On-demand cloud computing and data storage can save companies money, but many businesses—particularly in finance and health care—are wary of handing data to third parties, fearing hacking, accidental data loss, or theft by rogue employees of cloud providers.
New security solutions are appearing: One verifies a cloud provider’s claim that your data is safely lodged on a server of its own, not shared with other customers. Another protects your cloud-based data by using a math function to divide it into 16 segments, any 10 of which can be used to re-create the entire original set.
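The 16-segment scheme just described, as an added illustration rather than code from the article or from any product it mentions: the article does not name the math function, so this example assumes a Reed-Solomon-style polynomial code over the prime field GF(257), where each group of 10 data bytes becomes a polynomial evaluated at 16 points, and any 10 of those points determine the polynomial again. The sample record is constructed.

```python
# Added example: a 10-of-16 erasure code via polynomial interpolation over
# GF(257). Assumed construction; the article only says "a math function".
P = 257        # prime larger than 255, so every byte value is a field element
K, N = 10, 16  # K data symbols per group, N segments produced from each group


def _inv(a):
    """Modular inverse in GF(P) via Fermat's little theorem."""
    return pow(a, P - 2, P)


def encode(data: bytes):
    """Return N segments; segment i holds, for each group, the polynomial's value at x = i+1."""
    padded = data + b"\x00" * (-len(data) % K)   # every group gets exactly K coefficients
    segments = [[] for _ in range(N)]
    for g in range(0, len(padded), K):
        coeffs = padded[g:g + K]                  # c0 + c1*x + ... + c9*x^9
        for i in range(N):
            x, y = i + 1, 0
            for c in reversed(coeffs):            # Horner evaluation mod P
                y = (y * x + c) % P
            segments[i].append(y)
    return segments


def _solve_vandermonde(xs, ys):
    """Recover the K coefficients of the polynomial through K points by Gauss-Jordan elimination mod P."""
    m = [[pow(x, j, P) for j in range(K)] + [y] for x, y in zip(xs, ys)]
    for col in range(K):
        piv = next(r for r in range(col, K) if m[r][col])  # distinct xs => always found
        m[col], m[piv] = m[piv], m[col]
        inv = _inv(m[col][col])
        m[col] = [v * inv % P for v in m[col]]
        for r in range(K):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % P for a, b in zip(m[r], m[col])]
    return [row[K] for row in m]


def decode(available: dict, length: int) -> bytes:
    """Rebuild the original bytes from any K of the N segments, given as {segment_index: symbols}."""
    if len(available) < K:
        raise ValueError("need at least %d segments, have %d" % (K, len(available)))
    idx = sorted(available)[:K]                   # any K surviving segments suffice
    xs = [i + 1 for i in idx]
    out = bytearray()
    for g in range(len(available[idx[0]])):
        out.extend(_solve_vandermonde(xs, [available[i][g] for i in idx]))
    return bytes(out[:length])                    # drop the zero padding
```

Losing up to six of the sixteen segments (a failed or compromised storage node, for instance) costs nothing, while fewer than ten segments are not enough to reconstruct anything, which is exactly the property the article attributes to the scheme.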
The first of these solutions responds to recent demonstrations that hacking within clouds—using one set of rented computers or “virtual machines” to attack another—is theoretically possible. In 2009, computer scientists at the University of California, San Diego and MIT showed how an attacker using Amazon’s Elastic Compute Cloud could land on the same physical server as his intended victim. (In one method, they forced a hypothetical victim to hire more virtual machines by bombarding his website with traffic and then created attacking virtual machines at the same time. This put the two sets of machines on the same cloud server 40 percent of the time.)
The researchers also pointed out that attackers who sat on the same servers as victims could do things like monitor usage of shared physical resources, such as the server’s central processing unit (CPU), to infer information such as what kinds of programs the victim was running and how much Web traffic the victim was handling. These actions are known as “side-channel” attacks.
Amazon, in a move similar to ones made by other cloud providers, now offers a virtual private cloud service in which a customer is promised his own isolated server. Because customers are likely to want to confirm that they’re getting what they paid for, a group of researchers at RSA Laboratories, in Cambridge, Massachusetts, and the University of North Carolina at Chapel Hill has developed a verification method that involves monitoring a piece of shared server hardware called the CPU cache, which allows quick access to frequently tapped memory resources. The prototype technology lets a client monitor whether the CPU cache on its cloud server is doing anything beyond what would be expected by the client’s own computation. Such a discovery would suggest that someone else is sharing the server. “This allows you to check on your situation in the cloud,” says Thomas Ristenpart, a computer scientist at the University of Wisconsin, Madison, and a coauthor of the paper that described the Amazon weakness. “It’s a way of doing detection on when you actually have a physical server to yourself.”