National Science Foundation
Secure and Trustworthy Cyberspace (SaTC)
Social, Behavioral, and Economic (SBE) Science Research
High Assurance Cloud: Maintaining Trust
Barbara Endicott-Popovsky, Director
Center for Information Assurance and Cyber Security
University of Washington, Seattle, WA 98195
Jan Whittington, Assistant Professor
Urban Design and Planning Department
College of Built Environments
University of Washington, Seattle, WA 98195
Sam Chung, Associate Professor
Computing & Software Systems
Institute of Technology
University of Washington, Tacoma, WA 98402
The advent of cloud computing allows many organizations to significantly reduce capital
expense for IT infrastructure. The obvious financial advantage from cloud computing of trading
in capital costs for operational costs has lured many small or startup businesses and non-profit
organizations to the cloud.[1]
We can reasonably expect the top cloud computing vendors to lock their doors and secure
their infrastructure, but customers regularly leave their application doors unguarded, and the
combined challenges of security, privacy, and trust in computing intersect with legal and
economic concerns that bring in many other forms of organizations with many different interests.
High information assurance in the cloud is a significant and growing concern. Mike Howard,
Principal Security Program Manager at Microsoft, notes that due to ever-evolving code and the
constant vigilance of hackers, “security is a never ending battle” and stresses the importance of
providing ongoing training in secure programming.[2] Kirk Bailey, a founding leader of a regional
association of information systems security professionals called Agora, mentioned during a PBS
interview that technology cannot be secured and that we should instead think of it as “risk-managed.”[3]
The development of high assurance clouds – cloud services with high levels of assurance that
information will be secure, often associated with the extreme demands of defense, health, finance,
and other critical functions [cites] – will only be possible when vulnerabilities within and across
technologies, service providers, and users are addressed in a systematic way. A systematic
understanding recognizes interdependencies between elements in the system and establishes
mechanisms of feedback that identify vulnerabilities, assess the risks that may accrue from
vulnerabilities, and bring about effective action in response. Effective actions constitute
safeguards against existing and future risks, effective when they reduce the incidence and scope
of vulnerabilities. As the weakest links in the system are shored up, every user benefits from
higher levels of information assurance. These aims are met when the system meets the
management or business needs of the most extremely sensitive forms of information. [cites]

[1] Hofman, P., Woods, D., “Cloud Computing: The Limits of Public Clouds for Business Applications”, IEEE Internet Computing, Nov./Dec. 2010, pp. 90-93.
[2] Howard, Michael. “Lessons Learned from Five Years of Building More Secure Software”. MSDN Magazine, November 2007. http://msdn.microsoft.com/en-us/magazine/cc163310.aspx
[3] Bailey, Kirk. PBS Interview. http://www.pbs.org/wgbh/pages/frontline/shows/hackers/interviews/bailey.html
Approaching the Problem from a Systems Perspective
Figure 1 presents a generalized schematic overview of cloud systems. The use of the cloud is
contingent upon the flow of data between service providers and users of those services, which
exist in an ecosystem of firms, organizations, and individuals producing and providing services
to users of their applications. This collection of users increasingly includes the organizations that
operate the other forms of critical infrastructures, such as health, energy, transport, water, food,
and other means of communication. Cloud services, like the critical infrastructure systems on
which all of our economies and societies depend, are a global phenomenon, leading and
following users across the jurisdictional boundaries of nation-states, and thus through the full
range of variation in the contexts that are possible for understanding, using, and protecting
information. The demands placed on this system from extreme security needs are evident in the
features that define the interdependencies of the elements with each other, yet form the most
striking contrasts in terms of technologies and models of operations.
Figure 1: High Assurance Clouds: Demands of the System
Some demands of the system are part of the regular business activities of cloud providers, as
members in the CSA, for instance, or as service providers in the marketplace.
Jurisdictional Boundaries: With a business model dependent on operations across
jurisdictional boundaries, cloud services depend on the formation of standards and
effective enforcement for compliance with those standards. Cloud systems demand
standards and compliance because this is an efficient way to provide a basis for users
– the people and organizations who comprise the market for cloud services – to
determine the reputation of providers, within the social and economic contexts set, in
part, by nation-states.
Data Flows: Similarly, though the flow of data must pass obvious thresholds for
performance in service level agreements, the willingness of parties such as users to
engage in voluntary agreements for services from cloud providers depends on the
mechanisms of governance for that exchange and the ability of either party to audit at
will – thus revealing the provenance of data and giving parties the means to separate
trustworthy from questionable data at its origin.
Another set of demands is raised by the customers or users of the cloud.
Cloud Users with App Services: Cloud users, when in the business of developing or
providing services through software applications, create substantial vulnerabilities for
the multi-tenancy architectures of cloud service providers if the applications they
develop do not embed security into their source code. Attacks on or through
applications may be destined for either neighboring cloud tenants or fellow
application users. Until applications contain engines acting in real time, with accurate
and meaningful responses to attacks, this vulnerability brings risks for all parties to
the system. Users of applications, whether they are individuals or organizations,
increase the demand for security through the drive toward increasingly convenient –
and widely varied – devices for generating, accessing, transmitting, and transforming
data.
App Users: At the same time, the identity of each user is perhaps the smallest, yet
single-most important unit of analysis for determining whether or not any given cloud
sits in a trustworthy computing system. Despite the dramatically public nature of
massive amounts of personal information, people and organizations desire and
deserve the protection of this information from misuse and abuse. To disregard this
fundamental component of the market for cloud services is to risk losing the trust of
the sources of finance that keep the entire system afloat.
Critical Infrastructures: And last but not least, those responsible for operating the
systems of infrastructure that made modern industry possible, such as our health,
energy, transport, water, food, and communication systems, are rapidly deploying
technologies up to the cloud with questionable influence on the efficiency and
security of these legacy systems. Each infrastructure has its own deep structures of
policies, business, operations, maintenance, and capital, some with technologies that
have remained in place for over a century. Trustworthy cloud computing for critical
infrastructures is entirely dependent upon the context created by these aged systems.