Is Hardware-Based Security The Right Answer to Cloud Security?

This entry was posted on Tuesday, February 5th, 2019.

Without question, today, there is considerable focus on securing the Cloud. This is especially true for virtualization systems, which have played a major role in creating cloud computing. However, the downsides to virtualization involve security challenges.

In this scenario, Docker containers play a big part in virtualization as a way for deploying cloud solutions.  A Docker is described as an open-source system of software containers, and these containers help software to run while being moved from one environment to another. However, like the many and varied aspects of cloud computing, Docker containers are under scrutiny for their security levels.

But when you get down to the essence of security, you’re only as good as the hardware in which you’re executing.  And as has been widely publicized, vulnerabilities like Meltdown, Spectre, and Foreshadow are at the microarchitecture level of today’s popular microprocessors (mPs) and central processing units (CPUs).

It’s virtually impossible to mitigate against these types of vulnerabilities at the virtualization layer, much less even at the host OS layer. In fact, the fundamental execution of a network system, itself, is vulnerable.

For decades, there have been software attacks directed at desktops and servers. However, today, hardware microarchitectural security vulnerabilities are closely being examined at the CPU level. The work being done is directed at finding attack avenues to the Cloud.  These individuals are intent on taking advantage of cloud computing where there are multiple services from multiple tenants, possibly executing on the same server hardware in the Cloud.

Attackers want to use microarchitectural bugs like Spectre or Meltdown to gain access to other processes, other containers or virtual machines that are executing on that system. By doing so, they can exfiltrate data from one system that’s expected to be secure out through another via these microarchitectural bugs.

The industry can be assured that there will be more of these microarchitectural bugs to be found as attackers become even more sophisticated.  Therefore, data may not be as secure as has been previously promised by system vendors. The fact remains that even if all due diligence has been performed, vulnerabilities at the CPU level can still expose data to be exfiltrated.

CPU vendors are working toward resolving these vulnerabilities.  However, what has to be kept in mind is that security is not the first consideration when CPUs are designed.  The primary focus is on complexity and performance.  Security is most often an afterthought, particularly from a computational efficiency perspective.  So, with complexity and performance at the forefront and a lack of a security focus, the door will remain open for future microarchitectural bugs and they’ll be uncovered in future systems.