DeepSec 2014 Talk: Trusting Your Cloud Provider – Protecting Private Virtual Machines
The „Cloud“ technology has been in the news recently. No matter if you use „The Cloud™“ or any other technology for outsourcing data, processes and computing, you probably don’t want to forget about trust issues. Scattering all your documents across the Internet doesn’t require a „Cloud“ provider (you only need to click on that email with the lottery winnings). Outsourcing any part of your information technology sadly requires a trust relationship. How do you solve this problem? Armin Simma of the Vorarlberg University of Applied Sciences has some ideas and will present them at DeepSec 2014.
Th presentation shows a combination of technologies on how to make clouds trustworthy. One of the top inhibitors for not moving (virtual machines) to the cloud is security. Cloud customers do not fully trust cloud providers. The problem with sending virtual machines to the cloud is that „traditional“ encryption is no solution because encrypted data (equal to code in our case) can not be executed. Taking a closer look at the numerous surveys about cloud adoption (and at inhibitors for not moving to the cloud) it can be seen that insider attacks are ranked in the top critical attacks. The insider in our scenario is the administrator (or a user with high/elevated privileges).
The key point is: the cloud customer is not trusting the administrator of the cloud provider’s system.
The solution to this problem is based on
Mandatory Access Control is used to prevent the administrator – who must be able to administer and thus access the host system – from accessing Virtual Machines running on top of the cloud provider’s system(s). Our system is able to log all activities of users. Users (including the administrator himself/herself) are not able to manipulate this log.
The former technology – Trusted Computing – is used as a mechanism for giving the cloud customer a proof that the system hosting his Virtual Machines (= the cloud provider’s infrastructure) was not manipulated. The proof is hardware-based: it prevents several kinds of attacks e.g. rootkits or other BIOS-manipulating attacks. The proof is based on measuring all systems (system parts) which were executed since boot time of the physical machine. Each part is measured before execution. This „measurement chain“ is called Trusted Boot. A standardised tamper-resistant hardware (the TPM) plus a standardized protocol allows for the proof to the customer. The proof is called attestation.
A second technology used for securing the cloud is Trusted Computing’s sealing mechanism. Sealing is an extension of asymmetric encryption: the decryption is done within the hardware (TPM) but only if the current measurement values are equal to predefined reference values. The reference values are defined by the cloud customer and specify a known good system plus system configuration . These techniques (Trusted Boot, Attestation, Sealing) allow the cloud customer to be sure that a specific (trustworthy) system is running on the provider’s site.
Armin’s talk is of interested to implementers and users of „Cloud“ infrastructure alike. In case you are playing with Trusted Computing, you should attend his talk as well.