Security in the Cloud
A while back I blogged on security in the cloud – whose data is it in the cloud. I’ve recently been more interested in this topic and come across an article from the Application Development Trends.
In the article there was –predicted a “trust meltdown” for the security industry if that doesn’t change. “We have complex operations in place in tightly intertwined systems, and the processes are not well understood or analyzed, but they are widely used and trusted. That’s a recipe for disaster.”
But it did not proceed to explain what precisely these vulnerabilities are. I cannot discern whether this is simple fear mongering or if indeed, we are all little “Alices with a key” hoping our data is secure in the cloudy wonderland.
When we speak of the cloud, there are may different services from Software as a Service (SaaS) where you are sharing a common instance of an application and relying on the application or dbms security to prevent unauthorised access. To Virtual Private Servers (vps) in which instances of your own virtual machine builds are hosted in a cloud environment.
Virtual Private Servers (VPS)
When thinking about the cloud, I am usually thinking about extending compute capacity through use of Grid technology. The key concern generally is, the computations we’re sending to the Cloud use confidential data. But not just confidential data, the code or algorithm to be applied in the case of derivative pricing models, are proprietary as well. Furthermore, the nature of these applications requires complete control of the entire software stack from os to business logic layer. So having your own virtual machines is probably the most desirable model.
But is it safe?
I don’t think it is naive to believe that an instance of a hardened machine running amongst other virtual machines in a shared environment is secure. For example, if I have a virtual host with all but ssh disabled, I have ipfilter, etc… and I’ve been careful to manage my private key used to authenticate my ssh session, anything in that virtual machine is secure.
I believe it boils down to how secure a VM is from the other machines and/or the hypervisor or hosting environment is. Can you access the data of a VM other than via connecting to it via normal network protocols?
In Virtualization Security: What You Must Know, a series of steps required to secure your VMWare ESX environments is described. Daniel Petri speaks about a the sorts of vulnerabilities to look out for. My take on this is, VM’s are not automatically secure – like any environment, it’s up to diligence in a number of areas.
Next steps – Turnkey Grid Node
The security of VMs in a VPS environment is certainly interesting and a challenge to address before you go into the cloud. But next thing I’d like to explore with Liraz Siri at Turnkey Linux and see if they wouldn’t want to build us all a grid node appliance.