February 03, 2010, 1:27 PM — I've been thinking a lot about public cloud security lately. Not simply mulling the theoretical question of "is cloud more or less secure than my own infrastructure", but looking at practical approaches to cloud security. At Nemertes Research we have been "sipping our own champagne" (like eating dogfood, only less disgusting) by using cloud computing extensively. For several years we used the cloud for test and development and in mid-2009 we moved production servers into the cloud.
The risks in cloud computing can be quite different from on-premises computing. We have to secure our systems against at least three different angles of attack: those from the Internet; those from other "tenants"; and those from the cloud computing provider's staff.
The last point specifically can be the most challenging. No matter how well the provider has trained and vetted their staff, there is always the risk of an insider attack.
All of this brings us to the issue of trust. In security, trust is an intransitive relation with a specific hierarchy. What that means is that trust flows down a chain until it reaches the root of trust -- the foundation on which I have built my little tower of trust. I trust a door because I trust the lock because I trust the key because it is in my pocket. If I lose the key, the chain of trust unravels and I no longer trust the door.
In the cloud, I can set up layers upon layers of security, but the root cannot be within the cloud itself. Or by example, to trust the cloud, I have to pocket the key -- I cannot leave it under the doormat. This makes cloud security especially difficult. A simple example is SSL security. If I want to protect the data transported between the cloud and users, I could install an SSL certificate on the cloud server. But if the SSL certificate is on the server's files ystem, what would stop someone from stealing it? So now I have to encrypt the SSL certificate's private key. Where do I store the private key's passphrase? If I store it on the server I'm back at square one.
In fact, every cloud security problem can be peeled like an onion in this fashion. To secure X, I use Y; to secure Y, I use Z and so on. The problem is that no matter how deep I layer the onion, the root of the trust will still be on an untrusted system. The only way to solve this problem is by rooting the trust outside the cloud, introducing some kind of bootstrapping process where an external agent has to reach in and provide the root of trust (this doesn't solve the problem entirely, but that's a whole other article).