Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Godfather of Xen: Virtualization holds a key to public-cloud security

Tim Greene | Nov. 4, 2011
While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosby, says virtualization actually holds a key to better security.

"Intel recently announced its Deep Safe technology with McAfee, a Type 1 hypervisor early load, which has a sole purpose to secure the runtime," Crosby says. "So you start to see the specific use of virtualization security on clients. I think it will eventually be the same on server systems, too. Obviously you've got to get the server hypervisor to learn new things."

He seems to suggest that linking hypervisors to trusted platform modules (TPM) that are integrated within commodity processors could yield security benefits. TMP's features include storage of encryption keys as well as hardware-assisted encryption, which makes it possible to encrypt all data a business entrusts to a public cloud.

"You can encrypt it at wire speed, and there is no excuse ever for the cloud provider to manage the key," Crosby says. "So what should happen is when you run an application in the cloud you should provide it with the key and only in the context of the running application as the data comes off some storage service is it decrypted and goes out re-encrypted on the fly. That way if somebody compromises the cloud provider's interface or if someone walks into the cloud provider and walks off with a hard disk, then you are OK."

By better securing public clouds, businesses can take full advantage of the reduced costs they offer. If trust in public clouds can be established, the need for private clouds and hybrid clouds and the capital costs they imply will go away. Cloud computing will become an operational expense.

Standing in the way is fear that if data is compromised while in the cloud the event will be career-ending for those who authorize it. Also blocking the way are the demands of regulatory auditors that want businesses to be able to physically locate data. "[Y]ou can't really state anything to a regulator in terms of the data if you can't find the hard disk," he says. "So how is the guy supposed to allow the data out of the data center?"

It could be shown instead that data is secure within a public cloud, meeting regulatory concerns without having to physically locate the disk containing it, Crosby says. "They could do it in a heartbeat," he says, "if we could actually secure the regulatory frameworks for it and if we could just get the vendors to do the obvious things in terms of adopting security technologies."

Crosby says Bromium already has a functioning version of its product and will announce it within months. "I think we're on early in the new year," he says. "We're in the stage where we're sending systems to potential early customers for them to kick around and give us feedback on."


Previous Page  1  2 

Sign up for Computerworld eNewsletters.