A Risk management framework for the BYOD environment

Computer networks in organisations today have different layers of connections, which are either domain connections or external connections. The hybrid network contains the standard domain connections, cloud base connections, “bring your own device” (BYOD) connections, together with the devices and network connections of the Internet of Things (IoT). All these technologies will need to be incorporated in the Oman Vision 2040 strategy, which will involve changing several cities to smart cities. To implement this strategy artificial intelligence, cloud computing, BYOD and IoT will be adopted. This research will focus on the adoption of BYOD in the Oman context. It will have advantages for organisations, such as increasing productivity and reducing costs. However, these benefits come with security risks and privacy concerns, the users being the main contributors of these risks. The aim of this research is to develop a risk management and security framework for the BYOD environment to minimise these risks. The proposed framework is designed to detect and predict the risks by the use of MDM event logs and function logs. The chosen methodology is a combination of both qualitative and quantitative approaches, known as a mixed-methods approach. The approach adopted in this research will identify the latest threats and risks experienced in BYOD environments. This research also investigates the level of user-awareness of BYOD security methods. The proposed framework will enhance the current techniques for risk management by improving risk detection and prediction of threats, as well as, enabling BYOD risk management systems to generate notifications and recommendations of possible preventive/mitigation actions to deal with them

New Container Architectures for Mobile, Drone, and Cloud Computing

Containers are increasingly used across many different types of computing to isolate and control apps while efficiently sharing computing resources. By using lightweight operating system virtualization, they can provide apps with a virtual computing abstraction while imposing minimal hardware requirements and a small footprint. My thesis is that new container architectures can provide additional functionality, better resource utilization, and stronger security for mobile, drone, and cloud computing. To demonstrate this, we introduce three new container architectures that enable new mobile app migration functionality, a new notion of virtual drones and efficient utilization of drone hardware, and stronger security for cloud computing by protecting containers against untrusted operating systems. First, we introduce Flux to support multi-surface apps, apps that seamlessly run across multiple user devices, through app migration. Flux introduces two key mechanisms to overcome device heterogeneity and residual dependencies associated with app migration to enable app migration. Selective Record/Adaptive Replay to record just those device-agnostic app calls that lead to the generation of app-specific device-dependent state in services and replay them on the target. Checkpoint/Restore in Android (CRIA) to transition an app into a state in which device-specific information the app contains can be safely discarded before checkpointing and restoring the app within a containerized environment on the new device. Second, we introduce AnDrone, a drone-as-a-service solution that makes drones accessible in the cloud. AnDrone provides a drone virtualization architecture to leverage the fact that computational costs are cheap compared to the operational and energy costs of putting a drone in the air. This enables multiple virtual drones to run simultaneously on the same physical drone at very little additional cost. To enable multiple virtual drones to run in an isolated and secure manner, each virtual drone runs its own containerized operating system instance. AnDrone introduces a new device container architecture, providing virtual drones with secure access to a full range of drone hardware devices, including sensors such as cameras and geofenced flight control. Finally, we introduce BlackBox, a new container architecture that provides fine-grain protection of application data confidentiality and integrity without the need to trust the operating system. BlackBox introduces a container security monitor, a small trusted computing base that creates separate and independent physical address spaces for each container, such that there is no direct information flow from container to operating system or other container physical address spaces. Containerized apps do not need to be modified, can still make full use of operating system services via system calls, yet their CPU and memory state are isolated and protected from other containers and the operating system

Holistic security 4.0

The future computer climate will represent an ever more aligned world of integrating technologies, affecting consumer, business and industry sectors. The vision was first outlined in the Industry 4.0 conception. The elements which comprise smart systems or embedded devices have been investigated to determine the technological climate. The emerging technologies revolve around core concepts, and specifically in this project, the uses of Internet of Things (IoT), Industrial Internet of Things (IIoT) and Internet of Everything (IoE). The application of bare metal and logical technology qualities are put under the microscope to provide an effective blue print of the technological field. The systems and governance surrounding smart systems are also examined. Such an approach helps to explain the beneficial or negative elements of smart devices. Consequently, this ensures a comprehensive review of standards, laws, policy and guidance to enable security and cybersecurity of the 4.0 systems

REMOTE MOBILE SCREEN (RMS): AN APPROACH FOR SECURE BYOD ENVIRONMENTS

Bring Your Own Device (BYOD) is a policy where employees use their own personal mobile devices to perform work-related tasks. Enterprises reduce their costs since they do not have to purchase and provide support for the mobile devices. BYOD increases job satisfaction and productivity in the employees, as they can choose which device to use and do not need to carry two or more devices. However, BYOD policies create an insecure environment, as the corporate network is extended and it becomes harder to protect it from attacks. In this scenario, the corporate information can be leaked, personal and corporate spaces are not separated, it becomes difficult to enforce security policies on the devices, and employees are worried about their privacy. Consequently, a secure BYOD environment must achieve the following goals: space isolation, corporate data protection, security policy enforcement, true space isolation, non-intrusiveness, and low resource consumption. We found that none of the currently available solutions achieve all of these goals. We developed Remote Mobile Screen (RMS), a framework that meets all the goals for a secure BYOD environment. To achieve this, the enterprise provides the employee with a Virtual Machine (VM) running a mobile operating system, which is located in the enterprise network and to which the employee connects using the mobile device. We provide an implementation of RMS using commonly available software for an x86 architecture. We address RMS challenges related to compatibility, scalability and latency. For the first challenge, we show that at least 90.2% of the productivity applications from Google Play can be installed on an x86 architecture, while at least 80.4% run normally. For the second challenge, we deployed our implementation on a high-performance server and run up to 596 VMs using 256 GB of RAM. Further, we show that the number of VMs is proportional to the available RAM. For the third challenge, we used our implementation on GENI and conclude that an application latency of 150 milliseconds can be achieved. Adviser: Byrav Ramamurth

Differences in Perceived Information Sensitivity During Smartphones Use Among UK University Graduates

The level of sensitivity with which smartphone users perceive information influences their privacy decisions. Information sensitivity is complex to understand due to the multiple factors influencing it. Adding to this complexity is the intimate nature of smartphone usage that produces personal information about various aspects of users’ lives. Users’ perceive information differently and this plays an important role in determining responses to privacy risk. The different levels of perceived sensitivity in turn point out how users could be uniquely supported through information cues that will enhance their privacy. However, several studies have tried to explain information sensitivity and privacy decisions by focusing on single-factor analysis. The current research adopts a different approach by exploring the influences of the disclosure context (smartphone ecosystem), three critical factors (economic status, location tracking, apps permission requests) and privacy attributes (privacy guardian, pragmatist, and privacy unconcerned) for a more encompassing understanding of how smartphone user-categories in the UK perceive information. The analysis of multiple factors unearths deep complexities and provides nuanced understanding of how information sensitivity varies across categories of smartphone users. Understanding how user-categories perceive information enables tailored privacy. Tailored privacy moves from “one-size-fits-all” to tailoring support to users and their context. The present research applied the Struassian grounded theory to analyse the qualitative interview data collected from 47 UK university graduates who are smartphone users. The empirical research findings show that smartphone users can be characterised into eight categories. However, the category a user belongs depends on the influencing factor or the information (identity or financial) involved and the privacy concern category of the user. This study proposes a middle-range theory for understanding smartphone users’ perception of information sensitivity. Middle-range theories are testable propositions resulting from in-depth focus on a specific subject matter by looking at the attributes of individuals. The propositions shows that an effective privacy support model for smartphone users should consider the varying levels of information sensitivity. Therefore, the study argues that users who perceive information as highly sensitive require privacy assurance to strengthen privacy, whereas users who perceive information as less sensitive require appropriate risk awareness to mitigate privacy risks. The proposition provides the insight that could support tailored privacy for smartphone users

A framework for privacy aware design in future mobile applications

Mobile communications and applications play an important role in connecting people ubiquitously across different domain spaces due to their portable nature and easy accessibility. Mobile applications have drastically changed the way businesses are run by bringing them closer to their customers. Businesses today are connected to cloud based-tools, which makes it easier to start and run a business. Furthermore, mobile applications have changed the way we communicate with each other in our daily lives. They have increasingly been deployed by companies to help with, among other things, the management of business efficiency, ease in accessing information, simplifying communication and the provision of user-friendly applications. The number of mobile devices is increasing exponentially, it is estimated that 1.5 billion devices are available to the public worldwide. In addition, there is a multitude of operating systems running on these devices, all running on different architectures and configurations. The diversity of the different versions of applications that need to be constantly updated as they become outdated makes mobile applications highly susceptible to security and privacy flaws. Until recently, privacy has not been the main centre of interest within the design of mobile applications. Although, a number of privacy preserving solutions have been developed to improve privacy, existing research solutions adopt static design models which are not suitable for mobile applications. There is a significant gap between having common practices for designing and implementing privacy-preserving methods due to the cross-disciplinary nature of mobile applications. Most importantly, personal data are constantly collected and shared with unknown recipients. This is a challenging problem as users are not aware of how their data is used and shared without their consent. Furthermore, existing privacy policies are not stringently implemented during application development. Application designers do not comply with regulations envisaged by data protection regulation bodies. To investigate the problem domain, this thesis takes a bottom-up approach and contributes by analyzing current mobile applications to determine the integration of privacy mechanisms and privacy policies at the application level. We should however note that, the focus of this work contributes to the knowledge related to designing of holistic privacy preserving mobile applications and not the implementation aspect. Furthermore, this thesis introduces a novel privacy trade-off analysis framework that enables the design of privacy-aware applications. A privacy trade-off analysis generates a design solution that best suits an application's privacy goals and requirements. To demonstrate the privacy-aware framework, TRANK, two prototypes in the eHealth domain and the V2X Telematics domain, that integrate privacy-preserving technologies in modern mobile applications have been implemented and tested. Our implementation takes into consideration the trade-off between privacy, functionality and performance to provide a better privacy-aware application. The resulting system enables users to choose which data are to be collected about them. In this way, users can easily opt in and out of the application without having to give up all their personally identifiable information whenever they choose to, thus, enhance their overall privacy preservation. To the best of our knowledge our framework and the results in this thesis out perform the existing state of-the-art privacy preserving solutions. The privacy-enhancing technologies employed and the privacy-by-design mechanisms introduced at the initial stages of development thus, aid the improvement of privacy in mobile applications

How WEIRD is Usable Privacy and Security Research? (Extended Version)

In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide the suggestions including facilitate replication studies, address geographic and linguistic issues of study/recruitment methods, and facilitate research on the topics for non-WEIRD populations.Comment: This paper is the extended version of the paper presented at USENIX SECURITY 202

Computer-Mediated Communication

This book is an anthology of present research trends in Computer-mediated Communications (CMC) from the point of view of different application scenarios. Four different scenarios are considered: telecommunication networks, smart health, education, and human-computer interaction. The possibilities of interaction introduced by CMC provide a powerful environment for collaborative human-to-human, computer-mediated interaction across the globe

Secure portable execution and storage environments: A capability to improve security for remote working

Remote working is a practice that provides economic benefits to both the employing organisation and the individual. However, evidence suggests that organisations implementing remote working have limited appreciation of the security risks, particularly those impacting upon the confidentiality and integrity of information and also on the integrity and availability of the remote worker’s computing environment. Other research suggests that an organisation that does appreciate these risks may veto remote working, resulting in a loss of economic benefits. With the implementation of high speed broadband, remote working is forecast to grow and therefore it is appropriate that improved approaches to managing security risks are researched. This research explores the use of secure portable execution and storage environments (secure PESEs) to improve information security for the remote work categories of telework, and mobile and deployed working. This thesis with publication makes an original contribution to improving remote work information security through the development of a body of knowledge (consisting of design models and design instantiations) and the assertion of a nascent design theory. The research was conducted using design science research (DSR), a paradigm where the research philosophies are grounded in design and construction. Following an assessment of both the remote work information security issues and threats, and preparation of a set of functional requirements, a secure PESE concept was defined. The concept is represented by a set of attributes that encompass the security properties of preserving the confidentiality, integrity and availability of the computing environment and data. A computing environment that conforms to the concept is considered to be a secure PESE, the implementation of which consists of a highly portable device utilising secure storage and an up-loadable (on to a PC) secure execution environment. The secure storage and execution environment combine to address the information security risks in the remote work location. A research gap was identified as no existing ‘secure PESE like’ device fully conformed to the concept, enabling a research problem and objectives to be defined. Novel secure storage and execution environments were developed and used to construct a secure PESE suitable for commercial remote work and a high assurance secure PESE suitable for security critical remote work. The commercial secure PESE was trialled with an existing telework team looking to improve security and the high assurance secure PESE was trialled within an organisation that had previously vetoed remote working due to the sensitivity of the data it processed. An evaluation of the research findings found that the objectives had been satisfied. Using DSR evaluation frameworks it was determined that the body of knowledge had improved an area of study with sufficient evidence generated to assert a nascent design theory for secure PESEs. The thesis highlights the limitations of the research while opportunities for future work are also identified. This thesis presents ten published papers coupled with additional doctoral research (that was not published) which postulates the research argument that ‘secure PESEs can be used to manage information security risks within the remote work environment’