mobile endpoint security and the cloud


Balaji Prasad

May 26, 2009, 7:01:51 PM
to cloud-c...@googlegroups.com
With the increasing proliferation of mobile apps and their ever-rising popularity as a viable gateway into the enterprise or the cloud - enforcing security on these devices becomes all the more important. However traditional security solutions (anti-virus, real-time malware detection etc.) are bulky and CPU intensive - and the technology is not suitable for these smaller devices. Given that the cloud represents the ultimate network computer - with the endpoint becoming the thin client, is it possible to offload the security and admission control functionality to the cloud? I am interested to hear your thoughts on this matter.

Balaji
--

Bette Davis  - "Brought up to respect the conventions, love had to end in marriage. I'm afraid it did."

Homa

May 26, 2009, 11:06:26 PM
to Cloud Computing
Yes, the cloud is getting larger and denser and finally will be
covering all the devices to make up a really big network and complex
connections.
I personally think security is one thing on the top of the TODO
list; according to some Berkeley study on cloud computing, they say
"security" is one of the big barriers and concerns for people moving
to the cloud.
First of all, there must be a sophisticated authentication/
authorization controlling system among this cloud. Mobile as the
thin client will be able to connect and work only under its own
restrictions.
The channel between the mobile and the target must be secured, an SSL
channel like usual, or some other telecom-owned technology must make
sure of this.
The phone itself may take some credential from the user to avoid
the case that someone picks up a lost phone and does something bad;
user/pass would be the simplest case, but there also could be voice/
face matching; fingerprint is possible if someday the mobile vendor
realized the security for phones is big.
Audit is another thing to make sure things are normal.

Anyway, if this is something new, we could borrow ideas from the old
scenarios for sure.


Chandra Shekhar Tekwani

May 27, 2009, 2:10:14 AM
to cloud-c...@googlegroups.com
There is also the issue that mobile access is based on IMSI value and not on IP address so security policies placed inside the network using traditional firewalls with IP 5-tuples will not be valid any more.

Rao Dronamraju

May 27, 2009, 10:36:16 PM
to cloud-c...@googlegroups.com

Folks,

Can someone who has tried setting up either Eucalyptus and/or Open Nebula
based Clouds confirm whether the following procedure works?

1) Ubuntu 9.04 (Jaunty Jackalope) says they have Eucalyptus and Open Nebula
included in the release and also Xen 3.X hypervisor but NOT Dom0
2) So you install and boot Ubuntu 9.04 on a server
3) You download Dom0 from wherever (Debian) and install it.
4) Configure Grub to point to Xen 3.X hypervisor that is included in Ubuntu
and Dom0 immediately after that.
5) Reboot and you should boot into the hypervisor and Dom0
6) Next you boot DomU through Dom0.
7) Has Ubuntu 9.04 been PVized to run as DomU guest?...if so you can use
9.04 as your DomU guest.
8) Repeat the procedure for all the nodes in the cloud
9) At this point you can configure your virtual network etc.
10) Here you should be able to configure the Cloud Manager, Cluster Manager
and the Instance Manager. Same with Open Nebula.

From the documentation I also get the impression that all the dependencies
of Xen, Eucalyptus and Open Nebula are all included in Ubuntu 9.04.

Did anyone try the above procedure and did it work?...

Thanks in advance
Rao

John Pugh

May 28, 2009, 11:30:17 AM
to cloud-c...@googlegroups.com
On 05/27/2009 10:36 PM, Rao Dronamraju wrote:
>
> Folks,
>
> Can someone who has tried setting up either Eucalyptus and/or Open Nebula
> based Clouds confirm whether the following procedure works?
>
> 1) Ubuntu 9.04 (Jaunty Jackalope) says they have Eucalyptus and Open Nebula
> included in the release and also Xen 3.X hypervisor but NOT Dom0
> 2) So you install and boot Ubuntu 9.04 on a server
>
Then install opennebula and eucalyptus parts
> 3) You download Dom0 from wherever (Debian) and install it.
>
Why? No need to do that on Ubuntu Enterprise cloud - KVM is preferred
> 4) Configure Grub to point to Xen 3.X hypervisor that is included in Ubuntu
> and Dom0 immediately after that.
>
For??
> 5) Reboot and you should boot into the hypervisor and Dom0
> 6) Next you boot DomU through Dom0.
> 7) Has Ubuntu 9.04 been PVized to run as DomU guest?...if so you can use
> 9.04 as your DomU guest.
>
Yes 9.04 uses the PV extensions
> 8) Repeat the procedure for all the nodes in the cloud
> 9) At this point you can configure your virtual network etc.
> 10) Here you should be able to configure the Cloud Manager, Cluster Manager
> and the Instance Manager. Same with Open Nebula.
>
> From the documentation I also get the impression that all the dependencies
> of Xen, Eucalyptus and Open Nebula are all included in Ubuntu 9.04.
>
There is no need to use XEN on a UEC "cloud". If you want to move the
eucalyptus images to EC2 simply copy them up, as EC2 will ignore the kernel
and use its own to boot the image.
> Did anyone try the above procedure and did it work?...
>
Way too complicated and unnecessary.
Use http://doc.ubuntu.com/ubuntu/serverguide/C/eucalyptus.html for
eucalyptus
and
http://doc.ubuntu.com/ubuntu/serverguide/C/opennebula.html for opennebula
> Thanks in advance
> Rao

John Zantey

May 28, 2009, 11:06:23 PM
to Cloud Computing
Balaji,
this is a brilliant topic. Being in the mobility space myself,
security is always a -HUGE- conversation point, and critical learning
for most of our clients, even the telcos (small AND large)!!!

As Chandra stated, there is the IMSI and the IMEI number and a Device
ID. How this comes about is kind of dependent on the device
manufacturer (not always what you expect, even though it is meant to
be a standard).

There is now mobile capability to have policy configurations. Current
WM devices (6.1 pro) and the MS remote mobile management suite can give
some extra bells and whistles. There are a number of 'products' that do
this sort of stuff, although so can development to a 'standard'.

One thing to bear in mind is that mobile devices are single-user
oriented and are also stack-based devices (ie: threading is not real,
it is more time sharing on threads).

This does give some leniency for device security, but the key to the
security, as always, is protecting the data. From experience this
would be in the case where a device may be lost/stolen and people know
that the 'new found' device can be used in a malicious manner.

This is where IMSI/IMEI, DeviceID and credentials are important. There
is a company we are partnered with which has quite a 'strict' security
mode, where there is a two-factor authentication mechanism. As much as
"Company A" can do its own authentication verification, sometimes to
have an external aspect to re-verify this, on a challenge routine at a
request-by-request basis... thank modern capability for fast mobile
networks!!!

Nothing stopping anyone from using SSL, 3DES, SHA and so forth (we use
them by default), even on that request-by-request process... can take
it even further and generate a 'virtual' token purely for the request-
to-acknowledgment, and within that something like a 'transactionID' for
each aspect; can wrap PGP/MD5 around all this too! This 'virtual'
token would only be known to the 'methods' invoking/accepting calls
to/from each other!

Anyway... My 2¢ worth!

I am by far not a security expert, but sharing my experience from what
my day-to-day mobility work sometimes entails!!!

How it applies to the cloud, I would assume, would be in a similar
fashion, except each node would have a role and responsibility :- by
person & signature, for when the steaming heap hits the fan there is
somewhere to turn to!!! I too am getting up to speed with CC though, and
am darn interested in this particular topic!


Rao Dronamraju

May 29, 2009, 12:13:03 AM
to cloud-c...@googlegroups.com
Jim,

Thanks for the info.

Unfortunately KVM needs a HW assisted virtualization machine for it to work.
I have both some with I-VT and some without. For those systems without I-VT
I have to use Xen. And Xen is also a great virtualization platform.

Regards,
Rao

Jan Klincewicz

May 29, 2009, 6:56:24 AM
to cloud-c...@googlegroups.com
You're talking about Open Source Xen, of course. The Citrix flavor, XenServer, does, in fact, need procs capable of hardware-assist (AMD "Pacifica" or Intel "VT"). Pretty much any server less than six years old will have this ... anything dual-core ...
--
Cheers,
Jan

Chandra Shekhar Tekwani

May 29, 2009, 2:11:29 AM
to cloud-c...@googlegroups.com
Agree on John's thought process below.

The first difference is IMSI/IMEI/DeviceID based.

The second difference between mobile phone access to cloud services vs fixed PC access is based on location. The security policy applicable would depend on location of the device. This is again different from how modern day firewalls from internet world work. Internet is location independent but mobile networks are location dependent!

Rao Dronamraju

May 29, 2009, 11:02:40 AM
to cloud-c...@googlegroups.com

Yes. I am using both old and new machines and open source Xen...

John Pugh

May 29, 2009, 3:52:51 PM
to cloud-c...@googlegroups.com
On 05/27/2009 10:36 PM, Rao Dronamraju wrote:
In theory this works as described. However XEN Dom0 kernels are
unsupported currently. Obviously from my first post KVM is preferred due
to a number of factors.
XEN was largely abandoned (or appeared to be) after Citrix purchased
XENSource, however that seems to be starting to change a bit with new
activity levels rising on XEN.
> Thanks in advance
> Rao

Balaji Prasad

May 29, 2009, 4:01:22 PM
to cloud-c...@googlegroups.com
I understand the need to tie the endpoint credentials to something static like an IMSI or IMEI. However it still does not obviate the problem of vetting the mobile endpoint (or phone) in real time based on the authentication credentials of the user.
This is where the cloud can come in ... by providing dynamic endpoint evaluation (think Security As A Service) based on identity-based policies. Limiting the footprint of this solution and keeping it light on CPU/power consumption will be the challenge on the client side, and as John mentions, the fact that most mobile phones are in some ways single-threaded is also a constraint.
--

Groucho Marx  - "A hospital bed is a parked taxi with the meter running."
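As an added example (not code from any poster in this thread), here is a small cloud-side admission check in the spirit of Chandra's point that mobile access is keyed on IMSI rather than IP, and Balaji's "dynamic endpoint evaluation based on identity-based policies": it evaluates a request against the subscriber/handset identity, the user binding, a second factor and the serving location, next to a plain IP 5-tuple rule. All identifiers, users and location codes are constructed sample values.

```python
# Added example (not from the thread): a cloud-side admission check keyed on
# device identity (IMSI/IMEI), user, second factor and serving location,
# next to a classic IP 5-tuple rule. All identifiers below are constructed.
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    imsi: str       # subscriber identity reported by the operator
    imei: str       # handset identity
    user: str       # user credential presented to the service
    otp_ok: bool    # second-factor challenge passed
    location: str   # serving-network country code (constructed values)

# Traditional firewall: allow-list of exact 5-tuples (constructed sample).
FIVE_TUPLE_ALLOW = {("10.0.0.7", "203.0.113.10", 40000, 443, "tcp")}

def five_tuple_allows(r: Request) -> bool:
    return (r.src_ip, r.dst_ip, r.src_port, r.dst_port, r.proto) in FIVE_TUPLE_ALLOW

# Identity-keyed policy: enrolled (IMSI, IMEI) pairs bound to a user,
# per-user allowed locations, and a revocation list for lost handsets.
ENROLLED = {("001010123456789", "490154203237518"): "alice"}
ALLOWED_LOCATIONS = {"alice": {"DE", "NL"}}
REVOKED_IMEI = {"490154203237519"}

def identity_allows(r: Request) -> Tuple[bool, str]:
    """Return (decision, reason); the reason is what an audit log would record."""
    if r.imei in REVOKED_IMEI:
        return False, "device reported lost"
    owner = ENROLLED.get((r.imsi, r.imei))
    if owner is None:
        return False, "unknown IMSI/IMEI pair"
    if owner != r.user:
        return False, "user not bound to this device"
    if not r.otp_ok:
        return False, "second factor missing"
    if r.location not in ALLOWED_LOCATIONS.get(r.user, set()):
        return False, "location %s not permitted" % r.location
    return True, "ok"
```

When the operator re-assigns the handset's IP address the 5-tuple rule stops matching while the identity-keyed policy still admits the same device, and a handset on the revocation list is refused even when its 5-tuple is allowed.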

Chandra Shekhar Tekwani

May 29, 2009, 4:52:09 PM
to cloud-c...@googlegroups.com
This is an interesting concept in 4G wireless.

In 3G and older, there is a concept of HLR and HSS which has an APN value which provides this dynamic service access authentication for the phone based on IMSI/IMEI.

However, in 4G wireless, this could be an interesting cloud functionality!

This needs some discussion.

Sent via BlackBerry by AT&T


From: Balaji Prasad
Date: Fri, 29 May 2009 13:01:22 -0700
To: <cloud-c...@googlegroups.com>
Subject: [ Cloud Computing ] Re: mobile endpoint security and the cloud

John Zantey

May 31, 2009, 8:35:21 PM
to Cloud Computing
Chandra,

Hit the nail on the head :) It is the APN Value which DOES allow this
to be more available towards Security as a Service. Not quite there
yet, as far as I currently understand, but close.

From what I understand, it comes down to how security is provisioned
and mediated for a device, for a process, for a solution and for a
system! (I am trying to get from the atomic aspect to the
'nebulous' :- mobility being a mesh of events makes it a little
harder).

The way I think of it, would be more of a service provided by the
endpoint provider, be it direct for a solution, or outsourced to other
3rd parties to provide.

The way this is provisioned and mediated to my mind would need to be a
very carefully co-ordinated implementation. The PoC (Proof of concept)
is always good to get going as showcasing, but getting buy-in by those
paranoid security Nazis isn't always the easiest. This is what I was
alluding to in another thread: having a 'standard' to point to, that
at least one or more people can understand, may make the pitch
to implement easier (ie: the go ahead to get it done).

Currently I am seeing this with various companies partnering with
larger/established security providers to smooth the waters somewhat,
and yes, it is a good solution. Far from out of the woods, but the
ball is set in motion, and soon will 'hopefully' become a common
aspect.

CC -DEFINITELY- offers something here, but again, security is one of
those things on mobile computing that goes through SO many hoops to
get a tick for a go-ahead by many companies and organisations.