The Project Silver Manifesto
Cloud computing has emerged as a dominant platform for computing for the foreseeable future, resulting in an ongoing disruption to the way we build and deploy software. This disruption offers a rare opportunity to integrate new approaches to computer security.
We advocate for new cloud services that take as a primary goal the security of cloud tenants. The consolidation of massive resources and myriad activities in the cloud places cloud operators in a unique position to introduce new services to help tenants better manage their security (or to manage it for them outright)—and indeed to solve some of security’s “holy grail” problems. We believe that service providers enjoy a strategic position in four key regards:
- Deeper specialization: A recurring obstacle to operational security in practice is a dearth of professionals with relevant expertise. Cloud-based security services allow many organizations to benefit from the deeper specialization of a few large cloud providers and security service providers.
- Provider introspection: Cloud providers have the unique ability to introspect on tenants, which we will argue helps facilitate outsourced security management. One (well known) challenge to taking advantage of introspection is the semantic gap between the provider’s observations and the significance of observed behaviors in tenant environments, which may be highly customized. Another challenge is the reluctance of cloud providers to access tenant data, due to confidentiality concerns stemming from the sensitivity of tenant data and from regulatory requirements around data sharing. But even lightweight introspection could yield big rewards in terms of improved security.
- A broad view: Cloud services attract a large number of customers, enabling cloud providers to obtain a broad view of security-relevant information. Aggregating this information could lead to deeper insights than those obtainable by smaller organizations in isolation — a form of “herd immunity” to threats.
- Massive compute resources: Security analysis of the information knowable to cloud operators may require massive compute and storage resources. But large cloud providers have access to these resources.