
Mobility Control Paradigm Shift in the Cloud Computing Era

Wednesday, February 3rd, 2010

According to CIO Insight, “cloud computing and new mobility technologies gain focus for 2010 as IT executives look beyond cost-cutting to new productivity and growth opportunities.”

The concept of cloud computing is not new, but while the economic viability of this model is quite compelling for many enterprises, concerns around security and relinquishing control over sensitive corporate data have been stalling its adoption in the last couple of years. It is now becoming clear, however, that the cloud computing era is approaching fast… please allow me to explain why.

Past experience has taught us that economic viability is a strong driver for innovation, and that it is very likely to prevail over technical challenges. An example would be the shift from the mainframe computing paradigm, which dominated the marketplace in the 80s, to the client-server paradigm, which prevailed in the 90s. The mainframe generation was characterized by silos of data and voice communications. In this generation, dumb terminals used to connect to proprietary mainframes for specific and limited-in-scope computing applications, with voice, video and data running on completely segregated networks.

Although the mainframe paradigm was simple and secure, with enterprises being fully in control of access privileges to data and applications, the economic benefits of unifying voice, video, and data applications on a single converged network prevailed.

You also know the rest of the story. The client-server paradigm galvanized the adoption of TCP/IP worldwide, which in turn spurred the development of the internet and unified communications. I believe that the same concepts are applicable to the cloud computing industry, and that the economic viability of pay-as-you-go for virtually unlimited, elastic computing resources, required for fast and efficient implementation of IT projects, will prevail over the security concerns.

The fact that existing cloud computing vendors are prospering and that major new players are entering the cloud computing market is yet another indication that this industry is beginning to emerge successfully across the chasm. It is also an indication that the adoption of the technology is shifting from the early adopters, who are visionary in nature, to the pragmatic early majority.

With Amazon’s Elastic Compute Cloud and S3 service growing substantially and the company’s stock price appreciating over 175% since Jan 2009, with Google Apps Engine challenging the Microsoft domination of office applications, and with Salesforce.com’s stock price appreciating over 180% in the last year, it becomes clear that cloud computing is gaining momentum. There are also new major players entering this market, including IBM with Blue Cloud and AT&T with Synaptic Hosting, and the expectation is that other major Service Providers will be adding cloud services to their portfolio in 2010.

Independent of whether your corporation is an early adopter or an early majority company, if you will be adopting cloud computing technologies in the foreseeable future, an interesting question to ponder would be: “How would the adoption of cloud computing and SaaS applications impact the enforcement of corporate security policies for mobile users?”

The traditional approach to enforcing corporate access security is to require mobile users accessing the corporate LAN to launch either SSL VPN or IPSec VPN clients. With these technologies, tunnels are established at the application or network layer respectively to ensure confidentiality of data traversing these VPNs. The challenge of this approach is that mobile users who use their corporate remote access devices to access the internet either don’t launch their VPN clients, or their sessions are routed directly to the internet through a split tunnel connection provisioned on access routers.

When remote users are accessing the corporate LAN through VPN, they are protected by firewalls with UTM (Unified Threat Management) functionality. This is not the case, however, when the users connect directly to the internet. In this case, they are exposed to a multitude of risks, including viruses, phishing, and spyware.

A practical example of this risk would be the following scenario. Consider that you are using your corporate laptop to log in from your home to the Dolphin Stadium and Miami Dolphins team website to purchase tickets for this Sunday’s Super Bowl football game. What if (based on a real scenario*) this website has been hacked without your knowledge, and malicious code downloads and installs on your laptop? This code acts as a Trojan and is capable of installing a keylogger and disabling the anti-virus application on your laptop. After successfully purchasing the tickets to the Super Bowl, you decide it’s time to balance leisure time with work and log into your Google Apps. Unfortunately, your password to Google Apps is captured by the keylogger and compromised at that moment. This scenario could have been avoided with a mobile connection manager blocking remote access to Google Apps after detecting that the anti-virus application is disabled.

As the control point in the cloud computing era is shifting from the VPN to the internet connection, the connection manager will be required to enforce corporate policies for endpoint security. The recently announced iPass Open Mobile Platform has been designed with this paradigm shift in mind. The Open Mobile Client is always running on the mobile device, which enables it to become the ultimate control point for all mobility purposes, regardless of whether the accessed applications reside in the cloud or on the corporate LAN. The client in most cases is transparent to the end users, enforcing policies in the background. Policies may include optimal network selection, launching and passing on user credentials to VPN clients, and performing end-point integrity checks and remediation. The ECA (Event Condition Action) functionality on the Open Mobile Client empowers IT administrators to enforce corporate endpoint security policies. ECA is used to enforce both pre- and post-connect policies and spans across all integrated technologies (e.g. VPNs) and applications (e.g. UTM apps running on the mobile device).
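To make the Event-Condition-Action idea concrete, here is a small added illustration (not iPass code, and not the Open Mobile Client’s real API) of a pre-/post-connect policy engine that replays the Super Bowl scenario above: the event names, the `Endpoint` fields and the action labels are all assumptions.

```python
"""Toy Event-Condition-Action (ECA) endpoint policy engine (added example)."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Endpoint:
    network: str      # constructed labels: "corp_lan", "home", "hotspot"
    vpn_up: bool      # is a VPN tunnel currently established?
    av_running: bool  # is the anti-virus application alive?


@dataclass
class Rule:
    event: str                             # when the rule is evaluated
    condition: Callable[[Endpoint], bool]  # posture test on the endpoint
    actions: List[str]                     # what the client does on a match


# Assumed policy set: pre_connect fires before a network is joined, the
# post_connect and av_status_changed rules fire while the session is live.
POLICY = [
    Rule("pre_connect", lambda ep: ep.network != "corp_lan" and not ep.vpn_up,
         ["launch_vpn"]),
    Rule("post_connect", lambda ep: not ep.av_running,
         ["block_cloud_apps", "remediate_av"]),
    Rule("av_status_changed", lambda ep: not ep.av_running,
         ["block_cloud_apps", "remediate_av"]),
    Rule("av_status_changed", lambda ep: ep.av_running, ["allow_cloud_apps"]),
]


def evaluate(event: str, ep: Endpoint) -> List[str]:
    """Return the actions fired for one event, in policy order, without duplicates."""
    fired: List[str] = []
    for rule in POLICY:
        if rule.event == event and rule.condition(ep):
            fired.extend(a for a in rule.actions if a not in fired)
    return fired


def cloud_access_allowed(ep: Endpoint) -> bool:
    """Integrity gate for SaaS traffic: a disabled anti-virus blocks the session
    whether or not a VPN happens to be up, which is the post's missing control."""
    return "block_cloud_apps" not in evaluate("av_status_changed", ep)


def replay_scenario() -> List[str]:
    """Home laptop, no VPN, anti-virus killed by the Trojan before the SaaS login."""
    ep = Endpoint(network="home", vpn_up=False, av_running=True)
    log = [f"pre_connect -> {evaluate('pre_connect', ep)}"]
    ep.av_running = False  # the Trojan disables the anti-virus
    log.append(f"av_status_changed -> {evaluate('av_status_changed', ep)}")
    log.append(f"google apps login allowed: {cloud_access_allowed(ep)}")
    return log
```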

* Based on a real hacking scenario; please refer to the following web page for additional details.

http://www.pcworld.com/article/128750/super_bowlrelated_web_sites_hacked.html
