
Cloud data needs to be tracked to ensure security

By Derek du Preez

15 Sep 2011


Cloud service providers should layer their infrastructure to better protect their data and alleviate security concerns, according to Imperial College London lecturer Dr Peter Pietzuch, who was speaking at a Westminster eforum event yesterday.

Pietzuch told delegates at the event, "Cloud computing - security, market development and prospects for the g-cloud", that the current security model for the cloud is not transparent enough, meaning software developers who want to deploy their applications in the cloud do not have enough knowledge of their provider's security.

"You are given certain guarantees in terms of data confidentiality, integrity, secure auditing and resource isolation, but what is not transparent is how cloud providers actually enforce these," he explained.

"Our research at Imperial College aims to provide a cloud platform that can automatically detect security violations caused by either a flaw in the applications or in the cloud platform being used," he added.

"We would like to move to a model where if you deploy a cloud application it comes with a cloud security policy.

"This means there will be a specification around the type of data protection guarantees required and the cloud infrastructure will automatically enforce a standardised set of policies."

Pietzuch argued that service providers should pursue a data-centric approach to security, which would see data being tracked across the different cloud software components.

"If you consider a multi-tenanted cloud environment, where there is a particular application that consists of multiple software components, what the cloud can do is actually track the path of the user data within the cloud infrastructure," said Pietzuch.

"So, now that the cloud understands which components were exposed to sensitive data, it can isolate those components and prevent security problems," he added.

"For example, if there is a flaw in an implementation of a software component that leads to an unauthorised leakage of sensitive data, the cloud infrastructure is able to prevent the flow of this information [essentially locking it down], because it understands that this component has had access to sensitive data."
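The tracking described above can be sketched as sensitivity labels that follow data from component to component. This is an added illustration, not code from the Imperial College research or from the original article; the `Platform` class, the component names and the `patient` label are assumptions made for the example.

```python
class FlowBlocked(Exception):
    """Raised when the platform refuses a flow that would breach the policy."""

class Platform:
    """Toy cloud platform that tracks sensitivity labels per component."""

    def __init__(self, policy):
        # policy: component name -> labels that component is cleared to receive
        self.policy = {name: frozenset(labels) for name, labels in policy.items()}
        self.exposure = {name: set() for name in policy}  # labels each component has seen
        self.audit = []  # (src, dst, labels, verdict)

    def _deliver(self, src, dst, labels):
        excess = labels - self.policy[dst]
        if excess:  # destination is not cleared for some label: lock the flow down
            self.audit.append((src, dst, sorted(excess), "blocked"))
            raise FlowBlocked(f"{src} -> {dst}: not cleared for {sorted(excess)}")
        self.exposure[dst] |= labels
        self.audit.append((src, dst, sorted(labels), "allowed"))

    def ingest(self, dst, labels):
        """User data enters the platform at component dst carrying labels."""
        self._deliver("user", dst, set(labels))

    def send(self, src, dst):
        """Conservative rule: output of src carries every label src was exposed to."""
        self._deliver(src, dst, set(self.exposure[src]))

    def exposed_to(self, label):
        """Components the platform knows have handled data with this label."""
        return {c for c, seen in self.exposure.items() if label in seen}

def demo():
    # Constructed policy shipped with a hypothetical multi-component application.
    policy = {c: {"patient"} for c in ("frontend", "records", "analytics")}
    policy.update(metrics=set(), export=set())  # export leaves the compartment
    p = Platform(policy)
    p.ingest("frontend", {"patient"})
    p.send("frontend", "records")
    p.send("records", "analytics")
    p.send("metrics", "export")        # never saw sensitive data: allowed
    try:
        p.send("analytics", "export")  # flawed component tries to leak
        leaked = True
    except FlowBlocked:
        leaked = False
    return p, leaked
```

The enforcement decision depends only on what each component has been exposed to, so a flaw inside `analytics` cannot move labelled data to a destination the policy does not clear.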

He said it is "naive" to assume one security method will solve all data protection problems in the cloud, and that there needs to be "multiple layers of defence".

"We should also create individual compartments within the cloud infrastructure, so when there is a security incident we can essentially limit its scope," he explained.

Imperial College has been working with the NHS to use the ideas Pietzuch discussed at the eforum, in the hope of creating secure healthcare applications.

Despite Pietzuch's research and his arguments that security in the cloud could be improved, he also said the industry perception of cloud security is very "skewed".

"A good analogy would be the difference between plane travel and car travel. Objectively, we know plane travel is safer per mile travelled than car travel.

"However, at the same time, more people feel anxious when they board a plane than when they take a car," he said.

"Similarly, we know cloud providers invest a lot of energy on securing the cloud infrastructure.

"They have substantial resources and the type of security mechanisms they can provide are probably better than traditional in-house security solutions," he added.

"At the same time, of course, cloud providers are collecting sensitive data from many different users, so the surface of attack is much larger and there is more incentive for criminals to attack the cloud. A single big security incident could potentially ruin a cloud provider's reputation."
