Private Virtual Infrastructure proposed to address cloud security issues

Article

Private Virtual Infrastructure proposed to address cloud security issues

Mark Brownstein, Contributor
SAN DIEGO - The issue of the security of a company's data when communicating over a cloud was a major topic addressed in a number of papers presented at the HotCloud '09 workshop held at the recent USENIX conference. A paper entitled "Private Virtual Infrastructure for Cloud Computing", presented by F. John Krautheim from the University of Maryland, Baltimore County, presented an approach that proposed what the author calls a Private Virtual Infrastructure.

The privacy and security issues that concern enterprises, schools and organizations wanting to take advantage of cloud computing were addressed in other papers given at the workshop, a few of which are further discussed here (

    Requires Free Membership to View

    Login

    When you register, my team of editors will also send you alerts about public, private and hybrid cloud computing as well as other related technologies.

    Cathleen A. Gagne, Senior Editorial Director

    By submitting your registration information to SearchCloudComputing.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchCloudComputing.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

CloudNet and Trusted Cloud Computing).

The approach presented by Krautheim implements what he calls a Private Virtual Infrastructure (PVI). A PVI is described as a "virtual datacenter [sic] over the existing cloud infrastructure." The data center is "under the control of the information owner" the paper says, while the fabric is under the control of the operator (of the cloud service).

Both the client and the service provider are required to share certain types of security information, and service level agreements (SLAs) can further define the roles and responsibilities of all parties in the agreement. The paper proposed that every service in the cloud must be able to report security properties, and that the properties must be cryptographically bound and signed.

Five basic tenets are described as essential to cloud security:

  • A trusted foundation on which to build a PVI must exist.
  • A 'secure factory' must be provided to provision the PVI. This 'factory' will also serve as a policy decision point and root authority for PVI.
  • A measurement mechanism should be provided to validate the security of the fabric before provisioning the PVI. Krautheim refers to this as a secure factory.
  • A measurement mechanism to validate the security of the fabric should be in place before provisioning PVI.
  • Secure methods for shutdown and destruction of virtual devices in a PVI should be in place to prevent object reuse attacks.
  • The PVI should be continuously be monitored both from within and from out side of the PVI, using intrusion detection and other devices.

The paper goes into detail regarding each of the five tenets listed above. Krautheim argues that service providers who offer a transparent view of their infrastructures so that customers can understand the vendor's security posture will have a competitive advantage over vendors who obscure their security structure's inner workings.

"In the end, cooperation between vendor and customer will result in increased security while lowering the overall cost of ownership for IT infrastructure," the paper concludes.