Friday, May 14, 2010

Cloud security

Some people say that cloud security comes down to this simple question:

Do you have 24/7 unrestricted access to the PHYSICAL machine where your data is stored?

If no, then your DATA IS NOT SECURE.
If so, YOUR DATA MIGHT BE SECURE.


This line of questioning goes to the heart of most security problems, and not just in cloud security terms.

To take an example, rather than requiring one key to open a door (metaphorically, to access a data file), more secure systems issue N keys and require any M of them (for example, 3 out of 5, where N=5 and M=3) to open the door. So, even if you lose the key in your pocket, or someone takes it from you at gunpoint, the system stays secure as long as fewer than M of the N keys are compromised. This is usually called a "security quorum" or "threshold system".
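As an added example (not from the original post, and not ZSentry's code), here is the 3-out-of-5 quorum above realized as Shamir's threshold scheme over a prime field: the key is the constant term of a random polynomial, each of the N=5 holders gets one point on it, any M=3 points recover the key, and fewer than M yield nothing useful. The field prime and parameter names are my choices.

```python
import secrets
from typing import List, Tuple

# Shamir's (M, N) threshold scheme over the prime field GF(P).
# P = 2**521 - 1 is a Mersenne prime, so any 256-bit key fits as the secret.
P = (1 << 521) - 1


def split_secret(secret: int, n: int, m: int) -> List[Tuple[int, int]]:
    """Issue n key shares such that any m of them reconstruct `secret`.
    The secret is the constant term of a random polynomial of degree m-1;
    holder i receives the point (i, f(i)). Fewer than m points leave the
    constant term uniformly undetermined, which is the security of the quorum."""
    if not (1 <= m <= n < P and 0 <= secret < P):
        raise ValueError("need 1 <= m <= n and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(P).
    Caveat: with fewer than m distinct shares this returns a random-looking
    wrong value rather than an error, so the caller must enforce the quorum
    count itself. The flip side is the availability risk of any threshold:
    if fewer than m holders remain reachable, the door stays shut for good."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P        # numerator of the basis polynomial at 0
                den = den * (xi - xj) % P    # its denominator
        total = (total + yi * num * pow(den, -1, P)) % P
    return total
```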

Useful as a threshold system may be for cloud security, is there still room for improvement?

A major improvement would be to eliminate the root of trust (i.e., that which you rely upon to assure that the threshold system and keys work as intended) [1] so that there is no target to attack. The principle is that no one can attack what does not exist. Not only would a security quorum no longer be needed (which improves usability and removes a denial-of-service risk, since a quorum that cannot be assembled keeps the door shut), but complexity would also be reduced.

This solution, which is implemented in NMA ZSentry [2], effectively shifts the information security solution space from the yet-unsolved security problem of protecting servers and clients against penetration attacks to a connection reliability problem that is easily solved today.

Thus, in terms of cloud security, you can set up layers upon layers of security, but this is all for naught if the root of trust lies within the cloud itself. You solve this problem by eliminating the root of trust inside the cloud, as done by ZSentry, which is available free for tests and personal use [2].

This is important not only for health care records (HIPAA compliance) and privacy regulatory compliance in general, but also for individuals. Email, SMS and IM are the psychological equivalent of a voice conversation. People often forget, however, that a text message or an email conversation in cloud storage (such as in gmail, yahoo, hotmail) can be replayed even many years later, often without the authorization of any of the parties, and often with undesired consequences.

In perspective, while it may not be reasonable (or cost-effective) to assure that you have 24/7 unrestricted access to the PHYSICAL machine where your data is stored, you can use methods that leave no root of trust within the cloud itself. The cloud should store only de-identified, encrypted data, and never the keys that would allow that data to be decrypted.


[1] For a formal definition of trust that applies to both computers and humans, see http://bit.ly/TRUST

[2] http://zsentry.com