machine on a server from gleaning information by monitoring the use of shared cache memory by another virtual machine on the same server, something that the San Diego and MIT researchers suggested was possible. And researchers at IBM have proposed a new kind of security mechanism that would, in essence, frisk new virtual machines as they entered the cloud. Software would monitor each one to see how it operates and ensure its integrity, in part by exploring its code. Such technologies could be ready for market within two or three years.
Traditional IT is complex to deploy and carries high overhead costs …
Sources: Merrill Lynch
But fully ensuring the security of cloud computing will inevitably fall to the field of cryptography. Of course, cloud users can already encrypt data to protect it from being leaked, stolen, or–perhaps above all–released by a cloud provider facing a subpoena. This approach can be problematic, though. Encrypted documents stored in a cloud can’t easily be searched or retrieved, and it’s hard to perform calculations on encrypted data. Right now, users can get around these problems by leaving their information in the cloud unencrypted (“in the clear”) or pulling the encrypted material back out to the safety of their own secure computers and decrypting it when they want to work with it. As a practical matter, this limits the usefulness of clouds. “If you have to actually download everything and move it back to its original place before you can use that data, that is unacceptable at the scale we face today,” says Kristin Lauter, who heads the cryptography research group at Microsoft Research.
Emerging encryption technologies, however, could protect data in clouds even as users search it, retrieve it, and perform calculations on it. And this could make cloud computing far more attractive to industries such as banking and health care, which need security for sensitive client and patient data. For starters, several research groups have developed ways of using hierarchical encryption to provide different levels of access to encrypted cloud data.
… but cloud computing services are highly efficient, which is one reason they’re growing fast.
Worldwide IT Spending Projections, In Billions
A patient, for example, could hold a master key to his or her own electronic medical records; physicians, insurers, and others could be granted subkeys providing access to certain parts of that information.
Ideally, we’d make it more practical to work with sensitive data that needs to be encrypted, such as medical records, so that unintended viewers couldn’t see it if it were exposed by a hack or a glitch at the cloud provider. “The general theme of cloud computing is that you want to be able to outsource all kinds of functionality but you don’t want to give away your privacy–and you need very versatile cryptography to do that,” says Craig Gentry, a cryptography researcher at IBM’s Watson Research Center in Yorktown, NY. “It will involve cryptography that is more complicated than we use today.”
Until questions about privacy and security are dealt with, however, companies will continue to reserve cloud services for the least sensitive tasks.
How Public Cloud Services Are Used
Sources: 451 Group
To find and retrieve encrypted documents, groups at Carnegie Mellon University, the University of California, Berkeley, and elsewhere are working on new search strategies that start by tagging encrypted cloud-based files with encrypted metadata. To perform a search, the user encrypts search strings using mathematical functions that enable strings to find matches in the encrypted metadata. No one in the cloud can see the document or even the search term that was used. Microsoft Research recently introduced a theoretical architecture that would stitch together several crytographic technologies to make the encrypted cloud more searchable.
The problem of how to manipulate encrypted data without decrypting it, meanwhile, stumped researchers for decades until Gentry made a breakthrough early in 2009. While the underlying math is a bit thick, Gentry’s technique involves performing calculations on the encrypted data with the aid of a mathematical object called an “ideal lattice.” In his scheme, any type of calculation can be performed on data that’s securely encrypted inside the cloud. The cloud then releases the computed answers–in encrypted form, of course–for users to decode outside the cloud. The downside: the process eats up huge amounts of computational power, making it impractical for clouds right now. “I think one has to recognize it for what it is,” says Josyula Rao, senior manager for security at IBM Research. “It’s like the first flight that the Wright Brothers demonstrated.” But, Rao says, groups at IBM and elsewhere are working to make Gentry’s new algorithms more efficient.
Risks and Benefits
If cloud computing does become secure enough to
Hear more from IBM at EmTech 2014.