Over the last decade, cloud computing has become both the bedrock upon which most modern tech is built and a potential security hazard as more and more sensitive applications and data are moved to the cloud. One group particularly interested in trying to fix potential security problems on the cloud is the US Defense Advanced Research Projects Agency (DARPA). In the last 5 years, DARPA’s Mission-oriented Resilient Clouds (MRC) program has been working to research and develop methods to increase the security and reliability of the cloud.
For the uninitiated, the cloud computing refers to the practice of using a distributed network of computers to perform various types of computation such as hosting websites, calculation, and financial transactions. What we refer to as “the cloud” is actually a network of millions of specialized computers housed together in buildings known as server farms. Groups can then purchase a certain amount of storage space or computing power from the owners of these server farms. It is important to note, however, that users of the cloud are not given the use of a specific machine as is the case with a traditional remote server. Rather, applications and processes are frequently run between multiple different machines. DARPA is concerned about the security risks in moving more and more government and particularly the Department of Defense applications and networks onto cloud-based systems. They claim that the diversity of applications running on the cloud, the homogeneity of the machines running cloud applications in server farms, and high degree of interconnectivity on cloud networks compared to traditional network have the potential to increase the danger of extremely debilitating cyberattacks (1). Such setups make it possible for attackers to breach a poorly secured application and then propagate an attack throughout the cloud at extremely high speeds (1). DARPA’s response has been the MRC program, which seeks to fund research to increase the security of the cloud. A number of research entities have conducted research and created software using the MRC project’s funding.
Two groups at Cornell and Johns Hopkins University have created several pieces of software with DARPA funding that seek to increase the security of the cloud. The first system, Vsync (previously known as Isis2), is a system developed by Cornell researcher Ken Birman intended to be an all-purpose tool for developing cloud applications (2). One particularly noteworthy thing about Vsync is that it was built to allow the movement and copying of large amounts of data between machines securely (2). This could help increase security by preventing hackers from corrupting data en route from one machine to another. By contrast, the ShadowDB system proposed by another group of Cornell researchers seeks to ensure that the contamination of a single machine on the cloud does not bring down the entire system by running redundant processes on different machines and checking the results for correctness while also checking code for correctness (3). Researchers at Johns Hopkins, meanwhile, have taken a different approach with Spine and Prime, which seek to securely transfer data between servers and use random number generators to create variants of the processes running on the machine (4). The process variation is particularly interesting, as it would mean that breaking a Prime routine on one server would not enable an attacker to break all the routines on all machines as each would run slightly differently.
Overall, the projects supported by DARPA do have the potential to improve the security of the cloud. Introducing redundancies to the system to ensure proper computation and creating variants of processes on servers will hopefully make life harder for any hackers trying to penetrate distributed systems. However, the effect of the MRC program will ultimately be measured by how broadly adopted its software ends up as well and its actual utility when exposed to the strains of real world use. It would not be unreasonable to expect big things from research coming out of DARPA, who previously helped lay the groundwork for computer networks and graphical user interfaces.
(1) Birman, Ken. "Vsync: Consistent Data Replication for Cloud Computing." CodePlex. December 22, 2015. Accessed July 7, 2016. http://vsync.codeplex.com/.
(2) Schiper, Nicholas, Vincent Rahli, Robert Van Renesse, Mark Bickford, and Robert L. Constable. ShadowDB: A Replicated Database on a Synthesized Consensus Core. Technical paper. Department of Computer Science, Cornell Univesity.
(3) Amir, Yair, Emily Wagner, and Amy Babay. "The Spines Messaging System." The Spines Messaging System. January 1, 2012. Accessed July 7, 2016. http://www.spines.org/.
(4) Amir, Yair, Jonathan Kirsch, and John Lanee. "Prime: Byzantine Replication Under Attack." Prime: Byzantine Replication Under Attack. May 4, 2010. Accessed July 7, 2016. http://www.spines.org/.
Image: © Pumai Vittayanukorn | Dreamstime.com - <a href="https://www.dreamstime.com/stock-photo-data-protection-cloud-computing-security-concept-image43928193#res14972580">Data protection, Cloud computing security concept</a>