In a previous post I discussed AES as the only encryption scheme that protects data from snoops. In this post I want to report on a possible security hole in the virtual machinery of cloud computing.
Let's first recall that scads of user data are in the warehouses hooked up to those clouds. Personal information kept in files of the common media types—text, pictures, audio, video—that 10 years ago might have been sitting on desktops in removable storage now form the Big Data sitting out in expanding bit-cumuli.
Why that shift?
Online services that promote social interactions spur us to accumulate our data in their warehouses. Those photo streams on Flickr, videos on YouTube, random stuff dropped into DropBox, tweets on Twitter, blogs on Blogger, timelines of FaceBook activity are all parts of a Social Web for which cloud computing became an infrastructural answer. And free hosting, content tagging, RSS feeds and other technologies that remove the burden of cost and expertise from the media-making user help drive a spiral of online social activity.
Virtualization is the scaling technology that makes cloud computing cost-effective for businesses of the Social Web. With many instances of the same operating system software tied to the same hardware resources, businesses are able to contain the cost of indefinitely holding user data as advertising and other revenue grows.
While it’s great for scaling data-intensive online services, virtualization raises the stakes of securing different user data during runtime sharing of the same hardware. Users like the ease of online socializing as much as they dislike the possibility that their data is vulnerable to snooping, misuse, and theft.
And that is why the results of a recent RSA experiment—if not proof of a credible threat to the security of data within a cloud—could stoke public worry.
Using a side-channel attack, and executing priority requests for processor time with obnoxious frequency, researchers were able to gain access to data shared in memory by applications working for users on another virtual machine, ultimately deciphering encryption codes by watching calculations involved in handshakes. In short, software running under a user in one virtual machine was able to discover the secret key that protected the data of a user in a different virtual machine.
Yes, it’s possible that such an attack could be shut-down with the Unix nice program or other operating system equivalents. However, proving the concept of a possible exploit casts a big shadow when data security is the issue. Hackers certainly will be interested in the results.
In the meantime, as we’re waiting for the next shoe to drop, from a VMware performance monitoring perspective, you can look for signs of irregularities in resource use within your cloud with appropriate virtualization monitoring tools for your VMware monitoring.