– Brad Sollar, Senior Solution Architect, ORock Technologies –
Remember a few years back when Spectre and Meltdown were leading everyone to believe that it was the end for the public cloud and no processor was safe? Well, we patched and moved on, but the architecture that made these vulnerabilities possible still remains: shared hardware between virtual instances.
Three years later, researchers are seeing old vulnerabilities coming back to life 😱.
So, what are side-channel attacks? They are a serious class of security vulnerability in multitenant environments: a virtual machine (VM) located on the same physical host targets the hardware it shares with a neighboring VM, such as memory, cache and the central processing unit (CPU), to infer and steal sensitive data. Organizations look to architectures like dedicated hosts or bare-metal to help mitigate these attacks, as patching has not been 100% effective. Additionally, these attacks are rearing their heads again, as researchers have just discovered fresh Spectre- and Meltdown-class vulnerabilities. Like an army of termites hidden in the walls of your home, side-channel attacks remain ever-present in the public cloud for as long as VMs share hardware resources.
The noisy neighbor effect is another obstacle for anyone who hopes to get steady and reliable performance from a cloud computing environment. In a typical scenario, multiple users are co-located on the same hypervisor, and one or more virtual machines consume more than their fair share of resources. This causes contention for CPU, memory, network and storage, degrading the performance of your VM on that host. An organization typically deals with this issue by buying a bigger instance size, which adds more CPU and memory to run the workload.
If that does not solve the performance issues, the next step is a dedicated instance (the equivalent of buying your own private server in the public cloud), a costly upgrade. Then there is bare-metal, but this is an expensive option and can add a lot of overhead: managing physical servers, possible infrastructure over-commit, and poor resource utilization. Quality of Service (QoS) is something the public cloud providers tell you to architect for, meaning scale out or scale up, since they typically cannot guarantee performance because of noisy neighbors.
At ORock, we are solving these problems with a solution called ORockCloud with Lockheed Martin Hardened Security for Intel Processors, and we have partnered with Lockheed Martin and Intel to bring this joint solution to market. This new hypervisor technology introduces a model for securely provisioning VMs by allocating dedicated resources to each VM at the hardware level: the VM gets its own CPU, cache, VPU, memory and storage.
This solution is vastly different from the way traditional virtualization works. Traditional virtualization time-shares the server hardware between multiple VMs, and that sharing is where noisy neighbor quality-of-service issues arise and where data can be compromised. ORockCloud with Lockheed Martin Hardened Security for Intel Processors dedicates the hardware to the VM, so there are no interruptions from noisy neighbors, and security is increased by using dedicated rather than shared hardware, stopping the entire class of side-channel attacks that depend on hardware sharing.
The solution helps organizations size and allocate resources for their workloads appropriately. When the compute behind your resources is guaranteed and noisy neighbors are not a concern, you can match application workloads to instance types more accurately. Deterministic performance and QoS let organizations stop over-subscribing their workloads with larger instance types.
ORockCloud with Lockheed Martin Hardened Security for Intel Processors is a reasonably priced option for organizations looking to secure workloads in multitenant environments, compared with public cloud dedicated hosts or going to bare-metal. It provides a bare-metal-like experience without the high cost.
I think one of the best features of this solution is that it is available now in the ORock Cloud, which is built on OpenStack, the most widely deployed open-source cloud software in the world. ORock uses OpenStack as the infrastructure base for building highly scalable and secure systems in a cloud-native fashion.
In part two of this post, I will take a closer look at this solution’s capabilities and its security features.