July 30th, 2010 | Published in Google Research
Thursday, July 29 was the first day of the Google North American Faculty Summit, our sixth annual event bringing together Google engineers and subject matter experts with leading computer science faculty, mostly from North America but some from as far away as Japan and China. This year’s summit is focused on three topics: cloud computing, security and privacy, and social networking. It was these first two areas that we discussed yesterday, in a series of talks by Googlers, informal meetings and small round-table discussions.
After an introduction from Alfred Spector, Google’s VP of Research and Special Initiatives, we dove right into the technical talks, covering the “arms race” of malware detection, privacy and public policy, passwords and authentication, and operations and infrastructure security at large scale. I gave a talk on the changes that cloud computing brings to security, both challenges such as privacy and authentication, as well as opportunities for security improvements, which I wanted to summarize briefly below.
Cloud services have defined a new model for end-user cloud applications that are accessed via single-user devices or browsers. Unlike software on personal computers, or on time-shared servers, cloud applications execute logically on stateless clients accessing a substrate of redundant back-end servers. While a single client may execute multiple applications, those applications are typically isolated and communicate only via the cloud, thus eliminating local dependencies and simplifying device management. As well as being isolated and stateless, clients are also provisioned with software upon use, which makes any client pretty much the same as any other and facilitates transparent access from different locations and devices.
There are many clear security benefits that accrue from this cloud application software model. To start with, it eliminates much of the complex, error-prone management traditionally required for each client. Also, because clients and servers are replicated or stateless, security policies can be enforced using simple, conservative fail-stop mechanisms. Cloud applications are also highly dynamic, with new software versions easily deployed through client restart or rolling server upgrades. Not only does this greatly simplify deploying fixes to software vulnerabilities, it also allows for the possibility of deploying specialized software versions, with custom security aspects, to different clients and servers. Such software instrumentation could be used for many diverse security purposes, especially when combined with randomization: these include artificially-induced heterogeneity as well as the large-scale construction and enforcement of models for appropriate software behavior. In short, cloud applications help with basic, but hard-to-answer security questions such as: Am I running the right software? Or, is it known to be bad? Is it behaving maliciously, and can I recover if it is?
Following my talk, faculty attendees had a variety of insightful questions—as they did for all the presenters today. Roy Campbell, from University of Illinois at Urbana-Champaign, raised the issue of zero-day attacks, and how they might be handled and prevented. My response was that while it might be impossible to eliminate all security bugs, it is possible to get strong guarantees and higher assurance about fundamental software aspects. As an example, I mentioned the Native Client open source Google project that establishes strong, verifiable guarantees about the safety of low-level software. Another question raised was whether Multics-like protection rings were relevant to today's cloud computing applications. Although the mechanisms may not be the same as in Multics, my reply was that layered security and defense in depth are more important than ever, since cloud computing by necessity makes use of deep software stacks that extend from the client through multiple, nested back-end services.
On Friday’s agenda: the technical possibilities of the social web. We’ll be back with more highlights from the summit soon—stay tuned.