Security in the Cloud

Cloud computing offers many advantages, but also involves security risks. Fortunately, researchers are devising some ingenious solutions.
“Computing may some day be organized as a public utility, just as the telephone system is a public utility,” Massachusetts Institute of Technology (MIT) computer science pioneer John McCarthy noted in 1961. We aren’t quite there yet, but cloud computing brings us close. Clouds are all the rage today, promising convenience, elasticity, transparency, and economy. But with the many benefits come thorny issues of security.
The history of computing since the 1960s can be viewed as a continuous move toward ever greater specialization and distribution of computing resources. First we had mainframes, and security was fairly simple. Then we added minicomputers and desktop and laptop computers and client-server models, and it got more complicated. These computing paradigms gave way in turn to n-tier and grid computing and to various types of virtualization. As hardware infrastructures grew more complicated and fragmented, so did the distribution of software and data. There seemed no end to the ways that users could split up their computing resources, and no end to the security problems that arose as a result. Part of the problem has been one of moving targets—just as one computing paradigm seemed solid, a new, more attractive one beckoned.
In a sense, cloud computing simplifies security issues for users by outsourcing them to another party, one that is presumed to be highly skilled at dealing with them. Cloud users may think they don’t have to worry about the security of their software and data anymore, because they’re in
But such complacency is a mistake, say researchers at Hewlett-Packard (HP) Laboratories in Bristol, U.K. They are prototyping Cells as a Service, by which they hope to automate security management in the cloud. A cell, managed as a single administrative domain using common security policies, contains a bundle of virtual machines, storage volumes, and networks running across multiple physical machines. Around the cells HP inserts various sensors, detectors, and mitigators that look for viruses, intrusions, and other suspicious behavior. Virtualization enables these agents to be very close to the action without being part of it or observed by it, according to HP.

Photo caption: Cloud computing simplifies security issues for users by outsourcing them to companies such as Microsoft, which recently opened a $550 million data center in Chicago.
“People often think of virtualization as adding to security problems, but it is fundamentally the answer to a lot of those problems,” says Martin Sadler, director of HP’s Systems Security Lab. “You can do all sorts of things you can’t do when these things are physical machines.” For example, the sensors can watch CPU activity, I/O patterns, and memory usage and, based on models of past behavior, recognize suspicious activity. They can also assess the probability of certain events happening and take action accordingly. They might, for instance, throttle back the CPU, stop all I/O to a virtual machine (VM), or take a clone of the VM and move it elsewhere for evaluation. Agents could be deployed by cloud users, cloud service providers, or third parties such as a virus protection company, Sadler says.
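The two HP passages above describe a cell (a group of VMs under one administrative domain and one security policy) and hypervisor-side agents that baseline each VM's CPU, I/O, and memory behavior and then throttle the CPU, stop I/O, or clone the VM for evaluation when something deviates. The following is an added toy model of that idea; it is not HP's code or design. The cell and policy classes, the telemetry samples, the z-score baseline standing in for "models of past behavior," and the action names are all assumptions made for the example.

```python
"""Added illustration (not HP's code): a cell of VMs under one policy, watched
from outside by an agent that baselines CPU, I/O and memory behaviour and picks
a mitigation when a sample deviates from the model of past behaviour.

All telemetry, thresholds and action names below are constructed for the
example and are assumptions, not HP's actual design.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple

METRICS = ("cpu", "io", "mem")  # per-sample measurements seen from the hypervisor side


@dataclass
class Policy:
    """Common security policy shared by every VM in a cell (assumed values)."""
    zscore_limit: float = 3.0   # how far from the baseline a metric may drift
    min_history: int = 5        # samples needed before the baseline is trusted


@dataclass
class Baseline:
    """Model of a VM's past behaviour: per-metric mean and standard deviation."""
    history: Dict[str, List[float]] = field(
        default_factory=lambda: {m: [] for m in METRICS})

    def observe(self, sample: Dict[str, float]) -> None:
        for m in METRICS:
            self.history[m].append(sample[m])

    def zscores(self, sample: Dict[str, float]) -> Dict[str, float]:
        out = {}
        for m in METRICS:
            hist = self.history[m]
            mu, sigma = mean(hist), pstdev(hist)
            if sample[m] == mu:
                out[m] = 0.0
            elif sigma == 0:
                # A perfectly flat history makes any change maximally surprising.
                out[m] = float("inf")
            else:
                out[m] = abs(sample[m] - mu) / sigma
        return out


@dataclass
class Cell:
    """A cell: VMs managed as one administrative domain with one policy."""
    name: str
    policy: Policy
    vms: Dict[str, Baseline] = field(default_factory=dict)

    def add_vm(self, vm_id: str) -> None:
        self.vms[vm_id] = Baseline()

    def evaluate(self, vm_id: str, sample: Dict[str, float]) -> Tuple[str, Dict[str, float]]:
        """Score one telemetry sample and return (action, zscores).

        Actions mirror the article's examples: throttle the CPU, stop I/O, or
        clone the VM for offline evaluation. Only samples judged normal are
        folded into the baseline, so abusive behaviour cannot slowly teach the
        model that it is normal.
        """
        base = self.vms[vm_id]
        if len(base.history["cpu"]) < self.policy.min_history:
            base.observe(sample)
            return "learn", {m: 0.0 for m in METRICS}
        z = base.zscores(sample)
        anomalous = {m for m, v in z.items() if v > self.policy.zscore_limit}
        if not anomalous:
            base.observe(sample)
            return "allow", z
        if anomalous == {"cpu"}:
            return "throttle_cpu", z
        if anomalous == {"io"}:
            return "stop_io", z
        return "clone_for_evaluation", z


# Constructed telemetry for the example: (cpu %, I/O ops/s, memory MB).
NORMAL = [(20, 100, 512), (22, 110, 520), (19, 95, 515),
          (21, 105, 518), (20, 98, 514), (23, 102, 516)]


def run_demo() -> List[str]:
    """Feed one VM a quiet baseline, then three constructed anomalies."""
    cell = Cell("web-tier", Policy())
    cell.add_vm("vm-1")
    actions = []
    for cpu, io, mem in NORMAL:
        actions.append(cell.evaluate("vm-1", {"cpu": cpu, "io": io, "mem": mem})[0])
    # A CPU spike, an I/O burst, and everything at once.
    actions.append(cell.evaluate("vm-1", {"cpu": 95, "io": 100, "mem": 515})[0])
    actions.append(cell.evaluate("vm-1", {"cpu": 20, "io": 5000, "mem": 515})[0])
    actions.append(cell.evaluate("vm-1", {"cpu": 99, "io": 8000, "mem": 4000})[0])
    return actions


if __name__ == "__main__":
    for i, action in enumerate(run_demo()):
        print(f"sample {i}: {action}")
```

The point the article makes about agents sitting outside the VM carries through here: the `Cell` holds the baselines, so a compromised guest cannot reset its own history or read the policy thresholds, and refusing to learn from anomalous samples keeps the model of past behavior from drifting toward the attacker's activity.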
Virtual machine introspection
IBM Research is pursuing a similar approach called “virtual machine introspection.” It puts security inside a protected VM running on the same