Microservices Expo Authors: Gordon Haff, Elizabeth White, John Katrick, Mehdi Daoudi, Pat Romanski

Related Topics: Microservices Expo, Mobile IoT, Containers Expo Blog, Agile Computing, Cloud Security, SDN Journal

Microservices Expo: Article

Securing Mobile Networks with Trustworthy Systems

Public and private organizations should seek out vendors that prioritize continued innovation

In our increasingly connected world, the number of mobile phones will exceed the world's population by 2014. Users expect to be able to run diverse applications on these devices at work, home, and practically anywhere else. We assume secure access to any information we need, with an expectation of seamless mobility and a high-quality user experience.

Security is a primary concern, but at the same time users don't want security to get in the way of their experience. Users want to simply be able to find an application in an app store, and then download and use it without having to be concerned about whether it's a trusted application.

Today, the customer chooses a product based on a vendor's ability to fulfill the customer's need, the price point, and vendor attributes such as viability. The "trust" market transition introduces three other essential criteria: the vendor's trustworthiness and transparency, the product's trustworthiness and integrity, and the vendor's commitment to and understanding of security issues. Taken together, these criteria can help a company determine the most trustworthy system for its mobile network.

The Network Is Square One
Fortunately, it is possible to address the hidden risks of choosing a vendor and to reduce the known risks of operating a mobile infrastructure. This ideal - a "trustworthy system" - can be achieved through vendor inspection, delineation between assumed and verifiable trust and, ultimately, a network security infrastructure more advanced than the one in which we operate today.

Mobile device security begins with the network. Networks should be based on verifiably trustworthy network architectures built on secure software and hardware that are backed by prudent supply chain security practices. These elements enable an intelligent network to engage the service provider's access policies and challenge the trustworthiness of mobile devices attempting to access network resources. In turn, mobile device manufacturers and vendors should focus on building verifiable trustworthiness and transparency with regard to their processes and technologies to allow for the creation of secure mobile networks.

Trusted Environments Within Devices
Fortunately, there are many useful ways to ensure that mobile devices are trustworthy. One particularly effective approach is to build a trusted environment within the devices. This is accomplished by partitioning mobile phones and tablets in a logical and secure way, such that they become, in effect, multitenant devices. This enables:

  • The service provider to provide radio service without fear that the user will tinker with security elements within the device, potentially compromising the network's security.
  • The manufacturer to provide secure booting of the device with an initial signed image that can be upgraded over time.
  • The user to run third-party applications without fear of affecting the other device elements.

Industry collaboration and standardization initiatives will make this vision a reality. For instance, the GlobalPlatform organization is developing secure Trusted Execution Environment specifications for mobile devices. A verifiable root of trust is built sequentially from the time a user boots up the hardware (phone), through the loading of the operating system, to the activation of individual applications within this trusted environment.

GlobalPlatform has been working to get mobile device manufacturers moving in the same direction in terms of standardizing a single trusted architecture for mobile devices. The Trusted Computing Group, another standards organization, has been collaborating with GlobalPlatform and working to bring mobile device manufacturers into alignment along common standards of trustworthiness.

Standards for Success
The network's primary role in the context of mobile security and trustworthiness is in the access-control realm. In support of this role, organizations should ensure that their network infrastructures enforce security-policy compliance on all devices that attempt to gain access to the network. Network administrators should use best practices to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users before they can gain access to the network and its resources.

By using protocols such as device posturing, organizations can classify devices that attempt to gain network access and understand who the user is and what policies should be enforced based on the information that is captured from the device and by the authentication of the user. In order to secure the corporate network, the network needs to understand the level of trustworthiness in mobile devices. The convergence of mobile platforms to a common trusted architecture will make the problem easier for network administrators. Once the network discovers and classifies devices, then it can immediately determine whether the device is compliant to a certain common standard.

Government organizations are helping drive common standards by asking vendors to support standards and move away from proprietary solutions. They are also identifying specific standards and certifications upon which they would like to see mobile devices manufactured. Given this push, there will eventually be a convergence to one standardized, secure and trustworthy ecosystem and architecture. At that point, government agencies and other institutions will be able to verify the trustworthiness of a particular device based on its certificates and then allow or deny access based on its assessment of the device's trustworthiness.

Virtualization's Role
Currently, efforts are being made to extend the concept of virtualization in servers to virtualization in mobile devices through hypervisors, providing a more flexible environment to implement a multiple stakeholder model. Cloud and other forms of virtualization provide extended storage, improve resiliency, increase efficiency, and reduce costs; but they also introduce additional security risks. Managing and mitigating these risks demands a new level of planning, user education, and security procedures to create a trustworthy system for securing mobile networks.

Looking Ahead
The importance of selecting a vendor that can ensure trust throughout the entire mobile system cannot be overstated. Taken together, trustworthy systems combine verifiably trustworthy hardware, software, firmware and, as appropriate, the resulting services built upon them, demonstrating in a provable manner the trust and risk management required for today's standards of security and reliability.

Trust is not guaranteed. It must be proven on a continuous basis. Public and private organizations should seek out vendors that prioritize continued innovation to ensure resiliency in customer networks through visibility and transparency while partnering with customers to prepare for any and all threats.

More Stories By Rafael Mantilla Montalvo

Dr. Rafael Mantilla Montalvo is a Principal Engineer at Cisco Systems. He holds a B. Sc. in Electrical Engineering from the Instituto Politécnico Nacional and an MS and PhD in Electrical Engineering from Stanford University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@MicroservicesExpo Stories
We call it DevOps but much of the time there’s a lot more discussion about the needs and concerns of developers than there is about other groups. There’s a focus on improved and less isolated developer workflows. There are many discussions around collaboration, continuous integration and delivery, issue tracking, source code control, code review, IDEs, and xPaaS – and all the tools that enable those things. Changes in developer practices may come up – such as developers taking ownership of code ...
The dynamic nature of the cloud means that change is a constant when it comes to modern cloud-based infrastructure. Delivering modern applications to end users, therefore, is a constantly shifting challenge. Delivery automation helps IT Ops teams ensure that apps are providing an optimal end user experience over hybrid-cloud and multi-cloud environments, no matter what the current state of the infrastructure is. To employ a delivery automation strategy that reflects your business rules, making r...
"We started a Master of Science in business analytics - that's the hot topic. We serve the business community around San Francisco so we educate the working professionals and this is where they all want to be," explained Judy Lee, Associate Professor and Department Chair at Golden Gate University, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Cloud Governance means many things to many people. Heck, just the word cloud means different things depending on who you are talking to. While definitions can vary, controlling access to cloud resources is invariably a central piece of any governance program. Enterprise cloud computing has transformed IT. Cloud computing decreases time-to-market, improves agility by allowing businesses to adapt quickly to changing market demands, and, ultimately, drives down costs.
For over a decade, Application Programming Interface or APIs have been used to exchange data between multiple platforms. From social media to news and media sites, most websites depend on APIs to provide a dynamic and real-time digital experience. APIs have made its way into almost every device and service available today and it continues to spur innovations in every field of technology. There are multiple programming languages used to build and run applications in the online world. And just li...
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
The general concepts of DevOps have played a central role advancing the modern software delivery industry. With the library of DevOps best practices, tips and guides expanding quickly, it can be difficult to track down the best and most accurate resources and information. In order to help the software development community, and to further our own learning, we reached out to leading industry analysts and asked them about an increasingly popular tenet of a DevOps transformation: collaboration.
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
How is DevOps going within your organization? If you need some help measuring just how well it is going, we have prepared a list of some key DevOps metrics to track. These metrics can help you understand how your team is doing over time. The word DevOps means different things to different people. Some say it a culture and every vendor in the industry claims that their tools help with DevOps. Depending on how you define DevOps, some of these metrics may matter more or less to you and your team.
"CA has been doing a lot of things in the area of DevOps. Now we have a complete set of tool sets in order to enable customers to go all the way from planning to development to testing down to release into the operations," explained Aruna Ravichandran, Vice President of Global Marketing and Strategy at CA Technologies, in this SYS-CON.tv interview at DevOps Summit at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"We are an integrator of carrier ethernet and bandwidth to get people to connect to the cloud, to the SaaS providers, and the IaaS providers all on ethernet," explained Paul Mako, CEO & CTO of Massive Networks, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Grape Up leverages Cloud Native technologies and helps companies build software using microservices, and work the DevOps agile way. We've been doing digital innovation for the last 12 years," explained Daniel Heckman, of Grape Up in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis tool. It is an extremely lightweight tool that can integrate with pretty much any build process right now," explained Andrew Siegmund, Application Migration Specialist for CAST, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Let's do a visualization exercise. Imagine it's December 31, 2018, and you're ringing in the New Year with your friends and family. You think back on everything that you accomplished in the last year: your company's revenue is through the roof thanks to the success of your product, and you were promoted to Lead Developer. 2019 is poised to be an even bigger year for your company because you have the tools and insight to scale as quickly as demand requires. You're a happy human, and it's not just...
The enterprise data storage marketplace is poised to become a battlefield. No longer the quiet backwater of cloud computing services, the focus of this global transition is now going from compute to storage. An overview of recent storage market history is needed to understand why this transition is important. Before 2007 and the birth of the cloud computing market we are witnessing today, the on-premise model hosted in large local data centers dominated enterprise storage. Key marketplace play...
Cavirin Systems has just announced C2, a SaaS offering designed to bring continuous security assessment and remediation to hybrid environments, containers, and data centers. Cavirin C2 is deployed within Amazon Web Services (AWS) and features a flexible licensing model for easy scalability and clear pay-as-you-go pricing. Although native to AWS, it also supports assessment and remediation of virtual or container instances within Microsoft Azure, Google Cloud Platform (GCP), or on-premise. By dr...
With continuous delivery (CD) almost always in the spotlight, continuous integration (CI) is often left out in the cold. Indeed, it's been in use for so long and so widely, we often take the model for granted. So what is CI and how can you make the most of it? This blog is intended to answer those questions. Before we step into examining CI, we need to look back. Software developers often work in small teams and modularity, and need to integrate their changes with the rest of the project code b...
Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Kubernetes was originally built by Google, leveraging years of experience with managing container workloads, and is now a Cloud Native Compute Foundation (CNCF) project. Kubernetes has been widely adopted by the community, supported on all major public and private cloud providers, and is gaining rapid adoption in enterprises. However, Kubernetes may seem intimidating and complex ...