Friday, April 17, 2009
We've not been doing this for 25 years
Bruce Schneier had a piece on cloud security which I came across via Linkedin's CSA group. To summarize, cloud security issues are not new, but transparency is now even more important. All good advice, what bothered me about this was recalling a conversation I had with Richard Reiner at Enomaly about cloud-jacking. The core of the conversation was focused on, "in a virtualised world where I don't control the physical substrate", as the virtual machine I can't tell the difference between a good virtualisation platform and a malicious one. This leaves my virtual machine open to manipulation by it's host - remember that hypervisors are designed to isolate the guest from the host, not protect guest from the host. With the virtual machine thinking it's talking to a real CPU and writing to its own protected memory, how would it know that someone had tampered with memory content or took a peek at a secret value? Not saying this is a reason not to live the cloud dream, but that even with all the transparency in the world, there are some security issues that are very new and we need to get a handle on them.