Most cloud solutions are built on hypervisor and virtual machine technologies. There are few cloud providers who offer bare metal servers instead of virtual machines but they are more of an exception. In general the cloud provider, in this case an Infrastructure as a Service (IaaS) provider, builds their services on top of a hypervisor to pool together physical resources that can then be virtualized. The benefit is, that it allows the abstraction of the underlying hardware and the control of vast number of virtual servers with relative ease.
The cloud provider runs the hypervisor and the customer subscribes or rents virtual servers provisioned on top of the hypervisor. When a customer subscribes to a virtual machine the expectation typically is that no one else has access to it. Not even the cloud provider. If you lose the access keys to the virtual machine the cloud provider cannot help you.
When we store money in the bank we certainly hope that the bank knows at any given time how much of money we have deposited in which currency on which account. The cloud is similar; we hand over our data for someone else’s safekeeping but now the expectation towards the cloud provider is different. We assume that the cloud provider has no insight into the data we store with them. They shouldn’t know what workloads we run in the cloud and what data gets processed.
This hopefully is the case, as most cloud providers tell us it’s the case. However, with a technology called Virtual Machine Introspection and few other software packages it is trivially easy to potentially gain full access to any virtual machine running on the hypervisor. Tamas K. Lengyel has shown (https://tklengyel.github.io/drakvuf/) in his research that with the help of software that he and several others have developed not only can the hypervisor owner monitor each and every process on the virtual machine, but retrieve files that are only stored in the memory of the virtual machine and inject code from the hypervisor to execute any program on the virtual machine itself. The code does not require to know the user ID or password of the virtual machine. With this approach every single virtual server is open to the owner of the hypervisor and the customer running the virtual machines would not even know about it.
This is not to suggest that any of the cloud providers have actually implemented this type of functionality but since it’s so easy, we as users of these cloud services should very carefully evaluate which cloud provider we put our trust in as potentially the cloud providers do not even need the proverbial keys to access everything we do on our servers.
Speak to the cloud computing experts at Cloud Comrade
At Cloud Comrade, we specialise in providing our clients in Singapore and South East Asia with best in class cloud technology solutions that put them ahead of their competitors and which keep their critical data highly accessible and secure. Ready to take your business forward? So are we: www.cloudcomrade.com/