Cloud computing services, such as Amazon’s EC2 and Google Apps, are booming. But are they secure enough? Friday’s ACM Cloud Computing Security Workshop in Chicago was the first such event devoted specifically to cloud security.
Speakers included Whitfield Diffie, a cryptographer and security researcher who, in 1976, helped solve a fundamental problem of cryptography: how to securely pass along the “keys” that unlock encrypted material for intended recipients.
Diffie, now a visiting professor at Royal Holloway, University of London, was until recently a chief security officer at Sun Microsystems. Prior to that he managed security research at Northern Telecom. He sat down with David Talbot, Technology Review’s chief correspondent.
Technology Review: What are the security implications of the growing move toward cloud computing?
Whitfield Diffie: The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn’t apply if we were flying our own planes. On the other hand, it is so much more economical that we don’t realistically have any alternative.
TR: The analogy is interesting, but air travel is fairly safe. So how serious are today’s cloud computing security problems, really?
WD: It depends on your viewpoint. From the view of a broad class of potential users it is very much like trusting the telephone company–or Gmail, or even the post office–to keep your communications private. People frequently place confidential information into the hands of common carriers and other commercial enterprises.
There is another class of user who would not use the telephone without taking security precautions beyond trusting the common carrier. If you want to procure storage from the cloud you can do the same thing: never send anything but encrypted data to cloud storage. On the other hand, if you want the cloud to do some actual computing for you, you don’t have that alternative.
TR: What about all of the interesting new research pointing the way to encrypted search and even encrypted computation in the cloud?
WD: The whole point of cloud computing is economy: if someone else can compute it cheaper than you can, it’s more cost effective for you to outsource the computation. It has been shown to be possible in principle for the computation to be done on encrypted data, which would prevent the person doing the computing from using your information to benefit anyone but you. Current techniques would more than undo the economy gained by the outsourcing and show little sign of becoming practical. You can of course encrypt the data between your facility and the elements of the cloud you are using. That will protect you from anyone other than the person doing the computing for you. You will have to choose accountants, for example, whom you trust.
TR: If a full cryptographic solution is far-off, what would a near-term solution look like?
WD: A practical solution will have several properties. It will require an overall improvement in computer security. Much of this would result from care on the part of cloud computing providers–choosing more secure operating systems such as Open BSD and Solaris–and keeping those systems carefully configured. A security-conscious computing services provider would provision each user with its own processors, caches, and memory at any given moment and would clean house between users, reloading the operating system and zeroing all memory.
An important component of security will be the quality of the personnel operating the data centers: good security training and appropriate security vetting. A secure data center might well be administered externally, allowing a very limited group of employees physical access to the computers. The operators should not be able to access any of the customer data, even as they supervise the scheduling and provisioning of computations.
TR: Would any public-policy moves help or hurt the situation?
WD: A serious potential danger will be any laws intended to guarantee the ability of law enforcement to monitor computations that they suspect of supporting criminal activity. Back doors of this sort complicate security arrangements with two devastating consequences. Complexity is the enemy of security. Once Trojan horses are constructed, one can never be sure by whom they will be used.