When a company decides to store its data in the cloud, one of the choices it must make is whether to store the information on physical resources devoted solely to its data and computing services, or to share those resources with other entities that use the same cloud provider’s services. At the risk of oversimplifying, an analogy is deciding whether to rent a house or rent a unit in a multi-tenant building. The latter option is often less expensive and, as a result, seemingly more attractive, but it may raise more security concerns because you share the same space with other renters.
A recent study entitled “Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds” suggests there may be certain risks associated with the multi-tenant or “multiplexing physical infrastructure environment” when it comes to cloud computing. The study explains how it may be possible for an attacker to place a malicious virtual machine (“VM”) on a cloud server in the multi-tenant environment and then extract confidential information via a cross-VM attack. The study concludes that “there exist tangible dangers when deploying sensitive tasks to third-party compute clouds.”
What does this mean for a company looking to store confidential information in the cloud? At a minimum, the company should ask whether and to what extent it will be sharing infrastructure with other entities using the same cloud provider. If infrastructure will be shared, the study suggests a few approaches for mitigating the associated risks. First, the cloud provider can adjust the internal structure of its services to complicate an attacker’s ability to place the VM on the same machine as its target. Second, the provider can put into place blinding techniques that minimize the amount of information that can be leaked. The only “foolproof solution,” however, is for customers to “insist on using physical machines populated only with their own VMs and, in exchange, bear the opportunity costs of leaving some of these machines under-utilized.”
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.