo; Fernandez, Eduardo B. (February 27, 2013). “An Analysis of Security Issues for Cloud Computing.” Accessed July 2015. http://www.jisajournal.com/content/4/1/5
7 Jansen, Wayne; Grance Timothy. (December 2011). “Guidelines on Security and Privacy in Public Cloud Computing – Publication 800-144.” NIST. Accessed July 2015. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
8 Ibid 4
9 Mell, Peter; Grance Timothy. (September 2011). “The NIST Definitions of Cloud Computing – Publication 800-145.” NIST. Accessed October 2015. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
10 Ibid 7
11 Ibid 2
12 Ibid 4
13 Ibid 4
14 Bahar, Newaz Ali; Habib, Ahsan Md.; Islam, Manowarul Md.; (July 2013, Vol 3, No 3). “Security Architecture For Mobile Cloud Computing.” International Journal of Scientific Knowledge. Accessed July 2015. http://www.ijsk.org/uploads/3/1/1/7/3117743/2_mobile_cloud_computing.pdf
15 Ibid 5
16 Ibid 5
17 Ibid 5
18 Ibid 2
19 Ibid 5
20 Bhargava, Bharat. “Introduction to Mobile Cloud Computing.” Purdue University. Accessed July 2015. https://www.cs.purdue.edu/homes/bb/cloud/MCC.pptx
21 Ibid 7