Microsoft Research thinks Haven might be the answer to cloud storage security problems
Storing your data in the cloud requires you to place trust in a company and its service. Whether you're talking about Dropbox, Google Drive or an enterprise-level solution, security is of paramount importance. There have been numerous high-profile cases in recent months in which data breaches have occurred and private data has been accessed by unauthorized people -- including the NSA et al. It's little wonder that many people are wary of moving entirely to the cloud.
But Microsoft Research may have a solution. A small team of researchers came up with Haven, a cloud system that introduces the idea of shielded execution. This is a platform designed not just for storing data, but also for securely running cloud-based applications, including those based on legacy code.
Andrew Baumann, Marcus Peinado, and Galen Hunt revealed details of Haven back in October, but today Microsoft Research has released a few more details in a rather more accessible form. The beauty of the platform is that it provides in-house levels of security for data and services that are stored and run off-site. It "could allow users to run existing software and data in the cloud with equivalent trust in the privacy and integrity of the data as if it were on-site or in a secure co-location facility".
The trio of researchers are part of the operating systems group of Microsoft Research, and Haven came about as a result of combining two technologies. Intel SGX had already been developed to run security-centric aspects of applications in encrypted, ring-fenced environments, while Microsoft Research's Drawbridge improved the efficiency of virtualized systems. By merging the two, the team came up with the idea of running Drawbridge within Intel SGX, and it was a natural progression to move this to the cloud.
This is a technology that will appeal not just to businesses that are eager to keep their data secure, but also to individuals who are keen to protect themselves from surveillance. Andrew Baumann says:
"The cloud provider only ever sees encrypted data, and the only thing the cloud provider could give to the government or some law enforcement body would be encrypted data. There's no way for them to see the raw data".
What's so appealing about the system is that it is very easy to transition existing code to take advantage of the new security features.
"We can take unmodified applications like a SQL database that people already run on their own machines outside the cloud and move them into a secure environment in the cloud. Yes, there's a lot more code in the trusted computing base, but, practically, you end up with a more secure system than if you didn't have it".
As the move to the cloud continues apace, Haven could be the security boost that's needed to improve levels of trust and increase peace of mind.