Establishing Trust in Public Clouds

Abstract

Virtualization technology enables a cloud to deliver cost-effective and scalable public services, making the cloud attractive especially to small and medium enterprises (SMEs). Securing trustworthiness in these environments is a non-trivial task and poses significant security threats for users' data and/or applications; the most critical threat being the malicious insider's threat, the primary reason for lack of trust between a cloud provider and its customers. The benefits of clouds are realized through resource sharing. The basic idea is to share large pools of resources like compute cycles or virtual CPUs (VCPUs), storage, software services etc. This very idea of resource sharing gives rise to significant security concerns for a user, especially with respect to his/her data and/or applications which are hosted in the cloud provider's data centers. This security and privacy issue becomes grave in case of the IaaS deployment model which allows a user to set up their virtual infrastructure in clouds (3). IaaS has the lowest abstraction level and allows a user to create their virtual infrastructure by choosing the desirable configuration in terms of OS, storage space, number of VCPU's, RAM size etc. A cloud provider is only responsible up to the hypervisor level, for security and maintenance of the infrastructure. We consider only the IaaS model for analysis in this paper as it has the least abstraction amongst all the cloud offerings and allows a user to choose or employ security mechanisms as per their desired levels. There are significant security risks for sensitive data and/or applications hosted in clouds (4). The rest of the paper is organized as follows: Section 2 discusses related work done in the context of cloud security esp. those dealing with threats related to the virtualized software stack and insider's attacks. Section 3 describes our views on the definition of trust in cloud computing.