By Sramana Mitra and guest author Siddharth Garg
Sramana Mitra: OK, let’s look closer at encryption in the cloud. Would you help me understand what kind of data you are talking about, with some use cases as examples?
Chris Burchett: Yes. One example might be that I want to run some of the servers, and instead of buying equipment and running the servers in my environment, I want to rent somebody else’s infrastructure, run the servers there, and perform computing operations. Say I am a drug research company and I want to run algorithms that are important for the development of the new pharmaceutical line. I want to run those algorithms in the infrastructure that is out in the public cloud; I don’t have to buy hundreds of machines.
If I do that, what I am putting out there is a virtual machine. It’s running code, and that code is my intellectual property, first of all. I don’t want to expose my intellectual property to somebody else.
The other thing is that the data is my intellectual property, so what I would like to do is make sure that: a) things like the swap space in the virtual machine are encrypted because there have been examples of attacks on virtual machines inside of Amazon EC2 where the attacker was able to set up a target in a virtual machine and get an attacker’s virtual machine on the same physical machine. This crashed the target and grabbed the memory of the image and saw what was inside it.
One thing you might want to do to protect your intellectual property, your source code, is that you might want to make sure your paging files are encrypted. The other thing you might want to do is that each time a program writes something to disk that is attached to this virtual machine, you want to make sure that all that data is encrypted as well.
SM: Basically, the disk is sitting on the cloud infrastructure provider’s site, but you are in charge of encrypting the data so that even if somebody attacks that machine that person would not have access to the data. Is that right?
CB: Exactly. Think of it like this – there is a virtual machine there, and there is an agent inside that virtual machine that is managed by the enterprise. That agent enforces policies that encrypt the files as they are read and written to the disk. It also encrypts the virtual machine image memory so that if there is a crash, nothing is disclosed.
SM: How do you protect the source code and the algorithms? I understand the data part.
CB: We protect them in a couple of different ways. When they are running in memory, they are in a swap file. If the swap file is encrypted, you are sure that the algorithm’s data in the swap file is not exposed, in case, say, the virtual machine crashes for some reason. The other way is that because our agent encrypts all the files on the machine, we can actually encrypt the images of the algorithms that are sitting there in the virtual machine image, in the binaries.
SM: OK, got it! You said that the people who were trying to run highly proprietary functions, I guess tasks on a public cloud infrastructure, came to you with their problems.
CB: Well …
SM: Were you going to comment on that? Did I say something that is not entirely correct?
CB: We basically keep in touch with the customers. And as we do this all the time, we were talking with them about the problems that they were encountering. This was a definite problem.
SM: Yes, so, how did you come up with the solution?
CB: It’s actually very similar to the solution we already have. We already have an agent that runs in memory on an endpoint. It runs on a Windows or a Mac [computer], for example, and when it is running, it provides encryption. Everything that is written to the disk is encrypted, so that capability already existed. We also encrypt the swap file, so everything that is written to the paging file will be encrypted as well.