Futurice logo

Towards Trustworthy Services from Cloud Provider Impartiality

28-10-2020Technology

Tom Larkworthy

Senior Cloud Architect

End users cannot know whether to trust a web service. The service provider might say they use the highest possible security controls, but it's a black box. The user cannot verify. There is no proof that the provider keeps their word or that they do not inadvertently introduce a security hole. However, there is hope! Thanks to new source deployed cloud infrastructure, it becomes feasible for a service provider to allow end users to inspect their infrastructure through the disinterested cloud provider's APIs. In effect, moving the required trust from the service provider, to the cloud provider.

This is possible because cloud providers now offer granular access control to deployed source. If the service provider offers auditable access to the infrastructure, end users can inspect the infrastructure to verify the security controls themselves. This can be achieved without exposing user data or all business logic.

Concretely, on Google Cloud, the public† can be granted the permission cloudfunctions.functions.sourceCodeGet which allows the deployed code to be viewed. If the function is bound to a http handler, It is then traceable, from the end user's perspective, the journey of data from browser to cloud processing. And it is also transparent how exactly that data is handled within the scope of the function. The user only needs to trust that Google Cloud's access controls are implemented soundly. († For AWS and Azure, tokens can be issues to allow users to access an auditing account)

So now the user only has to trust the Cloud Provider is not doing something malicious or stupid in its implementation of the computing fabric, and generally these are large companies incentivied todo things to a high standard and in a compliant manner. They are also disincentivized to do malicious backroom deals, as it would irreparably damage their hosting brand. Thus, finally, the end user can see for themselves what the service provider is doing, and can have confidence they are auditing what is actually deployed at any point in time.

More tangibly, in a business context, I see a future where the outer edge is a verifiable bidirectional privacy proxy. In the inbound direction, the proxy exchanges personal information (e.g. email) for a random id, before allowing data to pass to opaque backend services that implement trade secret logic. On the outbound direction (e.g. to an email service), necessary personal information is injected into traffic. Thus, the backends are unable to leak private information, as it's provable they were never in possession of such information in the first place. End users are able to inspect the implementation of the proxy proxy at any time. Trade secrets remain secret, and users can gain trust in how their personal data is processed. VPNs would be a good first demonstration.

Thank you Antti Pitkänen, Phil Laszkowicz for their critique and feedback on this post

Related Blogs
  • About
  • Services
  • Work
  • Blog
  • Contact
  • Join us

Contact

© 2020 Futurice. All Rights Reserved | Legal disclaimer | Impressum

Futurice logo

Future. Co-created.