Handing sensitive data over to a cloud computing provider makes many companies skittish. But new software, called HomeAlone, could help them come to terms with using such services.
Cloud computing can save companies money by providing inexpensive, flexible storage and processing resources that are managed for them. All the same, many companies remain hesitant to turn their data over to a third party.
Cloud computing platforms provide a single point of entry for large amounts of company data, and providers often host customers’ data in virtual environments that span many different machines. Researchers say this architecture could be exploited to gain access to private data.
Some organizations, such as NASA, demand that cloud providers store their data on machines that no one else uses. But even that is not enough of a guarantee for some. Until now, it’s been almost impossible to verify that sensitive data is indeed isolated.
HomeAlone, which will be presented in May at the IEEE Symposium on Security and Privacy, takes a first step toward assuring companies that their data is secure. The software lets companies that ask for their data to be stored in physical isolation to verify that it is, in fact, alone on a server.
Michael Reiter, a professor of computer science at the University of North Carolina who was involved with the work, says he and his collaborators chose to support the most extreme case—where data and processing are so sensitive they must be separated from everyone else’s.
Cloud computing companies use virtual machines so that software can run on any piece of hardware. Multiple virtual machines can run on the same server, but it’s hard for a customer to know when this is occurring. So cloud customers have been unable to tell whether their data is at risk or may have been compromised.
“People now trust the cloud provider to configure the computing environment correctly based on the service-level agreement, but there’s no way to verify that,” says Alina Oprea, a research scientist at RSA Laboratories who was involved with the work. HomeAlone can confirm that data is alone on a server without requiring cooperation from the cloud provider. It detects the presence of any unexpected virtual machines on the server, whether those are attackers trying to steal data or simply virtual machines that have ended up there by mistake.