SAN DIEGO - At the recent HotCloud '09 workshop, the Max Planck Institute for Software Systems (MPI-SWS) presented a paper on protecting data as it travels from an enterprise to be stored on an IaaS provider. The paper, titled "Towards Trusted Cloud Computing", proposed a design the authors called a Trusted Cloud Computing Platform (TCCP).
In addition to this paper, there were two other presentations on this topic. A Private Virtual Infrastructure (PVI) was proposed to address enterprise concerns about cloud computing security issues and CloudNet was proposed to resolve current enterprise concerns about safe cloud computing. The three presentations offer a look at the content of this workshop that was held the day before the USENIX conference.
Of all the security threats facing digital information, insider attacks are still the biggest problem. One such threat is that someone working inside an IaaS provider could compromise data by rerouting traffic that is being processed from a secure virtual machine to a different, less secure machine. It is a risk cloud providers are working to minimize.
A Trusted Cloud Computing Platform (TCCP) provides "the abstraction of a closed box execution environment for a customer's VM", according to a presentation by MPI-SWS. It enables the customer to verify, before sending data, that the computation at the service provider will run securely. The TCCP "guarantees the confidentiality and the integrity of a user's VM, and allows a user to determine up front whether or not the IaaS enforces these properties."
This paper, while mostly theoretical in scope, proposed two components that enable the security: a trusted virtual machine monitor (TVMM) and a trusted coordinator (TC). The TVMM hosts the customer's virtual machines and prevents privileged users (at the IaaS) from inspecting or modifying them.
Trusted platform module (TPM) chips are components of TCCP. Now being bundled into commodity hardware, they provide unique identification and a public endorsement key, plus capabilities that are specific to the machine on which the chip has been installed. They help assure that the devices being addressed actually are those devices. These chips are an important element that the TVMM uses to manage security.
The TC manages the set of nodes that can run the customer's VMs securely. Its services can be provided by a third party and do not have to be handled by the enterprise customer or the IaaS provider. These nodes, referred to as trusted nodes, are located within the security perimeter and run the TVMM. The trusted coordinator maintains a record of the nodes within the security perimeter.
A complex series of public and private key exchanges between the elements in the TCCP assures that the security concerns of the enterprise customer are addressed. According to the paper, "TCCP guarantees confidential execution of guest VMs, and allows users to attest to the IaaS provider and determine if the service is secure before they launch their VMs."
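The coordinator's role described above can be sketched as follows. This is an added illustration, not the protocol from the MPI-SWS paper: the class and function names, node ids and measurement values are constructed, and a per-node HMAC key stands in for the signature a real TPM would produce with an asymmetric key.

```python
import hashlib, hmac, secrets

# Constructed value: hash of the TVMM build the coordinator expects on every
# trusted node. An HMAC key per node stands in for the TPM's signing key.
TRUSTED_TVMM = hashlib.sha256(b"tvmm-build-constructed").hexdigest()

def quote(key, nonce, measurement):
    """Node side: bind the boot measurement to the coordinator's nonce."""
    return hmac.new(key, nonce + measurement.encode(), hashlib.sha256).digest()

class TrustedCoordinator:
    """Keeps the record of nodes inside the security perimeter."""
    def __init__(self, expected_measurement):
        self.expected = expected_measurement
        self.node_keys = {}   # node id -> key standing in for the TPM key
        self.pending = {}     # node id -> outstanding single-use nonce

    def register(self, node_id, key):
        self.node_keys[node_id] = key

    def challenge(self, node_id):
        self.pending[node_id] = secrets.token_bytes(16)
        return self.pending[node_id]

    def verify(self, node_id, measurement, tag):
        key = self.node_keys.get(node_id)
        nonce = self.pending.pop(node_id, None)   # a nonce is never reused
        if key is None:
            return "reject: node not in trusted set"
        if nonce is None:
            return "reject: no fresh challenge"
        if not hmac.compare_digest(quote(key, nonce, measurement), tag):
            return "reject: bad quote"
        if measurement != self.expected:
            return "reject: untrusted platform"
        return "trusted"

def demo():
    """Honest node, replayed quote, modified hypervisor, unregistered node."""
    tc, key = TrustedCoordinator(TRUSTED_TVMM), secrets.token_bytes(32)
    tc.register("node-a", key)
    other = hashlib.sha256(b"other-vmm-constructed").hexdigest()
    tag = quote(key, tc.challenge("node-a"), TRUSTED_TVMM)
    results = [tc.verify("node-a", TRUSTED_TVMM, tag),
               tc.verify("node-a", TRUSTED_TVMM, tag)]
    nonce = tc.challenge("node-a")
    results.append(tc.verify("node-a", other, quote(key, nonce, other)))
    tc.challenge("node-x")
    results.append(tc.verify("node-x", TRUSTED_TVMM, b""))
    return results
```

A customer-facing check would only launch a VM on a node for which the coordinator returns "trusted".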
TCCP is, at this point, more theory than product. The authors report that they are planning to implement a fully functional prototype.
At this time, it is not clear which approach in the papers presented at HotCloud '09 will ultimately provide the key to delivering secure computing services. What is clear, however, is that the interest of enterprise IT in IaaS is growing and academics are working on solving its security issues.