I'm beginning to think that fears about cloud security are overblown. The reason: an intellectual framework is already in place for protecting data, applications and connections. It's called encryption. What's evolving now, and isn't anywhere near fully baked, is a set of agreed-upon implementations and best practices. Today's post talks about some relevant and interesting work from Trend Micro and from IBM.
Along with the leadership we're seeing from Trend Micro and IBM, it's only fair to add that most of the security vendors and cloud-service providers themselves are researching this stuff. (I'll cover those efforts in future posts.) One impediment in writing about cloud security is that people tend to be closed-mouth, because of the seriousness of security, as per the old phrase: "If I tell you, then I'd have to kill you."
From my perspective, as I've started blogging about cloud security -- see "Cloud Security In Focus Amid Data Theft Fears" -- I've begun to see up close this reluctance of experts to provide deep data dumps. (A corollary is that those who don't know tend to be voluble.)
Quite apart from the fact that chatter is antithetical to the security and intelligence-community ethos (not always, though), there's so much disparate activity it's hard to get a holistic understanding of where things are headed. Thus, my funneling everything into the encryption bucket is an attempt to summarize and make some sense of where the nexus of activity lies.
So, while I've been hoping to pull together comprehensive posts, I can see what I'm going to have to do is offer up incomplete bits and pieces, blogging about this stuff as I get wind of it. Accordingly, here are three interesting, albeit very loosely connected, items:
Encryption is already being used
First, here's a heads up I got from one reader (as a comment to my earlier post), about his use of encryption to secure his cloud connections:
"I can only speak from experience using Amazon Web Services since early 2006, but all the tools are there if only they are used. For instance you can have rotating keys and my favorite is private VPNs. If you have a good working security structure in place you can now use a private VPN from within your existing system to scale cloud resources without opening your system to the outside.
These are a lot of the same issues we faced when we hooked up those pesky LANs to the transactional mainframe systems via SNA gateways in the early 80's."
Improved cloud encryption techniques are being researched
My contacts at Trend Micro have hinted at some conceptual work they're doing, for future delivery at an unspecified date (i.e., I want to make clear that they're not yet talking productization), on an encryption scheme for public cloud computing. The work is based on technology from Identum Ltd., a British startup incubated at Bristol University, which Trend Micro acquired in 2008. Identum's work has formed the basis for the e-mail encryption solutions currently offered by Trend.
Identum's encryption expertise is now in play in this cloud research. The basic, and very powerful, idea is to apply encryption agents to every virtual computing instance. Thus, every VM would have its own resident manager to ensure the proper application of encryption security resources.
The big win here is you'd have, in essence, automated application of security policies everywhere. Thus, you'd have cryptographic key management built into the process and also no worry about unprotected VM instances among your computing resources.
The key issue
As a transition between the Trend Micro item and this one on IBM, I should mention that management of cryptographic keys is by no means a trivial thing. When you think about it, all of your cloud security rests on being able to generate and hand out those keys, while keeping them out of the hands of bad guys. Hackers aren't going to be able to break your keys; what they'll do to breach your security is to steal them instead.
Which leads into the IBM research on homomorphic encryption. (See the press release, IBM Researcher Solves Longstanding Cryptographic Challenge, from July.) This is very arcane stuff, but as best as I can reduce it, this IBM breakthrough would allow you to send encrypted data throughout the cloud, manipulate it any way you want, and then at the end of the day, you'd still be able to decrypt it.
Currently, there are severe limitations on the operations you can perform on encrypted data, because some of the manipulations will muck it up so that it's no longer decryptable.
Why is this a problem? Well, you want to be able to work on encrypted data as long as possible without having to render it back into its plainly visible form. That way, you don't have to mess around with keys, or, more to the point, provide those keys to users you're not sure you trust.
The thing with this IBM research is it's not really clear that they've solved the problem. The always authoritative Bruce Schneier says that the work is theoretically impressive but completely impractical. Regardless, IBM gets props for pushing things forward.
In closing, I'd like to point you to a good post from George Reese over at O'Reilly Community: Twenty Rules for Amazon Cloud Security. The basic thrust of his advice is "encrypt everything" and only allow your decrypt key to surface for the very brief instances you're using it.
Follow me on Twitter: @awolfe58