Project: TruSIP for Clouds
Trustworthy Resilient Universal Secure Infrastructure Platform for Clouds (TruSIP 4clouds)
Previously known as the Trustworthy Cloud Compute Platform (TC2P)
Context
What is the cloud?
Public cloud computing is where a third-party organisation brings together vast computing power in a location with fast Internet connections and leases access to these resources on a pay-as-you-go basis. In private cloud computing, one part of an organisation provides and maintains the computing resources, which can then be accessed by the other parts.
The cloud is the future
According to the Cloud Security Alliance, "Cloud Computing represents one of the most significant shifts in information technology many of us are likely to see in our lifetimes". Why? Information and communication technology (ICT) enables and supports our modern way of life; it is as fundamental and essential as water and electricity. Currently most ICT users must buy and manage their own ICT resources. With the 'cloud', however, computing resources can become another public utility. ICT users can access the computing resources they need, when they want them, 'on-demand' and without the overheads. Just as the electricity company delivers power to you, the cloud service provider delivers computing power to you. They take care of the infrastructure and supply issues, so you can focus on exploiting the utility for your own purposes.
Experts predict the cloud will boost job creation and add billions in productivity
Andrew Moloney, a director at EMC, says: "We believe cloud computing will impact to the tune of 177 billion euros (a year) by 2015." According to the report, 70 percent of the time in IT departments is spent on keeping the lights on as opposed to innovating and driving new business models. "Cloud computing is unlocking that capability, whether it's large enterprises using private cloud infrastructures or SMEs using more public cloud infrastructures." The study found that while cloud computing would result in cost savings, it would lead to the creation of 446,000 net new jobs a year by 2015 from the creation of new small businesses.
Researchers based the analysis on the assumption that 100 percent of business workloads would move to the cloud (public and private clouds) by 2014 because of the cost savings and increased productivity. This represents an increase from about 20 percent today.
Study reports that baseline security needs in IT systems are rising
By 2020, the IDC report predicts that almost 50% of the information in the Digital Universe will require a level of IT-based security beyond a baseline level of virus protection and physical protection. That's up from about 30% in 2010. And while the portion of the Digital Universe that needs the highest level of security is small (in gigabytes and total files), that portion will grow by a factor of 100.
The report goes on to say that "if you look at the information in the Digital Universe that needs to be protected by number of containers or “files” (rather than by number of bytes), the percentage needing protection is more than 90%. And the amount of unprotected data will grow by a factor of 90 between now and 2020." ... "In fact, Probably EVERY byte in the Digital Universe could use some security and privacy protection. But we will never know because we can never know exactly what all those files and gigabytes actually contain."
TruSIP 4clouds intended to comprehensively address rising security needs
The Trustworthy Resilient Universal Secure Infrastructure Platform for Clouds (TruSIP 4clouds) is intended to comprehensively address the increased security needs of organisations that go beyond simple virus protection and physical protection.
At the deeper level, we are all clearly advised that today's systems are not trustworthy or dependable. To quote Debora Plunkett, a Director in the U.S. National Security Agency:
"There's no such thing as 'secure' anymore" ... "We have to build our systems on the assumption that adversaries will get in." ... "We have to, again, assume that all the components of our system are not safe, and make sure we're adjusting accordingly." (Dec 2010).
The TruSIP platform (on its own or in combination with other ICT Gozo Malta projects) is intended to address 6 of the 8 current hardest and most critical challenges (Global-scale IdM, Insider Threat, Availability of Time-Critical Systems, Building Scalable Secure Systems, Situational Understanding, Security with Privacy) identified by the United States Department of Homeland Security in their November 2009 Cyber Security Roadmap. The DHS report says these core challenges must be addressed if the trustworthy systems envisioned by the U.S. Government are to be built.
Security problems prevent widespread adoption of public clouds
Today’s public and private cloud computing models use standard computer architectures which are highly vulnerable to today's conventional cyber attacks. Typically the same technologies used to protect Enterprise environments (Firewalls, antivirus, ...) are also used to protect the Cloud.
Government and industry studies have identified that the cloud has additional security threats, and that these are the main barrier to the widespread adoption of public cloud computing services. These unresolved security threats challenge cloud viability for both cloud service providers and public end users.
Major security studies in 2009/10 (such as those by the European Network and Information Security Agency (ENISA), the US National Institute of Standards and Technology (NIST) and the Cloud Security Alliance (CSA)) have identified a short-list of top threats / open problems. The common themes found in these studies are:
- A cloud user's or user organization's loss of governance:
  - Ceding security controls of data to the cloud provider
  - Insufficient assurances of data security controls
- Data leakage or destruction:
  - Malicious insider attacks by the cloud provider
  - Malicious insider attacks by managed security providers
  - Inherent vulnerabilities and malicious back-doors present in the cloud's software and hardware platforms
  - Malicious client attacks that exploit isolation failure between virtual machines in the cloud (cloud-bursting)
- The client does not know what the risk profile of the cloud provider is, and so cannot mitigate those risks
- Account or service hijacking
What cloud service providers and clients need
To attract customers and to also ensure their own business continuity, cloud service providers need to be able to demonstrate and assure their customers that their new public utility ('on demand computing') will be adequately reliable and secure.
The public requires assurances that the business operations they run from the cloud (e.g. a public web server) will be reliable and available, even in the face of malicious cyber attacks. With regard to processing sensitive data, the client needs assurances that adequate security controls are in place to protect against data breaches. The issue of maintaining a satisfactory level of secrecy (confidentiality) is particularly difficult as the client must cede control to the cloud provider, the cloud provider's trusted staff, and ultimately to the vendors who supply software and hardware to the cloud provider. This implies that certain privileged technical staff outside of the client's organisation could access the client's sensitive (and regulation controlled) data if it is supplied to the cloud. It is this issue, regarding confidentiality and trust, that is the current hardest open problem limiting the uptake of public cloud computing.
TruSIP 4clouds - Satisfying both service provider and client needs
The TruSIP 4clouds initiative addresses security threats and confidentiality and trust issues from both the cloud service provider and end user perspectives, even in the case where unknown malware is present. The benefits of this project will also flow to private cloud systems, making them more resilient too, for example against a wide range of insider attacks (attacks originating inside the hardware, operating systems, trusted staff and administrators).
Proposal
Synaptic Labs' secure cloud vision
The creation of a universally trustworthy and dependable computing platform suitable for hosting mission-critical operations. This platform should deliver unprecedented confidentiality, integrity, availability, reliability, safety and authenticity assurances for all stakeholders against continuous and evolving insider and outsider attacks (i.e. all malicious actors), in a way that is credible and can be audited. Furthermore, this platform should facilitate business continuity in the face of natural or man-made physical disasters.
Achieving this vision
We have taken a clean-slate approach to secure cloud-computing.
Synaptic Labs' solution synergistically combines high-availability techniques found in aerospace, safety techniques found in critical infrastructure, survivability techniques employed by biological systems and modern information security techniques in a cost-effective design intended to leverage economies of scale.
We achieve secure cloud-computing for all stakeholders:
- using commercial off the shelf (COTS) hardware and operating systems often found in public and private cloud infrastructure, where each component is managed in a particular way; and
- by enabling programs running in the cloud computers to exploit Synaptic Labs' infrastructure and management design.
Our unique-value-propositions
Synaptic Labs' trustworthy cloud compute platform:
- has been designed from the ground up as a cryptographic project
- addresses identity management and access controls from the onset by integrating with Synaptic Labs' IdM-CKM project
- has an intrusion- and malware-resistant design that:
  - offers unprecedented assurances for all stakeholders with regard to confidentiality, integrity and availability against broad classes of both insider and outsider attacks, even when the attack (known or unknown) successfully compromises one component
  - comprehensively addresses the currently hard problem of ensuring client data confidentiality in public clouds, even in the face of a dormant and currently undetected compromise of a component (malware injection, inbuilt backdoors, ...)
  - addresses covert storage channel and covert timing channel attacks
  - addresses many side-channel attacks, including cache-timing attacks
  - provides the client the option to protect their software against attacks mounted by a rogue software developer when the application is hosted on the cloud platform
- as a whole, delivers assurance of critical data controls for clients (governance) in cloud environments that cannot be achieved today by other cloud offerings.
With regard to insider attacks, we explicitly address a wide range of attacks that can be mounted by the public cloud provider, its trusted staff or its suppliers, including attacks embedded in the software and hardware that the cloud provider uses to provision services. Stated another way, we believe Synaptic Labs' intrusion-resistant designs are capable of preventing sensitive client information entrusted to the cloud from being leaked as a result of a weakness, malware or back-doors in any software or hardware component used server-side.
Instead of creating targeted defences against single threats (such as a specific virus), TruSIP 4clouds will be designed to address whole classes of security attacks (e.g. all viruses) at the design level. It will be designed to remain operational in the face of Unpredictable, Unobserved or Unobservable Risks (UUUR). TruSIP 4clouds will employ survival strategies at the system level that find alternative methods for completing all transactions and that automatically repair resources corrupted by attack. A distinctive feature of TruSIP 4clouds is that it will be generally capable of preventing sensitive information from being leaked as a result of malware or a wide range of insider attacks. This makes it particularly suitable for financial transaction processing, medical and health systems, cryptographic key management and any application where sensitive information is entrusted to computing systems.
The TruSIP 4clouds can be built using commercial-off-the-shelf hardware, operating systems and programming languages. In principle, the TruSIP 4clouds can host applications written in any programming language.
Elements in the design
The trustworthy cloud compute platform provides a secure platform for running applications remotely installed by a client.
The design addresses the architecture level, requiring only the use of commercial off the shelf (COTS) hardware and a small amount of proprietary software, all organized in an innovative configuration that provides greater confidentiality, integrity and availability to all cloud stakeholders. Synaptic Labs' proposal includes specific strategies for managing the hardware and software on the server side. Clients will use two-factor authentication methods to access the cloud to prevent account and service hijacking.
Applications remotely installed by the client will be adapted to exploit our architecture model.
Phase 1: TruSIP in Software - Support for Smart cards and HSM
Implement all the essential functions of Synaptic Labs' Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP) for running in smart cards and hardware security modules. This phase will focus on the critical security and integrity features of the platform. TruSIP on smart cards will be used to enable two-factor identification and authentication tokens.
Phase 1: TruSIP in FPGA - Boutique services for ICT + ICS
Implement all the essential functions of Synaptic Labs' Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP) for running a boutique range of programs and services on Field Programmable Gate Array (FPGA) chips. This phase will focus on the critical security and integrity features of the platform.
Example end-user applications that can run on the phase 1 platform will include Synaptic Labs' IdM-CKM project and Synaptic Labs' bank-card transaction platform.
Drawing on the work done in Synaptic Labs' Type 0 hypervisor, TruSIP will also be able to host general purpose web applications written in Java. Examples include Oracle's Java Web Application Archive standard and the Google App Engine, a Java based cloud platform offered by Google. The objective is to enable existing applications that run on those platforms to run on and gain the security benefits of Synaptic Labs' Trustworthy Resilient Universal Secure Infrastructure Platform (TruSIP).
Phase 2: TruSIP in ASIC (3-D IC) - Mass commodity markets ready
Enhance the Phase 1 platform and implement in high performance 3-D integrated circuits. This will reduce the cost of each device and result in dramatic improvements in computing power. We will initially target two types of chip: 1) a general purpose computing chip suitable for most markets including workstations, and private + public clouds, and 2) a specialised low cost chip for use in embedded micro and industrial control markets.
In this phase we will work towards enabling end-to-end security by creating secure client workstations that adapt QNX Neutrino Operating System to run on TruSIP, and adapting TruSIP hardware to drive a desktop monitor.
Enhanced availability and survivability
Phases 1 and 2 focus on achieving the critical security and integrity features of the platform, with support for some standard availability and survivability features. During any phase, when desired, the project scope can be expanded to comprehensively address 'availability' (maintaining service delivery in the face of arbitrary component failure) and 'survivability' (adapting the platform in real time to remove exposure to currently active attacks). We anticipate that programs originally written to achieve the security and integrity features will also be able to exploit the enhanced availability and survivability features with little to no modification.
Resources: