Click here to close now.




















Welcome!

Related Topics: Microservices Expo, Mobile IoT, Containers Expo Blog, Agile Computing, Cloud Security, SDN Journal

Microservices Expo: Article

Securing Mobile Networks with Trustworthy Systems

Public and private organizations should seek out vendors that prioritize continued innovation

In our increasingly connected world, the number of mobile phones will exceed the world's population by 2014. Users expect to be able to run diverse applications on these devices at work, home, and practically anywhere else. We assume secure access to any information we need, with an expectation of seamless mobility and a high-quality user experience.

Security is a primary concern, but at the same time users don't want security to get in the way of their experience. Users want to simply be able to find an application in an app store, and then download and use it without having to be concerned about whether it's a trusted application.

Today, the customer chooses a product based on a vendor's ability to fulfill the customer's need, the price point, and vendor attributes such as viability. The "trust" market transition introduces three other essential criteria: the vendor's trustworthiness and transparency, the product's trustworthiness and integrity, and the vendor's commitment to and understanding of security issues. Taken together, these criteria can help a company determine the most trustworthy system for its mobile network.

The Network Is Square One
Fortunately, it is possible to address the hidden risks of choosing a vendor and to reduce the known risks of operating a mobile infrastructure. This ideal - a "trustworthy system" - can be achieved through vendor inspection, delineation between assumed and verifiable trust and, ultimately, a network security infrastructure more advanced than the one in which we operate today.

Mobile device security begins with the network. Networks should be based on verifiably trustworthy network architectures built on secure software and hardware that are backed by prudent supply chain security practices. These elements enable an intelligent network to engage the service provider's access policies and challenge the trustworthiness of mobile devices attempting to access network resources. In turn, mobile device manufacturers and vendors should focus on building verifiable trustworthiness and transparency with regard to their processes and technologies to allow for the creation of secure mobile networks.

Trusted Environments Within Devices
Fortunately, there are many useful ways to ensure that mobile devices are trustworthy. One particularly effective approach is to build a trusted environment within the devices. This is accomplished by partitioning mobile phones and tablets in a logical and secure way, such that they become, in effect, multitenant devices. This enables:

  • The service provider to provide radio service without fear that the user will tinker with security elements within the device, potentially compromising the network's security.
  • The manufacturer to provide secure booting of the device with an initial signed image that can be upgraded over time.
  • The user to run third-party applications without fear of affecting the other device elements.

Industry collaboration and standardization initiatives will make this vision a reality. For instance, the GlobalPlatform organization is developing secure Trusted Execution Environment specifications for mobile devices. A verifiable root of trust is built sequentially from the time a user boots up the hardware (phone), through the loading of the operating system, to the activation of individual applications within this trusted environment.

GlobalPlatform has been working to get mobile device manufacturers moving in the same direction in terms of standardizing a single trusted architecture for mobile devices. The Trusted Computing Group, another standards organization, has been collaborating with GlobalPlatform and working to bring mobile device manufacturers into alignment along common standards of trustworthiness.

Standards for Success
The network's primary role in the context of mobile security and trustworthiness is in the access-control realm. In support of this role, organizations should ensure that their network infrastructures enforce security-policy compliance on all devices that attempt to gain access to the network. Network administrators should use best practices to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users before they can gain access to the network and its resources.

By using protocols such as device posturing, organizations can classify devices that attempt to gain network access and understand who the user is and what policies should be enforced based on the information that is captured from the device and by the authentication of the user. In order to secure the corporate network, the network needs to understand the level of trustworthiness in mobile devices. The convergence of mobile platforms to a common trusted architecture will make the problem easier for network administrators. Once the network discovers and classifies devices, then it can immediately determine whether the device is compliant to a certain common standard.

Government organizations are helping drive common standards by asking vendors to support standards and move away from proprietary solutions. They are also identifying specific standards and certifications upon which they would like to see mobile devices manufactured. Given this push, there will eventually be a convergence to one standardized, secure and trustworthy ecosystem and architecture. At that point, government agencies and other institutions will be able to verify the trustworthiness of a particular device based on its certificates and then allow or deny access based on its assessment of the device's trustworthiness.

Virtualization's Role
Currently, efforts are being made to extend the concept of virtualization in servers to virtualization in mobile devices through hypervisors, providing a more flexible environment to implement a multiple stakeholder model. Cloud and other forms of virtualization provide extended storage, improve resiliency, increase efficiency, and reduce costs; but they also introduce additional security risks. Managing and mitigating these risks demands a new level of planning, user education, and security procedures to create a trustworthy system for securing mobile networks.

Looking Ahead
The importance of selecting a vendor that can ensure trust throughout the entire mobile system cannot be overstated. Taken together, trustworthy systems combine verifiably trustworthy hardware, software, firmware and, as appropriate, the resulting services built upon them, demonstrating in a provable manner the trust and risk management required for today's standards of security and reliability.

Trust is not guaranteed. It must be proven on a continuous basis. Public and private organizations should seek out vendors that prioritize continued innovation to ensure resiliency in customer networks through visibility and transparency while partnering with customers to prepare for any and all threats.

More Stories By Rafael Mantilla Montalvo

Dr. Rafael Mantilla Montalvo is a Principal Engineer at Cisco Systems. He holds a B. Sc. in Electrical Engineering from the Instituto Politécnico Nacional and an MS and PhD in Electrical Engineering from Stanford University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and a...
It’s been proven time and time again that in tech, diversity drives greater innovation, better team productivity and greater profits and market share. So what can we do in our DevOps teams to embrace diversity and help transform the culture of development and operations into a true “DevOps” team? In her session at DevOps Summit, Stefana Muller, Director, Product Management – Continuous Delivery at CA Technologies, answered that question citing examples, showing how to create opportunities for ...
As more and more data is generated from a variety of connected devices, the need to get insights from this data and predict future behavior and trends is increasingly essential for businesses. Real-time stream processing is needed in a variety of different industries such as Manufacturing, Oil and Gas, Automobile, Finance, Online Retail, Smart Grids, and Healthcare. Azure Stream Analytics is a fully managed distributed stream computation service that provides low latency, scalable processing of ...
Everyone talks about continuous integration and continuous delivery but those are just two ends of the pipeline. In the middle of DevOps is continuous testing (CT), and many organizations are struggling to implement continuous testing effectively. After all, without continuous testing there is no delivery. And Lab-As-A-Service (LaaS) enhances the CT with dynamic on-demand self-serve test topologies. CT together with LAAS make a powerful combination that perfectly serves complex software developm...
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Any Ops team trying to support a company in today’s cloud-connected world knows that a new way of thinking is required – one just as dramatic than the shift from Ops to DevOps. The diversity of modern operations requires teams to focus their impact on breadth vs. depth. In his session at DevOps Summit, Adam Serediuk, Director of Operations at xMatters, Inc., will discuss the strategic requirements of evolving from Ops to DevOps, and why modern Operations has begun leveraging the “NoOps” approa...
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
In today's digital world, change is the one constant. Disruptive innovations like cloud, mobility, social media, and the Internet of Things have reshaped the market and set new standards in customer expectations. To remain competitive, businesses must tap the potential of emerging technologies and markets through the rapid release of new products and services. However, the rigid and siloed structures of traditional IT platforms and processes are slowing them down – resulting in lengthy delivery ...
In their Live Hack” presentation at 17th Cloud Expo, Stephen Coty and Paul Fletcher, Chief Security Evangelists at Alert Logic, will provide the audience with a chance to see a live demonstration of the common tools cyber attackers use to attack cloud and traditional IT systems. This “Live Hack” uses open source attack tools that are free and available for download by anybody. Attendees will learn where to find and how to operate these tools for the purpose of testing their own IT infrastructu...
SYS-CON Events announced today that IceWarp will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IceWarp, the leader of cloud and on-premise messaging, delivers secured email, chat, documents, conferencing and collaboration to today's mobile workforce, all in one unified interface
Whether you like it or not, DevOps is on track for a remarkable alliance with security. The SEC didn’t approve the merger. And your boss hasn’t heard anything about it. Yet, this unruly triumvirate will soon dominate and deliver DevSecOps faster, cheaper, better, and on an unprecedented scale. In his session at DevOps Summit, Frank Bunger, VP of Customer Success at ScriptRock, will discuss how this cathartic moment will propel the DevOps movement from such stuff as dreams are made on to a prac...
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Trel...
SYS-CON Events announced today that G2G3 will exhibit at SYS-CON's @DevOpsSummit Silicon Valley, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Based on a collective appreciation for user experience, design, and technology, G2G3 is uniquely qualified and motivated to redefine how organizations and people engage in an increasingly digital world.