Welcome!

Related Topics: Microservices Expo, Mobile IoT, Containers Expo Blog, Agile Computing, Cloud Security, SDN Journal

Microservices Expo: Article

Securing Mobile Networks with Trustworthy Systems

Public and private organizations should seek out vendors that prioritize continued innovation

In our increasingly connected world, the number of mobile phones will exceed the world's population by 2014. Users expect to be able to run diverse applications on these devices at work, home, and practically anywhere else. We assume secure access to any information we need, with an expectation of seamless mobility and a high-quality user experience.

Security is a primary concern, but at the same time users don't want security to get in the way of their experience. Users want to simply be able to find an application in an app store, and then download and use it without having to be concerned about whether it's a trusted application.

Today, the customer chooses a product based on a vendor's ability to fulfill the customer's need, the price point, and vendor attributes such as viability. The "trust" market transition introduces three other essential criteria: the vendor's trustworthiness and transparency, the product's trustworthiness and integrity, and the vendor's commitment to and understanding of security issues. Taken together, these criteria can help a company determine the most trustworthy system for its mobile network.

The Network Is Square One
Fortunately, it is possible to address the hidden risks of choosing a vendor and to reduce the known risks of operating a mobile infrastructure. This ideal - a "trustworthy system" - can be achieved through vendor inspection, delineation between assumed and verifiable trust and, ultimately, a network security infrastructure more advanced than the one in which we operate today.

Mobile device security begins with the network. Networks should be based on verifiably trustworthy network architectures built on secure software and hardware that are backed by prudent supply chain security practices. These elements enable an intelligent network to engage the service provider's access policies and challenge the trustworthiness of mobile devices attempting to access network resources. In turn, mobile device manufacturers and vendors should focus on building verifiable trustworthiness and transparency with regard to their processes and technologies to allow for the creation of secure mobile networks.

Trusted Environments Within Devices
Fortunately, there are many useful ways to ensure that mobile devices are trustworthy. One particularly effective approach is to build a trusted environment within the devices. This is accomplished by partitioning mobile phones and tablets in a logical and secure way, such that they become, in effect, multitenant devices. This enables:

  • The service provider to provide radio service without fear that the user will tinker with security elements within the device, potentially compromising the network's security.
  • The manufacturer to provide secure booting of the device with an initial signed image that can be upgraded over time.
  • The user to run third-party applications without fear of affecting the other device elements.

Industry collaboration and standardization initiatives will make this vision a reality. For instance, the GlobalPlatform organization is developing secure Trusted Execution Environment specifications for mobile devices. A verifiable root of trust is built sequentially from the time a user boots up the hardware (phone), through the loading of the operating system, to the activation of individual applications within this trusted environment.

GlobalPlatform has been working to get mobile device manufacturers moving in the same direction in terms of standardizing a single trusted architecture for mobile devices. The Trusted Computing Group, another standards organization, has been collaborating with GlobalPlatform and working to bring mobile device manufacturers into alignment along common standards of trustworthiness.

Standards for Success
The network's primary role in the context of mobile security and trustworthiness is in the access-control realm. In support of this role, organizations should ensure that their network infrastructures enforce security-policy compliance on all devices that attempt to gain access to the network. Network administrators should use best practices to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users before they can gain access to the network and its resources.

By using protocols such as device posturing, organizations can classify devices that attempt to gain network access and understand who the user is and what policies should be enforced based on the information that is captured from the device and by the authentication of the user. In order to secure the corporate network, the network needs to understand the level of trustworthiness in mobile devices. The convergence of mobile platforms to a common trusted architecture will make the problem easier for network administrators. Once the network discovers and classifies devices, then it can immediately determine whether the device is compliant to a certain common standard.

Government organizations are helping drive common standards by asking vendors to support standards and move away from proprietary solutions. They are also identifying specific standards and certifications upon which they would like to see mobile devices manufactured. Given this push, there will eventually be a convergence to one standardized, secure and trustworthy ecosystem and architecture. At that point, government agencies and other institutions will be able to verify the trustworthiness of a particular device based on its certificates and then allow or deny access based on its assessment of the device's trustworthiness.

Virtualization's Role
Currently, efforts are being made to extend the concept of virtualization in servers to virtualization in mobile devices through hypervisors, providing a more flexible environment to implement a multiple stakeholder model. Cloud and other forms of virtualization provide extended storage, improve resiliency, increase efficiency, and reduce costs; but they also introduce additional security risks. Managing and mitigating these risks demands a new level of planning, user education, and security procedures to create a trustworthy system for securing mobile networks.

Looking Ahead
The importance of selecting a vendor that can ensure trust throughout the entire mobile system cannot be overstated. Taken together, trustworthy systems combine verifiably trustworthy hardware, software, firmware and, as appropriate, the resulting services built upon them, demonstrating in a provable manner the trust and risk management required for today's standards of security and reliability.

Trust is not guaranteed. It must be proven on a continuous basis. Public and private organizations should seek out vendors that prioritize continued innovation to ensure resiliency in customer networks through visibility and transparency while partnering with customers to prepare for any and all threats.

More Stories By Rafael Mantilla Montalvo

Dr. Rafael Mantilla Montalvo is a Principal Engineer at Cisco Systems. He holds a B. Sc. in Electrical Engineering from the Instituto Politécnico Nacional and an MS and PhD in Electrical Engineering from Stanford University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
SYS-CON Events announced today that SD Times | BZ Media has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. BZ Media LLC is a high-tech media company that produces technical conferences and expositions, and publishes a magazine, newsletters and websites in the software development, SharePoint, mobile development and commercial UAV markets.
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
Historically, some banking activities such as trading have been relying heavily on analytics and cutting edge algorithmic tools. The coming of age of powerful data analytics solutions combined with the development of intelligent algorithms have created new opportunities for financial institutions. In his session at 20th Cloud Expo, Sebastien Meunier, Head of Digital for North America at Chappuis Halder & Co., will discuss how these tools can be leveraged to develop a lasting competitive advanta...
Building custom add-ons does not need to be limited to the ideas you see on a marketplace. In his session at 20th Cloud Expo, Sukhbir Dhillon, CEO and founder of Addteq, will go over some adventures they faced in developing integrations using Atlassian SDK and other technologies/platforms and how it has enabled development teams to experiment with newer paradigms like Serverless and newer features of Atlassian SDKs. In this presentation, you will be taken on a journey of Add-On and Integration ...
Now that the world has connected “things,” we need to build these devices as truly intelligent in order to create instantaneous and precise results. This means you have to do as much of the processing at the point of entry as you can: at the edge. The killer use cases for IoT are becoming manifest through AI engines on edge devices. An autonomous car has this dual edge/cloud analytics model, producing precise, real-time results. In his session at @ThingsExpo, John Crupi, Vice President and Eng...
There are 66 million network cameras capturing terabytes of data. How did factories in Japan improve physical security at the facilities and improve employee productivity? Edge Computing reduces possible kilobytes of data collected per second to only a few kilobytes of data transmitted to the public cloud every day. Data is aggregated and analyzed close to sensors so only intelligent results need to be transmitted to the cloud. Non-essential data is recycled to optimize storage.
"I think that everyone recognizes that for IoT to really realize its full potential and value that it is about creating ecosystems and marketplaces and that no single vendor is able to support what is required," explained Esmeralda Swartz, VP, Marketing Enterprise and Cloud at Ericsson, in this SYS-CON.tv interview at @ThingsExpo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem" ...
As businesses adopt functionalities in cloud computing, it’s imperative that IT operations consistently ensure cloud systems work correctly – all of the time, and to their best capabilities. In his session at @BigDataExpo, Bernd Harzog, CEO and founder of OpsDataStore, will present an industry answer to the common question, “Are you running IT operations as efficiently and as cost effectively as you need to?” He will expound on the industry issues he frequently came up against as an analyst, and...
Why do your mobile transformations need to happen today? Mobile is the strategy that enterprise transformation centers on to drive customer engagement. In his general session at @ThingsExpo, Roger Woods, Director, Mobile Product & Strategy – Adobe Marketing Cloud, covered key IoT and mobile trends that are forcing mobile transformation, key components of a solid mobile strategy and explored how brands are effectively driving mobile change throughout the enterprise.
After more than five years of DevOps, definitions are evolving, boundaries are expanding, ‘unicorns’ are no longer rare, enterprises are on board, and pundits are moving on. Can we now look at an evolution of DevOps? Should we? Is the foundation of DevOps ‘done’, or is there still too much left to do? What is mature, and what is still missing? What does the next 5 years of DevOps look like? In this Power Panel at DevOps Summit, moderated by DevOps Summit Conference Chair Andi Mann, panelists l...
In their Live Hack” presentation at 17th Cloud Expo, Stephen Coty and Paul Fletcher, Chief Security Evangelists at Alert Logic, provided the audience with a chance to see a live demonstration of the common tools cyber attackers use to attack cloud and traditional IT systems. This “Live Hack” used open source attack tools that are free and available for download by anybody. Attendees learned where to find and how to operate these tools for the purpose of testing their own IT infrastructure. The...
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor - all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
My team embarked on building a data lake for our sales and marketing data to better understand customer journeys. This required building a hybrid data pipeline to connect our cloud CRM with the new Hadoop Data Lake. One challenge is that IT was not in a position to provide support until we proved value and marketing did not have the experience, so we embarked on the journey ourselves within the product marketing team for our line of business within Progress. In his session at @BigDataExpo, Sum...