Mobile security

Surprise! The Cloud Has Security Advantages

Security is a major concern for mobile operators, but it's not the main issue that has held carriers back from the cloud. And -- perhaps counter-intuitively -- data may actually be better protected in a cloud environment because of greater network visibility and greater control over data access.

Those were two of the primary theories put forth by participants at the recent Light Reading Mobile Network Security Strategies event in New York. Speaking on a session entitled "Telco Cloud: New Opportunities & Threats for Mobile Security," panelists didn't downplay concerns about data security in the cloud, but they were careful to note that the issue isn't as simple as it appears.

Moderating the panel, Heavy Reading Chief Analyst Patrick Donegan suggested to participants that possibly mobile carriers haven't had the same motivation to move toward the cloud and network virtualization as their wireline brethren. However, F5 Networks Inc. (Nasdaq: FFIV)'s' Head of Product and Solution Marketing Peter Margaris only partially agreed with the sentiment, noting that mobile operators are under pressure to shift business models, thanks to competitive over-the-top services. It's the effort to maintain profitability while making changes that's likely a big reason behind their cautious approach.

Symantec Corp. (Nasdaq: SYMC) Distinguished Systems Engineer Doward Wilkinson agreed that business issues have played a major role in mobile operators' timeline. According to Wilkinson, wireless carriers were behind the game initially in transitioning to cloud services, but they're starting to catch up quickly. And the acceleration isn't because the security landscape has changed, but because there's an incentive to maintain competitive advantage. "I don't think that security was the only thing holding them back," he said.

Panel participants also highlighted the notion that the cloud and virtualization offer some significant security advantages. As Ericsson AB (Nasdaq: ERIC) Head of Cloud System and Platforms Jason Hoffman explained it, the whole point of SDN is to centralize control. Once you do that, you can manage all of the metadata from a distributed system in one place and more easily run security audits to ensure system integrity. You can also limit interaction with the network in an entirely programmatic way. If a user doesn't meet certain programmed criteria, there's no access allowed.

In theory, a centralized command and control tier could be more vulnerable than a distributed control system because it creates a more focused target for attack. However, there are very logical ways to keep that command and control tier protected. For example, the controller shouldn't live on a public network. It should be on an out-of-band network and physically separate from the rest of the system.

"You've just got to use good sense," added Wilkinson.

While panel participants agreed on most of the security issues they discussed, Hoffman did introduce two controversial notes. First, he suggested that network firewalls -- even those designed to protect micro-perimeters around different functions in the network -- are lazy. Hoffman decided not to elaborate on the point, but his argument directly countered AT&T Inc. (NYSE: T) Chief Security Officer Ed Amoroso, who spoke earlier in the day about creating firewalls around micro domains representing specific network assets. (See AT&T Adds Virtual Layer of Security.)

Second, Hoffman contended that it pays for operators to go with a single end-to-end vendor when choosing a cloud platform. While admitting that the argument sounded self-serving, Hoffman explained that if a security breach occurs, it's difficult for any one vendor to test system integrity if the parts all come from different companies. If something goes wrong, it's also difficult to decide just who should foot the bill.

— Mari Silbey, special to Light Reading

MikeP688 12/28/2014 | 5:13:45 PM
It is nice to see such optimism.... ...unless you've actually been hit!!!    This past month saw me receive stuff from "supposedly" PayPal (which I escalated to them) and then be part of the 48 Million who are subject to a hack of the US Office of Personnel Management and its' subcontractor.  They say they took "steps" to implement what US-CERT did.  US-CERT does great work and I read their bulletins dilligently and implement them within my own start-up network and the organizations I work with--but there needs to be a profound need to go beyond such "happy talk" that we're sometimes privy to :-)

Happy New Year!! :-) 
Sign In