A delivery model for enterprise context-aware security as a service in mobile cloud computing / Muaamar Amer Abdulhafedh Al-Kubati

Enterprise Mobile Cloud Computing (MCC) environments have become typical nowadays especially with practices such as Bring Your Own Device (BYOD). These environments are not only highly complex and dynamic but also have an enormous number of users and devices, thus exposing these enterprises to higher security risks with possible confidential enterprise data and information residing in their workers’ personal devices. As opposed to the conventional static environments where devices are less dynamic, protecting enterprise MCC environments requires security approaches that are dynamic and fine-grained, especially approaches that are based on contexts such as the state of devices, users or environment. However, constructing MCC applications in enterprise environments with context-aware security is very complex and costly due to the diverse tasks, scalability and effectiveness issues involved. These issues may impede the adoption of context-aware security among enterprises, which may lead to an inadequate response to security risks. To overcome these issues, this thesis aims to simplify the construction of enterprise context-aware security applications in MCC, especially in BYOD environments, by proposing a model to deliver context-aware security as a service called CASECaaS. Accordingly, the research objectives are to design a model to provide context-aware security as a service, and to evaluate the feasibility and effectiveness of the model. Employing design science methodology for both objectives, the model is first designed to abstract the complexity of constructing context-aware security applications and enable enterprises and developers to seamlessly and easily empower their applications with context-aware security by subscribing to a cloud service. The model is divided into four major components: (i) a context-aware cloud backend that is responsible for context management tasks and acts as the backbone of the model, (ii) an enterprise cloud frontend to enable administrators and developers to easily define security contexts, (iii) a developer API that can be easily integrated with enterprise applications and (iv) a mobile client that reads sensor data from mobile devices and sends it to the cloud backend for analysis. The model is then implemented using scrum agile methodology to demonstrate its feasibility and provide concrete artifacts to evaluate its effectiveness. The model is rigorously evaluated using three complimentary methods; namely performance analysis, simulation and case study. The performance analysis showed an acceptable response time of 1 second for 1000 concurrent users on a scalable group of 10 low-end 1GB servers while the simulat ion results showed that the model is scalable and effective to be used in a multi-tenant environment with a large number of tenants and devices with an average response time of 112.6 milliseconds per request for 1000 tenants, each with 1000 devices and 100 security contexts. Thus, the performance analysis and simulation results revealed that the CASECaaS model is both scalable and effective. The case study in a real-world environment with testers on an existing university enterprise mobile application revealed that the model is feasible and can be realistically effective. The two major contributions of this thesis is delivering context-aware security as a service through the CASECaaS model and the CASECaaS prototype.