Can you trust your cloud hosting provider?

Now that the IT department is outsourced, all of a sudden people are asking the right questions about IT security.
Written by Mike Gault, GuardTime, Contributor
Commentary - Cloud computing is the best thing that has happened to information security in 50 years, because it’s forcing people to address the perimeter issue.

As you move data to the Cloud there are many different challenges. Applications have to be designed differently. Security gets pushed further and further away from perimeter-based approaches. Security threats change when data moves to the Cloud.

Up until the existence of Cloud computing it was acceptable to trust the IT department internally. Now that the IT department is outsourced, all of a sudden people are asking the right questions about IT security. The focus must be on the data itself and not on the perimeter around the data. Cloud computing is forcing IT to ask similar security questions about activities inside the enterprise as well.

With cloud computing coming into its own around 2007, people realized that something fundamentally changed. It basically went from, ‘this data is inside my organization and I’m willing to trust my IT department’ -- to -- ‘this data is outside my organization and I can no longer trust the IT department or outsiders, the people that are now hosting my data.’

Cyber defense and Cloud computing are actually closely related, because both come down to who you can trust and what you do if you can no longer trust the people inside your organization or institution.

As people weigh their choices between Cloud vendors like Joyent, Rackspace, or Amazon Web Services, they should look closely at their SLAs to see which ones offer trust and which actually show proof if any data gets compromised. By proof I mean actual mathematical proof.

So what ever happened to PKI [public key infrastructure] as an IT security tool for encryption and data privacy? It has always been good for authentication, but as a mechanism to prove the integrity and authenticity of data, it’s a horrible technology. It requires key management and trust authorities, both of which can be compromised, and even a hint of a compromise would invalidate all historical records. In the end, it costs more to sign the data than it does to actually store the data. This is one of the reasons why PKI achieved very limited uptake for signing data.

With keyless signing services or keyless signatures, verification does not rely on cryptographic keys. That means that any data in the Cloud can be signed, and the verification of the signature provides mathematical proof that the data has not been tampered with.

The ultimate goal is for keyless signatures to be ubiquitous with data integrity. Data is signed as it is stored in the cloud. That data could be application executables, logs or general data. The result of the signature process is a data signature that is stored either embedded inside the data item, or separately from the data item. To verify a signature you run a series of hash functions using the signature data.

Confidentiality is a major question to ask your Cloud hosting provider. Having the right tools in place to ensure that confidentiality is also being maintained is critical. So, some questions would be: What mechanism do you have to protect and securely deliver logs? What are you actually able to log? What activity are you recording within your Cloud? Can the integrity of those logs be proven regardless of when and where they are sent?

The SIEM providers are looking at technologies to pull together information and leverage the Cloud resources as well. Users of the Cloud have to employ their own security measures based on their risk level and their regulatory requirements.

It’s important that the technologies have been implemented properly when the logs are being created and that they’re being used properly to analyze and correlate the data into different sets of information.

These actions, including the policy definitions and admin changes associated with them, need to be signed. One of the first things that an attacker will do after gaining access to a system, especially if they are an inside attacker, is to go into the logs and remove the entries that show how and where the access was gained and what has been done to modify the environment to leave the back door open.

Nobody can prevent those things from happening, but keyless signatures can prove that those logs are, in fact, intact and haven’t been changed outside of the defined rules.
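
The verification described earlier ("run a series of hash functions using the signature data") and the log-scrubbing case above can be illustrated with a plain hash tree over a batch of log entries. This is an added example, not GuardTime's service, signature format or code; the function names, the SHA-256 tree layout and the sample log are assumptions, as is the premise that the batch root is published somewhere the hosting provider cannot rewrite.

```python
import hashlib
import hmac

def leaf_hash(entry):
    # 0x00/0x01 prefixes keep a leaf from being passed off as an inner node.
    return hashlib.sha256(b"\x00" + entry.encode()).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(entries):
    """Hash tree over one batch of log entries; levels[-1][0] is the root."""
    if not entries:
        raise ValueError("cannot sign an empty batch")
    levels = [[leaf_hash(e) for e in entries]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # odd node is promoted unchanged
        levels.append(nxt)
    return levels

def make_signature(levels, index):
    """Per-entry signature: sibling hashes on the path from leaf to root."""
    chain = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            chain.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return chain

def verify(entry, chain, published_root):
    """Recompute the root from the entry and its chain; no key is involved."""
    digest = leaf_hash(entry)
    for side, sib in chain:
        digest = node_hash(sib, digest) if side == "L" else node_hash(digest, sib)
    return hmac.compare_digest(digest, published_root)

def batch_intact(entries, published_root):
    """Rebuild the root to detect removed, added or edited entries."""
    return hmac.compare_digest(build_levels(entries)[-1][0], published_root)

# Constructed sample log (not from the article).
LOG = ["09:02:17 policy-change by=admin rule=fw-12",
       "09:04:02 useradd name=tmp01 by=svc-backup",
       "09:10:55 logout user=alice"]
ROOT = build_levels(LOG)[-1][0]  # assumption: kept where the host cannot rewrite it
```

Calling `batch_intact([LOG[0], LOG[2]], ROOT)` returns `False`: dropping the `useradd` line changes the recomputed root, so the removal is evident to anyone holding the published value.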

Mike Gault is co-founder and CEO of GuardTime. He started his career as a scientist holding a Post-Doctoral Fellowship of the European Commission conducting research in Japan on the mathematical modeling of quantum effect devices. He then had a 10-year career in the mathematical modeling and trading of financial derivatives, initially at Credit Suisse Financial Products, then as Managing Director and co-head of trading at Barclays Capital Japan. He is co-founder and Director of Umami Sustainable Seafood, the largest tuna aquaculture company in the world. You can reach him at Mike.Gault@guardtime.com.
