Improving the Security of Cloud Computing
Solutions emerge to guard against attacks and data loss in the cloud.
On-demand cloud computing and data storage can save companies money, but many businesses—particularly in finance and health care—are wary of handing data to third parties, fearing hacking, accidental data loss, or theft by rogue employees of cloud providers.
New security solutions are appearing: One verifies cloud providers’ claims that your data is safely lodged on its own server. Another protects your cloud-based data by using a math function to divide it into 16 segments, any 10 of which can be used to re-create the entire original set.
The first of these solutions responds to recent demonstrations that hacking within clouds—using one set of rented computers or “virtual machines” to attack another—is theoretically possible. In 2009, computer scientists at the University of California, San Diego and MIT showed how an attacker using Amazon’s Elastic Compute Cloud could land on the same physical server as his intended victim. (In one method, they forced a hypothetical victim to hire more virtual machines by bombarding his website with traffic and then created attacking virtual machines at the same time. This put the two sets of machines on the same cloud server 40 percent of the time.)
The researchers also pointed out that attackers who sat on the same servers as victims could do things like monitor usage of shared physical resources, such as the server’s central processing unit (CPU), to infer information such as what kinds of programs the victim was running and how much Web traffic the victim was handling. These actions are known as “side-channel” attacks.
Amazon, in a move similar to ones made by other cloud providers, now offers a virtual private cloud service in which a customer is promised his own isolated server. Because customers are likely to want to confirm that they’re getting what they paid for, a group of researchers at RSA Laboratories, in Cambridge, Massachusetts, and the University of North Carolina at Chapel Hill has developed a verification method that involves monitoring a piece of shared server hardware called the CPU cache, which allows quick access to frequently tapped memory resources. The prototype technology lets a client monitor whether the CPU cache on its cloud server is doing anything beyond what would be expected by the client’s own computation. Such a discovery would suggest that someone else is sharing the server. “This allows you to check on your situation in the cloud,” says Thomas Ristenpart, a computer scientist at the University of Wisconsin, Madison, and a coauthor of the paper that described the Amazon weakness. “It’s a way of doing detection on when you actually have a physical server to yourself.”
The tool worked 85 percent of the time in tests and is being refined before commercialization or licensing, says Alina Oprea, a research scientist at RSA Labs, who cowrote the software. “The tenant can run this protocol without the help of the cloud provider. This would give them stronger guarantees,” she says. Similar approaches under development could monitor other shared hardware elements, such as hard drives, she adds.
Companies also want to ensure that their remotely stored information won’t be corrupted, lost, or stolen. Encrypting data before storing it can help, but this requires keeping track of encryption keys and monitoring new technologies for their potential to break the encryption. (On the plus side, a future system might allow you to actually compute with encrypted data, infeasible with current technology.)
These downsides of encryption can be avoided with a newly commercialized technology that provides a mathematical way of slicing your data into 16 parts before storing it. It employs a fancier version of algebraic equations (in which knowing two parts of an equation lets you solve for the third) to let you reconstitute your full data set from any 10 of those 16 slices.
This process does increase the amount of data you need to store by between 30 percent and 60 percent, but that’s more efficient than some encryption methods. And if you distribute your 16 slices among different storage providers, “you can build systems where you don’t have to trust the service providers,” says Chris Gladwin, CEO of Cleversafe, the Chicago company that launched the software late last year. “They can tamper, lose, or steal it and it doesn’t matter if they steal below a threshold.”
Other technologies are in the works to make cloud computing more secure, because no one doubts that as data moves to clouds, so will hackers and criminals. “Anyone can use Amazon,” Ristenpart says, “so criminals have access to it as well.”