Enhanced trust and data integrity in the public cloud

If you run applications or store data in the public cloud, what assurance do you have that the service provider is maintaining the integrity of your critical assets? How would you know if a security breach ever happened? Now there is a simple solution to verify data integrity in the cloud. It provides absolute verifiable proof that your data, code and logs have not been compromised.

Can you trust the integrity of applications and data in the public cloud? Certainly trust is a crucial factor for the successful use of cloud computing by any organization. If you are going to allow another entity to process and/or store your data, you need to know whether or not someone has intentionally or accidentally compromised that data in any way.

Unfortunately, security breaches from both internal and external threats can happen at multiple levels of technology and in any computing environment. Many breaches go undetected as cyber criminals erase their digital tracks or are unreported as administrators cover up their accidents and misbehavior. As a result, your data and applications can be changed or compromised, and you may never know it.

Now there is a new solution that builds keyless signatures into the public cloud infrastructure to provide enhanced trust and integrity. The solution is jointly delivered by data integrity provider GuardTime and cloud computing provider Joyent. The companies’ partnership enables enterprises to safeguard their most valuable assets in the cloud: code, logs and data. The solution delivers fully auditable, forensic-quality logs and proof of integrity for stored or archived data. In addition, it can prevent unauthorized applications from running.

In the joint solution, GuardTime brings the digital signature technology to the table. GuardTime maintains and operates a global infrastructure that is hierarchical and distributed, with multiple nodes around the world, similar in structure to DNS. The lowest level of the GuardTime infrastructure is a GuardTime Gateway, which runs on a virtual machine. This means that any data in the cloud can pass through a GuardTime Gateway, and the gateway can electronically sign that data with a keyless signature.

The signature proves three things: the time at which the data was signed; that the data has not been changed or tampered with since that time; and which entity or process signed it. Most important, the process uses no cryptographic keys: the signature is based solely on mathematical hashing algorithms. Therefore there is no need to trust a third party to manage your keys, and no fear of a third party surreptitiously compromising those keys.

As a hosting provider, Joyent offers customers the use of SmartMachines—virtual private servers that are optimized for software applications. For this particular solution, Joyent provisions a SmartMachine to host an application such as email, backup, e-commerce, and so on. This SmartMachine is GuardTime “signature ready,” where any data, log, or code on the SmartMachine can be signed to provide data integrity.

Each of the signatures for these items is stored with the SmartMachine, either alongside the data or within the data sets. The signatures can be automatically verified via a user interface provisioned by Joyent or via the Integrity Code published in the Financial Times, and the signatures can be mathematically proven to be accurate, thereby proving the data, logs or code have not been changed or tampered with.
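To make the mechanism described above concrete, here is an added example (not GuardTime's or Joyent's code, and not their actual protocol) of a simplified hash-aggregation scheme: each item's hash is bound to its signer and signing time, the leaves are combined into a hash tree, the root plays the role of the published integrity code, and a verifier recomputes the path from an item to that root without any key. The item contents, signer names and timestamps are constructed sample values.

```python
import hashlib
from typing import List, Tuple

# Simplified hash-aggregation model, assumed here for illustration (not GuardTime's
# protocol): each signed item is a leaf of a hash tree whose root is "published".
Proof = List[Tuple[bytes, bool]]  # (sibling hash, sibling sits on the left)

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def leaf(data: bytes, signer: str, signed_at: str) -> bytes:
    """Bind the content hash to who signed it and when it was signed."""
    return h(b"leaf", signer.encode(), signed_at.encode(), hashlib.sha256(data).digest())

def aggregate(leaves: List[bytes]) -> Tuple[bytes, List[Proof]]:
    """Return the root (integrity code) plus one sibling path per leaf."""
    proofs: List[Proof] = [[] for _ in leaves]
    level, groups = list(leaves), [[i] for i in range(len(leaves))]
    while len(level) > 1:
        nxt, ngroups = [], []
        for k in range(0, len(level) - 1, 2):
            left, right = level[k], level[k + 1]
            for i in groups[k]: proofs[i].append((right, False))   # under left child
            for i in groups[k + 1]: proofs[i].append((left, True))  # under right child
            nxt.append(h(b"node", left, right))
            ngroups.append(groups[k] + groups[k + 1])
        if len(level) % 2:  # odd count: the last node is carried up unpaired
            nxt.append(level[-1])
            ngroups.append(groups[-1])
        level, groups = nxt, ngroups
    return level[0], proofs

def verify(data: bytes, signer: str, signed_at: str, proof: Proof, code: bytes) -> bool:
    """Recompute the path to the root; any change to data, signer or time breaks it."""
    node = leaf(data, signer, signed_at)
    for sibling, on_left in proof:
        node = h(b"node", sibling, node) if on_left else h(b"node", node, sibling)
    return node == code

# Constructed sample items of the kinds the article names: a log line, code, data.
ITEMS = [
    (b"Jun  1 09:00:00 web1 sshd[412]: Accepted publickey for ops", "syslog", "2010-06-01T09:00:01Z"),
    (b"#!/bin/sh\nexec /opt/app/server\n", "deploy", "2010-06-01T09:00:01Z"),
    (b"customer,balance\nacme,1200\n", "backup", "2010-06-01T09:00:01Z"),
]

def demo() -> Tuple[bool, bool]:
    # Verify the untouched script, then reuse its proof against an altered copy.
    integrity_code, proofs = aggregate([leaf(*item) for item in ITEMS])
    intact = verify(*ITEMS[1], proofs[1], integrity_code)
    altered = verify(b"#!/bin/sh\nexec /opt/app/server --debug\n", *ITEMS[1][1:], proofs[1], integrity_code)
    return intact, altered
```

Because the root alone is published, the verifier needs only the item, its signer and time, and its sibling path; no key material is involved, and changing any byte of the item, the claimed signer or the timestamp produces a different root.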

It’s a simple solution that can’t be compromised by human error or breached by cyber miscreants. Of course, these keyless signatures don’t eliminate or replace the regular security controls that need to be in place, but the process does prove, for auditing, forensic and regulatory purposes, that data, logs and code have not been altered. In addition, this solution addresses the fundamental weaknesses associated with PKI and key-based security in the cloud: managing the keys and assuring that they can be trusted.

Jason Hoffman, chief scientist at Joyent, says the GuardTime technology reduces his company’s liability and simplifies contracts with customers. “GuardTime signatures provide positive proof that we have maintained our clients’ data integrity. This allows us to establish verifiable trust, which is essential in a cloud computing environment.”

Linda Musthaler and Brian Musthaler are co-founders and the principal analysts of Essential Solutions Corp. You can write to Linda at LMusthaler@essential-iws.com and to Brian at bmusthaler@essential-iws.com.

About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Copyright © 2010 IDG Communications, Inc.