ORLANDO, Fla. --- The burgeoning influx of employee-owned smartphones and tablets in the workplace has added to the complexity of securing cloud-based systems, according to a panel of experts who urged IT security teams to consider setting enforceable mobile policies alongside cloud policies.
The process for setting policies addressing both mobile and cloud is easier said than done, said Tom Kellerman, vice president of Trend Micro Inc. Hybrid cloud policies done in conjunction with mobile security policies should be accomplished with all of the company's data owners, administrators and others who know the business and can find a middle ground, Kellerman said.
"Make a conscious decision policy wise about what the devices are being used for," Kellerman said, adding that security technologies are still emerging to better protect smartphones and tablets. "I think there is a need to make the device context aware."
At the 2012 Cloud Security Alliance (CSA) Congress, Kellerman joined William Corrington, a consultant at Stony Point Enterprises LLC, and Jon-Michael Brook, a principal security architect with Symantec's Public Sector Organization, in discussing mobile security threats and their impact on cloud security. The discussion was set against the backdrop of a report to be released Thursday from the CSA that concludes that while organizations are beginning to implement policies to address mobile security issues, many still wrestle with the challenges of securing corporate data on personally owned devices.
The walled garden maintained by Apple's iOS leaves antivirus vendors out of the equation, but also appears to be keeping out security issues. Meanwhile, Google Android devices are a growing security problem because the open architecture attracts malicious applications and an ever-increasing amount of mobile malware.
"There seems to be somewhat of a classic brute-force security approach to address the issues, but if you dumb down devices too much you are going to be impacting the user," Corrington said.
Contextual authentication
Adding to the mobile security conundrum is a multitude of cloud environments that are slowly eroding the concept of a perimeter, Corrington said. In a complex ecosystem with multiple players and service providers, organizations need to begin thinking about the problem from an access control perspective.
"A strong identity ecosystem is really critical," Corrington said. "Authentication and identity management should be bidirectional."
Identity attributes and device attributes can be used together to infer a trust level, and access to resources can then be defined based on that trust level, Corrington said. For example, a device authenticated with two-factor authentication would be given a higher trust level and access to more resources.
Segmenting personal and business data is a tough problem that hasn't been fully solved, said Symantec's Brook. Technologies can wrap some apps with IT policies and wall off corporate data on the device. Basic security policies should be enforced. Encryption should be turned on, location services and remote wipe capabilities employed, he said.
"Follow through with what you actually put into policy and put some teeth into it," Brook said. Enforcing policies gives employees the signal that the company is serious about security.
Security will get better, because technologies are still emerging, said panel moderator Salim Hariri, director of the Autonomic Computing Laboratory (ACL) at The University of Arizona. Hariri said researchers are testing moving target defenses with software behavior encryption, designed to make it more difficult for attackers to root a device. Behavior encryption changes the environment randomly, Hariri said. "With faster processors we might create multiple decoy environments at the same time," he said. "One is active, the rest are honeypots."