"Computing may some day be organized as a public utility, just as the telephone system is a public utility," Massachusetts Institute of Technology (MIT) computer science pioneer John McCarthy noted in 1961.
We aren't quite there yet, but cloud computing brings us close. Clouds are all the rage today, promising convenience, elasticity, transparency, and economy. But with the many benefits come thorny issues of security and privacy.
The history of computing since the 1960s can be viewed as a continuous move toward ever greater specialization and distribution of computing resources. First we had mainframes, and security was fairly simple. Then we added minicomputers and desktop and laptop computers and client-server models, and it got more complicated. These computing paradigms gave way in turn to n-tier and grid computing and to various types of virtualization.
As hardware infrastructures grew more complicated and fragmented, so did the distribution of software and data. There seemed no end to the ways that users could split up their computing resources, and no end to the security problems that arose as a result. Part of the problem has been one of moving targets: just as one computing paradigm seemed solid, a new, more attractive one beckoned.
In a sense, cloud computing simplifies security issues for users by outsourcing them to another party, one that is presumed to be highly skilled at dealing with them. Cloud users may think they don't have to worry about the security of their software and data anymore, because they're in expert hands.
But such complacency is a mistake, say researchers at Hewlett-Packard (HP) Laboratories in Bristol, U.K. They are prototyping Cells as a Service, by which they hope to automate security management in the cloud. A cell, managed as a single administrative domain using common security policies, contains a bundle of virtual machines, storage volumes, and networks running across multiple physical machines. Around the cells HP inserts various sensors, detectors, and mitigators that look for viruses, intrusions, and other suspicious behavior. Virtualization enables these agents to be very close to the action without being part of it or observed by it, according to HP.
"People often think of virtualization as adding to security problems, but it is fundamentally the answer to a lot of those problems," says Martin Sadler, director of HP's Systems Security Lab. "You can do all sorts of things you can't do when these things are physical machines." For example, the sensors can watch CPU activity, I/O patterns, and memory usage and, based on models of past behavior, recognize suspicious activity. They can also assess the probability of certain events happening and take action accordingly. They might, for instance, throttle back the CPU, stop all I/O to a virtual machine (VM), or take a clone of the VM and move it elsewhere for evaluation. Agents could be deployed by cloud users, cloud service providers, or third parties such as a virus protection company, Sadler says.
But these agents introduce their own management challenges. There might be as many as 30 agents, interacting in various ways and with varying drains on system resources. HP Labs is developing analytic tools that can generate playbooks that script system behavior. These templates, tailorable by users, employ cost/benefit analyses and reflect what is most important to users and what cost they are willing to bear for various types of protection.
IBM Research is pursuing a similar approach called "virtual machine introspection." It puts security inside a protected VM running on the same physical machine as the guest VMs running in the cloud. The security VM employs a number of protective methods, including the whitelisting and blacklisting of guest kernel functions. It can determine the operating system and version of the guest VM and can start monitoring a VM without any beginning assumption of its running state or integrity.
Instead of running 50 virus scanners on a machine with 50 guest VMs, virtual machine introspection uses just one, which is much more efficient, says Matthias Schunter, a researcher at IBM Research's Zurich lab. "Another big advantage is the VM can't do anything against the virus scan since it's not aware it's being scanned," he says.
Another variation, called "lie detection," puts a tiny piece of software inside the VM to look at the list of running processes as seen by the user. Introspection software outside the VM can reliably determine all the processes actually running on the VM; if there is any difference between the two lists, some malware, such as a rootkit, is suspected of running on the VM.
Looking from both within the VM and without, the lie detector can also compare the lists of files on disk, the views of open sockets, the lists of loaded kernel modules, and so on. "Each of these lie tests improves the chances of detecting potential malware, but none of them can prove that no malware exists," says IBM researcher Klaus Julisch.
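As an added illustration, not IBM's code, this is the cross-view comparison the lie detector performs, generalized to any inventory both the in-guest agent and the introspection layer can report (processes, sockets, kernel modules). The two snapshots are constructed; only objects visible from outside but missing inside count as the rootkit signal.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    view: str              # which inventory disagreed (processes, sockets, ...)
    hidden: frozenset      # seen by introspection, absent from the guest's view
    phantom: frozenset     # claimed by the guest, not found by introspection


def lie_detect(inside: dict[str, set], outside: dict[str, set]) -> list[Finding]:
    """Compare every inventory both sides report; return only the disagreements."""
    findings = []
    for view in sorted(set(inside) & set(outside)):
        hidden = outside[view] - inside[view]
        phantom = inside[view] - outside[view]
        if hidden or phantom:
            findings.append(Finding(view, frozenset(hidden), frozenset(phantom)))
    return findings


def suspected_rootkit(findings: list[Finding]) -> bool:
    """Hidden objects are the rootkit signal. Phantoms alone are more likely a
    race between the two snapshots and only warrant taking them again."""
    return any(f.hidden for f in findings)


# Constructed snapshots: the guest's own view omits one process, the port it
# listens on, and the kernel module that hides them.
GUEST_VIEW = {
    "processes": {(1, "init"), (412, "sshd"), (977, "nginx")},
    "sockets": {("tcp", 22), ("tcp", 443)},
    "kernel_modules": {"ext4", "e1000"},
}
INTROSPECTION_VIEW = {
    "processes": {(1, "init"), (412, "sshd"), (977, "nginx"), (1303, "kworker")},
    "sockets": {("tcp", 22), ("tcp", 443), ("tcp", 8443)},
    "kernel_modules": {"ext4", "e1000", "unlisted_mod"},
}

if __name__ == "__main__":
    results = lie_detect(GUEST_VIEW, INTROSPECTION_VIEW)
    for f in results:
        print(f"{f.view}: hidden={sorted(f.hidden)} phantom={sorted(f.phantom)}")
    print("rootkit suspected:", suspected_rootkit(results))
```

As Julisch notes in the text, a clean comparison proves nothing; a disagreement is a strong signal, an agreement is merely the absence of one.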
In a third application, a virtual intrusion detection system runs inside the physical machine to monitor traffic among the guest VMs. The virtual networks hidden inside a physical machine are not visible to conventional detectors because the detectors usually reside in a separate machine, Schunter says.
Indeed, snooping between VMs inside a machine was shown to be a real possibility by researchers last year. Computer scientists Thomas Ristenpart, Hovav Shacham, and Stefan Savage at the University of California, San Diego and Eran Tromer at MIT proved it was possible for an adversary to get his or her VM co-located with a target's VM on a cloud's physical machine 40% of the time. In a paper, "Hey, You, Get Off of My Cloud," they showed how the adversary could launch a side-channel attack based on the VM's sharing of physical resources such as CPU data caches. The researchers also outlined a number of mitigation steps, but concluded the only practical and foolproof protection is for cloud users to require that their VMs run on dedicated machines, which is potentially a costly solution.
Encryption is sometimes seen as the ultimate security measure, but it also presents difficulties in the cloud. At present, processing encrypted data means downloading it and decrypting it for local use and then possibly uploading the results, which is a cumbersome and costly process.
The ability to process encrypted data in place has been a dream of cryptographers for years, and some progress is now being made. Last year, Craig Gentry, first at Stanford University and then at IBM Research, proved it is possible to perform certain operations on data without first decrypting it. The technique, called "fully homomorphic encryption," was hailed as a conceptual breakthrough, but is so computationally demanding that practical applications are years away, experts say.
Meanwhile, the more limited ability to search encrypted data is closer to reality. In "Cryptographic Cloud Storage," a paper published earlier this year, researchers Seny Kamara and Kristin Lauter of Microsoft Research described a virtual private storage service that aims to provide the security of a private cloud and the cost savings of a public cloud. Data in the cloud remains encrypted, and hence protected from the cloud provider, court subpoenas, and the like. Users index their data, then upload the data and the index, which are both encrypted, to the cloud. As needed, users can generate tokens and credentials that control who has access to what data.
Given a token for a keyword, an authorized user can retrieve pointers to the encrypted files that contain the keyword, and then search for and download the desired data in encrypted form. Unauthorized observers can't know anything useful about the files or the keywords.
The experimental Microsoft service also offers users "proof of storage," a protocol by which a server can prove to a client that it did not tamper with its encrypted data. The client encodes the data before uploading it and can verify the data's integrity at will.
Not all cloud security risks arise from technology, says Radu Sion, a computer science professor at Stony Brook University. There is scant legal or regulatory framework, and few precedents, to deal with issues of liability among the parties in cloud arrangements, he notes. "What happens when your data is on a server in China but you outsourced to a cloud service in New York?" asks Sion. "Or what if you have the legal resources to fight a subpoena for your data, but they subpoena your cloud provider instead? You will be under scrutiny for moving to the cloud by your shareholders and everyone else."
Nevertheless, Sion says all but the most sophisticated enterprises will be safer putting their computing resources in the expert hands of one of the major cloud providers. "Companies like Google and Amazon and Microsoft have hundreds of people devoted to security," he says. "How many do you have?"
Christodorescu, M., Sailer, R., Schales, D., Sgandurra, D., and Zamboni, D.
Cloud security is not (just) virtualization security, Proceedings of the 2009 ACM Workshop on Cloud Computing Security, Chicago, IL, Nov. 13, 2009.
Gentry, C.
Fully homomorphic encryption using ideal lattices, Proceedings of the 41st Annual ACM Symposium on Theory of Computing, Bethesda, MD, May 31-June 2, 2009.
Kamara, S. and Lauter, K.
Cryptographic cloud storage, Proceedings of Financial Cryptography: Workshop on Real-Life Cryptographic Protocols and Standardization, Tenerife, Canary Islands, Spain, January 25-28, 2010.
Ristenpart, T., Tromer, E., Shacham, H., and Savage, S.
Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds, Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, IL, Nov. 9-13, 2009.
Shi, E., Bethencourt, J., Chan, T.-H., Song, D., and Perrig, A.
Multi-dimensional range query over encrypted data, Computer Science Technical Report CMU-CS-06-135R, Carnegie Mellon University, March 2007.
©2010 ACM 0001-0782/10/1100 $10.00