"If we do it right we could be in security heaven, but if we do it wrong..."
Security risks to information stored and processed in the cloud are demanding new approaches to protecting data, according to a security researcher.
Cloud computing - which allows data to be stored and processed on the internet rather than on an organisation's own infrastructure - holds out the promise of cheaper and more efficient corporate IT. However, some industry watchers are still concerned about the security and regulatory implications of allowing data outside the traditional confines of the business.
Dr Ari Juels, the director of the RSA security laboratory, told the EMC World 2010 conference in Boston that - in certain circumstances - when multiple virtual machines are running on a single physical server, information being processed in one virtual server could be accessed by other virtual machines using the same cloud computing platform.
"There are dangers," he said, "Virtual machines can extract data such as passwords and cryptographic keys when running on the same platforms.
"This is through side channels, which are not explicitly designed into the architecture but can be exploited through clever probing of the infrastructure."
Juels said that it is important that cloud computing providers make sure they build in safeguards to "insulate" virtual machine from these kinds of data breaches.
Another important security hurdle that remains for cloud computing is that it is not yet possible to tell exactly where data is being processed or stored, Juels said.
The uncertainty over the location of data in the cloud prevents public cloud platforms from being used to handle data that comes with regulatory restrictions on where it can be processed.
Juels said that technologies are being developed to enable cloud operators to link the hardware and its physical location to the data it is processing or storing.
"That is a problem that the research community is exploring as it becomes important in terms of the jurisdictional issue and to ensure appropriate geographical distribution data to ensure survivability," he said.
To help guard against security threats on cloud platforms, RSA is developing a suite of tools that allow cloud computing users to carry out remote checks on how their data is being handled.
These would carry out tasks such as checking that sensitive data is not being processed using a virtual machine that is hosted on the same platform as another client's virtual machines.
Other checks being developed by RSA would enable cloud computer users to check that files stored in the cloud have not been corrupted or deleted, and that files are backed-up to multiple locations.
President of RSA Art Coviello said that as the cloud becomes the main place where computing is carried out there is an opportunity to build security into the software and hardware that will underpin future cloud computing platforms.
"We could embed security into the virtualisation tech within cloud computing. If we do it right we could be in security heaven, but if we do it wrong we could be in security hell," he said.
Such a bottom-up approach to security would require building security protocols into the hypervisor, the virtualisation platform that allow multiple OSes to run on one machine, in order to protect the OS, applications and data being handled by the virtual machine.