Saying that others are wrong doesn’t make a mobile OS secure

30.11.2011 by Martin Kuppinger

Recently, Chris DiBona published a comment (or blog or whatever it is) at Google+ bashing at a lot of companies and people in the industry. He starts with “people claiming that open source is inherently insecure and that android is festooned with viruses because of that and because we do not exert apple like controls over the app market.” Further down he claims that no major cell phone has a virus problem like Windows or Mac machines. There are some other harsh statements in the article, especially about vendors in the security space being charlatans and scammers.

Not surprising that there has been a flood of press releases and other types of responses by vendors of anti-virus, anti-malware, and other types of security tools.

If you look at the facts, then from my opinion some things are evident:

  • Every type of software is potentially insecure – that includes closed source and open source
  • There are better and worse approaches to deal with security flaws – and that doesn’t relate to software being open source or not
  • There is malware attacking Android devices and the number of known issues is growing
  • There are different approaches to marketplaces¬†like the ones for Android and iOS – however even open marketplaces could use independent test and certification approaches increasing security
  • Yes, vendors are trying to earn money with security solutions for mobile devices and there is marketing in

However, the essential point is: There are security risks and instead of bashing on others the goal should be to mitigate risks. That needs to be done before the security issues become too big. Saying that “If you read a report from a vendor that trys to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans.”, to quote again Chris DiBona, is absolutely misleading. The problem might not be as big as some marketeers try to tell today – but there is an malware problem and there is a need to deal with it. Not saying that anti-malware on mobile devices is the best choice to solve the problem… And yes, Chris DiBona isn’t correct in saying that these usually aren’t viruses but other types of malware. That’s splitting hairs! So, instead of playing down things, it’s about understanding current and upcoming risks, security needs, and then acting on that – regardless of providing open source or closed source.

I personally believe that its worse to play down security issues than trying to identify and address the issues. And if someone uses the wrong term (like “virus” for something that isn’t a virus), OK – that happens and virus is sort of a term used commonly wrong. But it doesn’t change the fundamental facts: There are security risks for mobile devices. Thus users have to react. Oh, and by the way: I thought we ended these religious “open source or not” discussions at least five or ten years ago. There is no value in these discussions. There is only value in providing better software.

And when talking about Android, looking at the way it uses information I just can state that it is not the best example for “fair information practice” (carefully spoken). Information security is not only about malware and the likes, it is about the way systems deal with information overall. With respect to the way Android deals with GPS locations, SSIDs of available WLANs, and other information, just have a look here¬†(to give you just one example, there is more to be found at YouTube). So again, Google: Do your homework first before you start bashing at others.


A totally unsurprising proposal for European cloud initiatives

23.11.2011 by Martin Kuppinger

Today I received a press release of SAP talking about a new study of Roland Berger (a large consulting firm) and SAP with the title “Cloud Computing brings new growth opportunities to – Europe’s IT and communications industry”. It ends with a program consisting of five points, the proposal of Roland Berger and SAP. The points are

  • Define a European legal framework for data protection and data security
  • Define a “European Cloud Gold Standard” as sort of certificate for cloud providers
  • Spend EU money for research and development around innovations in the cloud
  • Support Cloud Computing for medium-sized businesses (based on the already existing programs)
  • Public services and governments should procure cloud services, showing their trust into the cloud offerings (and thus drive others to procure such services as well)

There were some other well-known findings like the fact that IaaS is dominated by some large US companies like Amazon and Microsoft, that the Cloud Computing market will grow, and so on.

But, to be honest: All this is self-evident or already existing. And some aspects are questionnable. Yes, there are growth potentials in the cloud. For all IT providers in all regions worldwide. We all know that for years. There is an existing European legal framework for data protection, at least to some extent. There is room for improvement, but it isn’t missing (and the report claims that EU standards for data protection are missing, which is just wrong). A worldwide accepted standard for cloud services is required – good and strong certifications. But the question isn’t about that we need it but about how this could look like and how this could be granular enough for quick and efficient procurement processes. Innovation: Great thing. The EU is investing in that for years. And yes, it helps, but innovation comes from a lot of different sources.

When looking at the last two points, the medium-sized businesses and the government procuring cloud services, this shows a fundamental misunderstanding: Cloud Computing is just another deployment model. The reason to move to a cloud service is that this might be the most appropriate way to procure a service (instead of on-premise production). But there is no reason for the government to move to the cloud as long as these services aren’t better than on-premise services – better in a complex sense, taking all factors like functionality, price, risk ratings, security, availability, and so on into account. The same is true for medium-sized businesses.

At the end of the day it is about providing services to the customer which are good enough. Certifications, standards, and legal frameworks will help. But the main point still is about providing the better service, not about complaining about the limiting factors. By the way: It would also have been worth to mention that the EC Privacy Directive will undergo significant changes next year, beyond what it provides today around data protection.


SAML, SCIM – and what about authorization?

16.11.2011 by Martin Kuppinger

Cloud Computing is just another delivery model for IT services. However, due to the specifics of cloud services like multi-tenancy and many others, requirements sometimes are even higher than for on-premise services. One of these requirements in well-architected IT environments and for well-architected applications is the ability to externalize security. That includes relying on external directories for administering and authenticating users, e.g. on Identity Providers. It might include the capability of “cloud provisioning”, e.g. receiving changes of users – even while I clearly favor federation as loosely coupled approach over provisioning. It should include the support for external logs, event monitoring, and so on – unfortunately that appears to be a topic where noone is really working on.

And it should include the capability of managing authorizations in cloud services based on centrally (on-premise or using a cloud service – but centrally and not per cloud service!) managed policies. There is limited value in federating users and than doing all the administration work per cloud service using the cloud service’s proprietary management GUIs or APIs. However, authorization is where the problem really starts.

There is a standard for distributed, dynamic¬†authorization management out there: XACML, the eXtensible Access Control Markup Language. It allows to describe the rules. It allows to work with different repositories for identity information (PIPs, Policy Information Points) and other information required for authorizations, it provides interfaces to custom and standard applications, and so on. However, I haven’t seen XACML in the cloud until now. Unfortunately, I also haven’t seen any real alternative to XACML.

Some might claim that SAML might do that job. There is the SAML Authorization Decision Query as part of the SAML 2.0 standard. But that leads pretty quickly to SAML/XACML interoperability and things like the SAML 2.0 profile of XACML. In fact, if it is about having a consistent set of policies expressed in a common standard, XACML is what we need. We need to define and manage these policies consistently per organization, not per service. Services should request authorization decisions – at least in an ideal world. However, when looking at the cloud, there comes another aspect into play: Performance. Performance is a general issue when externalizing authorization decisions. For cloud services which have to ask many different authorization “engines”, it is an even bigger issue. And there is the issue of latency, which is a factor in cloud environments due to the geographical distances you might find there.

Thus, while XACML is fine for defining policies, the interesting question is: Should cloud services ask external authorization engines per authorization decision? Or is it the better way to update the relevant XACML policies at the cloud service and do authorization decisions there? However, then we will still need a way for efficiently accessing the PIPs for other attributes required to perform the authorization decision.

I don’t have the full answer. However I’m convinced that XACML is a key element for authorization in the cloud, given that it is the standard for externalizing authorization decisions. But it might need some enhancements to optimally work for cloud security as well. It definitely will need improved security architectures for cloud services themselves to externalize authorization decisions and to rely on centrally managed policies. And it definitely needs some thinking about the overall security architecture for cloud services. So I’m looking forward to comments on this post – maybe I’ve missed something and everything is there; maybe this initiates some enhancements to standards. I don’t know but I’m really curious.


Services
© 2014 Martin Kuppinger, KuppingerCole