CS406: Information Security

Security Techniques in the Mobile and Cloud Era

As more and more of users' personal information moves online and beyond their physical control, it becomes important to advance and provide technical controls over its access and use. Users' possession and use of powerful mobile devices introduces potential for strong protection capabilities along with risk of new vulnerabilities.

Key Technologies

Secure connections

Cryptographic security protects information from wiretapping in transit, but endpoints can still be vulnerable. A TLS-secured connection isn't sufficient to protect a user's sensitive information if the server at the other end of that connection is impersonating the system the user wants to reach, or if a legitimate system has been hacked.

Mobile-aided authentication

A mobile device can empower its user to authenticate to Web-based services using methods stronger than simple passwords. It can generate one-time passwords for display and entry by its user, or can perform key-based cryptographic operations to demonstrate a user's identity within a protocol.

Federated identity technologies

Federated identity and related protocols, such as SAML, OpenID, and the eXtensible Access Control Markup Language (XACML) can serve new and valuable roles now that mobile devices are powerful enough to operate as service providers in themselves and as users' data is dispersed across numerous cloud-based platforms.

Mobile app protections and permissions

Many mobile apps communicate data back to sites operated by the organizations that provide the apps. The apps can provide valuable services for their users, but may also serve their providers by collecting information. To maintain an individual's security and privacy, especially as mobile devices accumulate apps from multiple sources, it's important to constrain what data each app can access within a device.