Introduction

Security is one of the most critical challenges for mobile cloud computing. Mobile cloud computing faces a number of security issues, for instance, data access control, data distribution over a distributed infrastructure, data integrity, service availability, secure communication, and application security. In addition, mobility adds further security challenges.

In general, security problems in mobile cloud computing can be considered from two perspectives: the mobiles (or lightweight embedded devices) and the virtualized resource provisioning system (e.g., Internet clouds or dedicated computing resources located close to the mobiles). The mobiles must be kept free of malicious code, such as viruses, Trojan horses, and worms. Malicious code is a security threat and can change an application's behavior, which may cause privacy leakage or data corruption. Therefore, to keep mobiles free of malicious code, security monitoring and scanning must be performed continuously and regularly. However, security monitoring and scanning of mobile cloud applications is a resource-intensive task, which usually carries real-time requirements that cannot be easily fulfilled in a mobile and resource-restricted environment.

In [107], seven security risks are outlined for users to consider in the general cloud computing areas:

1.  Privileged user access. Offloading sensitive data to the cloud would mean the loss of direct physical, logical and personnel control over the data.

2.  Regulatory compliance. The cloud service providers should be willing to undergo external audits and security certifications.

3.  Data location. The exact physical location of a user's data is not transparent, which may lead to confusion about specific jurisdictions and commitments on local privacy requirements.

4.  Data segregation. Since cloud data is usually stored in a shared space, it is important that each user's data is separated from others with efficient encryption schemes.

5.  Recovery. It is imperative that cloud providers provide proper recovery mechanisms for data and services in case of technological failure or other disaster.

6.  Investigative support. Since logging and data for multiple customers may be colocated, inappropriate or illegal activity, should it occur, may be very hard to investigate.

7.  Long-term viability. Assurance that users' data would be safe and accessible even if the cloud company itself goes out of business.

In mobile cloud computing, all these security risks still exist; however, some of them are less prominent than in Internet clouds. Risks such as recovery, investigative support, and long-term viability become less important due to the mobility and real-time requirements of mobile cloud computing applications. These properties of mobile cloud computing make proactive and preventive security solutions more appealing than detective and reactive approaches.

In a mobile cloud, data is mobile: it can be transferred and cached from one device to another. Traditional data access control models such as Role-Based Access Control (RBAC)¹, in which the data storage infrastructure provides access control, are not scalable. RBAC is widely adopted by various information systems (such as Windows/Active Directory) and requires associating capabilities directly with users or their roles. Managing identities, groups, and roles in this way is often cumbersome and is insufficient for expressing real-world access control policies. For example, in a personal health information system, since data is collected from multiple sources with different health care providers, whether a data access request is granted or not is usually decided by the attributes of the requester, selected attributes of the object, and environment conditions that can be globally recognized. At times, access control policy enforcement is performed even without prior knowledge of the specific subjects.

Another significant drawback of RBAC is the lack of mobility when data is moved between different storage services under separate administrative control domains. It is extremely difficult to translate the data access policies from one domain to another. In an ideal situation, access control can be incorporated into the protected data, e.g., using encrypted data with access policy enforcement. In this way, data can be freely moved from one device to another without the need to transfer the access control policies from one service provider to another.

To address the above-mentioned drawbacks, we present Policy-Based Access Control (PBAC), sometimes referred to as Attribute-Based Access Control (ABAC). It defines an access control paradigm whereby access rights are granted to users through policies that combine attributes. We use PBAC and ABAC interchangeably in this book. The policies can use any type of attributes (user attributes, resource attributes, object attributes, environment attributes, etc.), unlike RBAC, which employs predefined roles that carry a specific set of privileges and to which subjects are assigned. The key difference with ABAC is the concept of policies that express a complex Boolean rule set that can evaluate many different attributes without predefined roles. In Chapter 7, we present the foundation of ABAC; in particular, the presentation focuses on using Attribute-Based Encryption (ABE) as the building block to establish ABAC for mobile cloud computing.
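The following added example (not taken from the book) shows an ABAC policy as a Boolean rule set over subject, resource, and environment attributes, using the personal health record scenario described above. The attribute names, values, and the policy itself are constructed for illustration, and the sketch covers plain policy evaluation only, not the ABE-based enforcement covered in Chapter 7.

```python
# Added example: attribute names, values and the policy are constructed for illustration.
from typing import Any, Callable, Dict

Attrs = Dict[str, Dict[str, Any]]  # {"subject": {...}, "resource": {...}, "env": {...}}
Rule = Callable[[Attrs], bool]

def attr(category: str, name: str, pred: Callable[[Any], bool]) -> Rule:
    """Leaf rule: test one attribute; a missing attribute never satisfies it."""
    def rule(a: Attrs) -> bool:
        bag = a.get(category, {})
        return name in bag and pred(bag[name])
    return rule

def all_of(*rules: Rule) -> Rule:
    return lambda a: all(r(a) for r in rules)

def any_of(*rules: Rule) -> Rule:
    return lambda a: any(r(a) for r in rules)

def same(cat_a: str, name_a: str, cat_b: str, name_b: str) -> Rule:
    """True only when both attributes exist and are equal (requester vs. record)."""
    def rule(a: Attrs) -> bool:
        x, y = a.get(cat_a, {}), a.get(cat_b, {})
        return name_a in x and name_b in y and x[name_a] == y[name_b]
    return rule

# (licensed clinician AND same provider as the record AND office hours)
#   OR (paramedic AND declared emergency). No roles are predefined and no
# individual subject is named: any requester presenting the attributes qualifies.
READ_RECORD = any_of(
    all_of(
        attr("subject", "profession", lambda v: v in {"physician", "nurse"}),
        attr("subject", "licensed", lambda v: v is True),
        same("subject", "provider", "resource", "provider"),
        attr("env", "hour", lambda h: 8 <= h < 18),
    ),
    all_of(
        attr("subject", "profession", lambda v: v == "paramedic"),
        attr("env", "emergency", lambda v: v is True),
    ),
)

def decide(policy: Rule, subject: dict, resource: dict, env: dict) -> str:
    """Default deny: anything the policy does not explicitly allow is refused."""
    ctx = {"subject": subject, "resource": resource, "env": env}
    return "Permit" if policy(ctx) else "Deny"
```

Because a missing attribute fails its leaf rule, a request that omits `licensed` or `provider` is denied rather than falling through to an allow.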

The increasing usage of low-power, high-performance devices in the mobile cloud computing environment has brought about a unique set of challenges and opportunities. The ARM architecture [239] in particular has evolved to a point where it supports implementations across a wide spectrum of performance points. The enhancements to the basic Reduced Instruction Set Computer (RISC) architecture [155] allow ARM to have high performance, small code size, low power consumption, and small silicon area. Because of these enhancements to the ARM architecture, mobile phones are exclusively based on ARM, and there is a surge in popularity of ARM-based smartphones, tablets, and laptops. Users want their devices to perform many tasks on the fly, such as reading e-mail, playing games, and running other online applications.

The key factors that contributed to the shift toward a mobile working style are mobility, consumerization, and the advent of mobile cloud computing. This new work style demands an any-device, anywhere setup so that people can carry out work and personal activities on the same device, and they are also willing to pay for this (e.g., Cisco employees on average pay $600 annually to use such devices [58]). The term Bring Your Own Device (BYOD) [115] has come into being from the demand for such a work setup. This calls for a new research and development direction: creating an application running environment on mobile devices through resource and execution isolation approaches. In Chapter 8, we present a resource isolation approach for ARM architecture-based mobile devices. The prototype is presented in Appendix D.

Bibliography

[58] J. Barbier, J. Bradley, J. Macaulay, R. Medcalf, C. Reberger, BYOD and virtualization: top 10 insights from Cisco IBSG horizons study, Viitattu 2012;8:2016.

[107] N. Fernando, S.W. Loke, W. Rahayu, Mobile cloud computing: a survey, Future Generation Computer Systems 2013;29(1):84–106.

[115] A. Ghosh, P.K. Gajar, S. Rai, Bring your own device (BYOD): security risks and mitigating strategies, Journal of Global Research in Computer Science 2013;4(4):62–70.

[155] G. Kane, MIPS RISC Architecture. Prentice-Hall; 1988.

[239] D. Seal, ARM Architecture Reference Manual. Pearson Education; 2001.


1  “Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. In this context, access is the ability of an individual user to perform a specific task, such as view, create, or modify a file.”
