Let’s use a simple analogy: if your company’s data is money, then the physical server it used to be stored on was a protected safe: a sealed iron box with a combination, kept behind three locks and under guard. With the move to the cloud, the server is more like an ATM: it stands in a public place, anyone can walk up to it, check a balance with a card, withdraw money, kick it or hit it with a hammer, or, why stop there, even carry it off, as has actually happened… You do not worry about the ATM’s security problems for one reason only: the contents of the ATM are the bank’s property, and if money is stolen from it, you are not affected. With information it is different. Yes, today most data is stored in the cloud, not “in safes” but “in ATMs”, on servers shared with other customers. When you sign a service agreement, you often do not even know where the server is physically located, who its administrators are, or what security measures the cloud provider actually applies. Yes, you have an SLA, but your losses in the event of information theft may well fall outside the cloud provider’s liability.
Test bench configuration:
- AMD EPYC 7551p
- Cooling: Noctua NH-U9 TR4-SP3
- Motherboard: ASRock Rack EPYC8D-2T
- RAM: 48 GB Transcend DDR4-2400
- SSD: Team Group MP34
Today, as conventional clouds turn into hybrid clouds, the same level of security has to be provided both on the local server, kept behind three locks in the company’s office, and on the remote virtual one, about which nothing may be known except its virtual configuration. At the same time, the number of vulnerabilities in virtualization-related enterprise software grows every year, and according to NIST (https://www.nist.gov/) the overall count of newly reported vulnerabilities is growing exponentially:
We see a doubling in 2017-2018, and the trend continues in the first half of 2019. I have heard of a manager renting out a virtual machine assuring the client that the neighbors on the server were respectable and well-behaved, and I still do not know whether that was true or not, because there are classes of attack in which the owner of one virtual machine can gain access to the data of every virtual machine on the same server.
Such privilege-escalation attacks can exploit not only software bugs in the OS code but also hardware flaws in the processor architecture, as the sad experience of Intel confirms: it has been forced to close the vulnerabilities in its Xeons at the cost of reduced performance. Even in our test lab, the servers based on Intel Xeon processors run an operating system frozen in its autumn 2018 state (before Meltdown/Spectre), because the security patches slow the machine down so much that it interferes with normal testing.
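As an added example (not part of the original article), a small Python script that reads the Linux kernel’s sysfs vulnerability status files and reports which CPU-level issues on a host or guest still show as unmitigated, the kind of check worth running on a rented VM before trusting it with data; the sample entries are constructed, and the script falls back to them when the sysfs directory is absent.

```python
import os

# Each file here holds one line such as "Mitigation: PTI", "Vulnerable"
# or "Not affected" (Linux 4.15+; the directory is absent on other systems).
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample in the kernel's line format: a guest with PTI (the
# Meltdown mitigation) active but the Spectre v2 mitigation switched off.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "l1tf": "Not affected\n",
}

def classify(status_line):
    """Map one sysfs status line to mitigated / vulnerable / not_affected / unknown."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):      # also "Vulnerable: No microcode" etc.
        return "vulnerable"
    return "unknown"                       # e.g. "Unknown: Dependent on hypervisor status"

def read_sysfs(directory=SYSFS_DIR):
    """Read every status file into {name: line}; empty dict if the directory is absent."""
    if not os.path.isdir(directory):
        return {}
    entries = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            entries[name] = fh.read()
    return entries

def report(entries):
    """Return ({name: class}, sorted names still reported as vulnerable)."""
    classes = {name: classify(line) for name, line in entries.items()}
    vulnerable = sorted(n for n, c in classes.items() if c == "vulnerable")
    return classes, vulnerable

if __name__ == "__main__":
    entries = read_sysfs() or SAMPLE       # live data if available, else the sample
    classes, vulnerable = report(entries)
    for name, cls in classes.items():
        print(f"{name:22} {cls:13} {entries[name].strip()}")
    print("still vulnerable:", ", ".join(vulnerable) or "none")
```

On a guest, an entry that reads "Unknown: Dependent on hypervisor status" means the provider, not the tenant, decides whether that mitigation is in place.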