Cloud computing risk: ensuring virtual secret key security

When it comes to the physical control and/or ownership of others, it is likely to be the case that the security of the virtual machine is the key to the cloud.

Key management is still a daunting challenge in the best of circumstances. At the same time the key can access control of the data, poor key management and storage can lead to harm. When third parties control physical and logical access to your infrastructure, additional risk is added, and it becomes more difficult to secure key security. The main reason is key management and key storage related. It's like you rented a bank safe to keep the keys. Authorize your key so that your provider can access your data.

Provider bad practices, such as fragile key generation, storage, and management practices, can easily reveal keys. Sloppy password practices have led to recent security problems with Twitter. Bad employees will add a backdoor to your machine to access the key or they will access your machine through an unencrypted link in its operation and dynamic migration. In this case, I think it is better to undo the key and encrypt the data with a new key.

Backup leads to another problem with key management because it is difficult to track your provider's archive media. For long-term archival storage, I recommend that you encrypt your data and then send it to a cloud data store vendor. This way you can hold and control the password keyword. This key management isolation from the cloud provider's managed data also creates a separation constraint that protects the cloud provider and yourself in the event of regulatory compliance issues. Password shredding is also a very effective technique for migrating cloud computing risks. That is, the provider destroys copies of all the keys, ensures that any data outside of your physical control is inaccessible, and if you manage your own keys, password shredding is also an important part of your strategy,

Cloud computing also introduces other risks to key management. Vulnerabilities are found in all virtualization software that can be exploited through specific security restrictions or granted upgrade privileges. In addition, the new technology means that we cannot assume that existing processes are still secure. Security researcher Stamos, Becherer and Wilcox have recently argued that virtual machines do not necessarily have access to the random numbers that are needed to encrypt data. This is because they have fewer encryption sources than conventional machines, and conventional machines can create cryptographic pools using mouse movements and keyboard typing to generate random encrypted passwords. It is easier to generate a speculative cryptographic key in this case. This is not an immediate threat, but it warns us that there are a lot of security issues to learn about cloud computing and virtualization computing.

The main area of concern for

is how strong your provider's security strategy is and how well you implement it. Do they apply to the key management lifecycle, how many keys to build, how much to use, how much to store, how much to back up, how much to recover, how many to delete? When they are no longer needed, what data cleanup practices do they use when destroying keying material? The contract with your provider should contain "non-keystore (no key storage) "The clause declares:" Any key provided for use will no longer be retained, which is essential. This provision is the only thing that has been done before. Payment Card Industry Data Security Standard statement merchants are not allowed to store credit card CVS numbers, even if they are used for authentication purposes. If in the end, you are still not satisfied with the contract or blown by the cloud manufacturer, do not use it.