Trusted Computing Group

Every client survey shows that security is the single biggest concern about moving to Cloud Computing. But at the same time, PricewaterhouseCoopers worries that companies don't give security enough consideration. "How do we make sure that people who are considering moving into the Cloud give the right level of importance to security? This article was first published by, and is reprinted here with kind permission of, Raconteur (Enterprise Cloud Computing, the Times, 20 July 2010). For more information on special reports in The Times Newspaper, call Dominic Rodgers on +44 207 033 2106.That's an area that concerns us greatly," says William Beer, Director of PcW's OneSecurity. On first consideration it seems very strange that we are not adequately concerned about what we all agree is our greatest concern. How can this be?

One possible reason for this apparent anomaly is that people believe they already understand the security issues and simply need to translate their current defences to the cloud. Our worry is not about the security per se, but that we have to trust the security of the service provider; and that's a difficult thing to do. In doing this, Beer believes we are missing a vital aspect. "When we ask difficult questions about the legal and regulatory issues, both clients and also the providers struggle to provide the right level of answers, because some of these issues haven't ever been dealt with before."

So, the real issue about Cloud Computing is not simple security. "When it comes to security in the cloud," agrees Rashmi Tarbatt, RSA's chief security architect EMEA, "it's not anything new; it's not security that we don't know; the main concern is compliance." The secret to being secure in the cloud is, then, combining the security we understand with legal and regulatory requirements we have never faced before. This is what we need to address.

Compliance is all about protecting personally identifiable information, commonly known as PII, from unauthorised people. In its simplest form, this means encryption; and American courts will probably accept that adequately encrypted PII cannot be deemed lost, wherever it is, and even if it is physically or logically ‘lost'. This is complicated by EU regulations which say that PII mustn't simply be safe, it must not be stored at (or even pass through) geographic locations that do not have similar data protection requirements to the EU itself. In other words, to really comply with EU regulations, PII data must be both encrypted and kept within the EU.

Now we can begin to see PcW's concerns. How can we ensure the geographic location of data that is stored for us by a third-party on virtual machines somewhere in the cloud? It gets worse. "If you don't know where your data is, you have no basis for concluding that it is safe," says Jay Heiser, a research vice president at Gartner. So even the technology we thought we understood is not good enough on its own.

Encryption can certainly go some way to solving the compliance issues, "however," agrees Beer, "it also introduces a whole series of new problems - such as latency, interoperability, and administration of the keys."

"And if the platform gets pwned," adds Heiser (and remember we're talking about a virtual platform on a remote computer you don't own and can't geographically locate), "you've lost the keys; so encryption can't work if you don't have a way to securely control access to the keys. You have to find some way so that you can trust the platform. When encryption shines, it really shines - but it doesn't always shine." Especially in the cloud.

These are the really difficult questions posed by compliance in the cloud: controlling the geographic location of the data, and ensuring trust in encryption. "So the trick," adds Beer, "is to get the balance right between recognising that there are some new challenges from a legal and regulatory aspect, and trying to understand which technologies can help mitigate those potential new risks."

There are indeed two emerging technologies that can solve this problem. The first is data tagging. "You have to make the data itself intelligent so that it knows where it can and cannot go," says Beer. The second is what is sometimes called the ‘hardware root-of-trust'. "You have to find some way so that you can trust the platform," says Heiser. "And that's what the hardware root-of-trust is all about."

The former is being provided now by EMC. The latter is rapidly evolving from the specifications of the Trusted Computing Group. This involves the use of special secure chips, such as Intel's Trusted Execution Technology, being embedded within the servers. These hold a trusted profile for the server, and they examine, measure and compare all of the processing components of the server with that trusted profile whenever the server is turned on or reset. Put simply, if your cloud provider is using such a system, there is nowhere on the server for malware to hide; and Jay Heiser's concern about the platform being ‘owned' by hackers is solved.

But this is just the beginning. Encryption key management can be built into this secure hardware layer, and geographic rules and policies for tagged data can be stored, going a long way to solving the dual problem of secure encryption and location storage that is necessary for EU regulatory compliance. RSA's Rashmi Tarbatt points out that Archer Technologies, Intel, RSA and VMware have already developed a proof-of-concept for a measured chain of trust, which demonstrates how to improve infrastructure-layer transparency and simplify security enforcement and compliance reporting for both internal clouds and private clouds. This chain of trust concept will move into the public cloud as providers adopt the technology to solve the problems of cloud security.

Neither PricewaterhouseCoopers nor Gartner are convinced that such technology is yet adequate, but both confirm that it is the way forward. So as you move into the cloud, be sure that you choose a methodology compatible with adopting intelligent data tagging for all PII data while it is en route to a service provider that can offer a platform with a built-in hardware root-of-trust that includes the best possible encryption and key management solutions possible. That way you will be able to achieve greater security in the cloud than most people currently have in their computer room.

Kevin Townsend, a freelance journalist and writer with more than 10 years experience in writing about security issues. He can be contacted via e-mail here.

"How to Achieve Greater Security in the Cloud Than Most People Have in the Computer Room", published by Raconteur Media, can be found here.