Dec 29, 2010

Cloud and Security

Here are some thoughts on security in the "Cloud" - another hyped word of recent few years. We try to name some of the most interesting challenges. The  bottom line is that instead of a secure tunnel between a client and a server, one has to create a secure "bubble" that only the client can access.

Category: General
Posted by: dc352

Cloud computing has emerged recently as a new, more economic and possibly more reliable way of running applications that process huge volumes of data (that is one of scenarios). The basic paradigm involves large numbers of computers and virtualisation techniques allowing distribution of applications across as many computers as needed.

Service providers offer memory space, computational power and applications so that their clients need only simple terminals to access the virtualised cloud. The virtualisation features mean that the data can be physically anywhere within the providers’ infrastructure. This brings in the question of legal and regulatory requirements that will probably prevent use of cloud computing in regulated industries.

This scenario can be described, in terms of information security, as trusted applications on un-trusted platforms. This is nothing new as the industry has developed various evaluation and certification methods for assessing security of un-trusted platforms. However with cloud computing, it is not possible to use any administrative or physical security mechanisms nor access controls any more (at least from the data owners' point of view).

Applications in the cloud run in virtual machines on top of operating systems and in unknown hardware platforms. Compromise of any of these layers would result in insecurity of the processed data. The only effective approach ensuring security of the data is use of cryptography with all keys staying in the clients’, trusted, computers.

Encrypted data is hard to process. There are techniques allowing search in encrypted data but they are computationally expensive and still subject to research. An alternative can be to implement a part of the cloud internally so that the platform will become trusted or semi-trusted. For example, the cloud may provide collection of encrypted logged data (offering availability and necessary storage capacity), while the trusted part of the cloud would be used to decrypt and audit the data.

Cloud computing tends to use open source software and it also requires open standards for communication protocols due to a separation of infrastructure and user interfacing parts. Open standards promise more thorough security and cryptographic analysis and better security against external adversaries. Threats of data to get compromised when being stored or processed in the back-end infrastructure will be the most important ones.

The concepts of cloud computing are intrinsic for peer-to-peer networks and some on-line games (e.g., Second Life) make use of cloud computing to meet demands of hundreds of thousands players inhabiting the same virtual world. Trustworthiness of back-end systems will be crucial for a widespread use of cloud computing for business applications.