Software, including operating systems, increases your level of assurance in the environment and can mitigate – if not remediate – most of the exposure from the personnel and physical environment your cloud is operated within.
On top of trustworthy (or sometimes untrustworthy) hardware, a multi-tenancy cloud center should use trusted operating systems like SE-Linux or Solaris 11 with trusted features to mitigate and isolate the information from unintended blending or internal exfiltration between competing organizations and trusted internal administrators (who may likely, as was the case in Wiki Leaks, be the largest threat). The government, academia, and software vendors spent far more money than you would ever want to know building, testing, and certifying trusted operating systems only to see them marginalized in utilization because of perceived issues of complexity and limited trained staffs to properly implement and configure them.
Why a trusted operating system?
Your operating systems have access to every bit that is executed on or against them and in their memory space.
Early on, people like Len Lapadula and David Bell of MITRE (a not-for-profit government research organization) realized that this access presented a target and risk to the information and applications processed on these platforms. A number of models were developed including the Bell-Lapadula model of Non-Interference that became the basis for Multi-Level and Compartmented Mode trusted computing.
By incorporating Mandatory Access Control labels, and other embedded security and trust elements, on everything from memory to semaphores, file systems, and displays, non-interference can be guaranteed. Further, Common Criteria Evaluation and Validation System testing and certification at EAL4+ level of assurance proves that all information and processes are safe and isolated under policy, and at least two-person controls. These are exactly the protections and assurances you need to trust your company jewels within a cloud environment. Your cloud administrator can add all of the people they want or need, but they cannot see or touch anything until your Security Officer grants them rights and privileges.
In a typical cloud environment represented by a server, operating system, and multiple Virtual Memory (VM) images, each VM is launched at a specific level, MAC label, and likely a set of further specifying code-words and caveats. Users are granted access only to what they are cleared and accredited to. In this way, even an administrator cannot access the Virtual Machine or its programs and information unless they also hold the specific entitlements. This is assured by the removal of the Super User identity and capabilities in the system. In multi-user systems, the ability of a trusted Super User has always been an ultimate risk because they could see or do anything and clean up after themselves with enough skills so that they left no evidence. The removal of the Super User, separation of administrative and security roles, and the labeled protections for all resources remove the previous risks.
With all tenants in a multi-tenant cloud environment executing in their own level and access enforced under both MAC and DAC, all of the way down into the system and its operating system, you can truly trust your sensitive information to the cloud provider, your VM and a proven and provable level of trustworthiness for the system it is processed on.
