This article is part of an Essential Guide, our editor-selected collection of our best articles, videos and other content on this topic. Explore more in this guide:
2. - Best practices, tools for securing your cloud environment: Read more in this section
- Cloud, BYOD double-edged swords for IT security
- How enterprises can self-manage private cloud security
- The truth about open source cloud security
- Weighing Software as a Service encryption options
- Cloud computing security is all about automation
- Security as a Service flips cloud security conversation on its head
- Security as a Service enlists cloud-based service to police IaaS
- A planner's realistic guide to cloud data security
- Securing data with Authentication as a Service
- Best practices for global cloud privacy and security
- Researchers study O-RAM for future of cloud security
- How to use CSA STAR to evaluate cloud provider security
Explore other sections in this guide:
- 1. - Cloud computing security still halts enterprise adoption
- 3. - Aligning with compliance, security standards in the cloud
This article can also be found in the Premium Editorial Download "Modern Infrastructure: As SaaS outsourcing takes away data center tasks, what's left for IT teams?."
Download it now to read this article plus other related content.
Lack of security is often cited as a stumbling block by those businesses hesitant to move data and services to the cloud. That hasn't stopped plenty of enterprises, though.
But current methods of security -- namely encryption -- may not be cutting it. (See this summer's NSA PRISM surveillance program debacle for a prime example.) In general, software-based security isn't to be trusted, according to one MIT researcher, who's been working on designing a hardware component to better secure servers.
"Think of software security as just trusting millions of lines of code," said Srini Devadas, the Edwin Sibley Webster Professor of Electrical Engineering and Computer Science at MIT. "You don't know who wrote it, but it's really convenient to trust the code."
Cloud data security is largely based on various methods of encryption. Encryption can hide the exact data that's accessed or downloaded through websites or cloud-based software or services, but it can't hide that the access is happening, or the fact that a certain site is being accessed. That information -- those memory access patterns -- make it possible to see which sites a user is accessing, and when, regardless of whether encryption is being used. And those patterns can give away important information.
The work Devadas and some of his graduate students are doing (along with researchers from several other universities) focuses on hiding those memory access, or memory at rest, patterns.
The crux of the research project is Oblivious RAM, or O-RAM. In the past, there's been too much overhead associated with O-RAM to consider it for practical use.
"We invented a new kind of O-RAM," Devadas said. "We got the overheard down, and that is the academic contribution. To make this whole thing viable, you can't hide access patterns if every access turns into a million accesses. It would take forever to do any real work."
Cloud data security: From the lab to the data center
Current methods of security aren't enough, Devadas said. "People are not going to the level of doing encryption that they should to protect themselves." But the challenge with hardware security is that development and deployment take much longer than for software counterparts, he said.
And the road from academia to available product is paved with discarded ideas.
"The academic to commercial deployment gap is a really big gap," Devadas said. Some of his projects have simply stayed in the lab, though one started 10 years ago is just now being deployed. In the next year or so, Devadas and his team will focus on building their concept into a real silicon processor.
The MIT research announcement certainly comes at a good time -- or a bad one, from the perspective of software makers. This summer's NSA debacle shed light on the limits of encryption used for cloud security -- and sometimes, timing is everything for a concept to become reality.
"With security, things change quickly," Devadas said. "You never know. It suddenly becomes a problem."