Welcome!

@CloudExpo Authors: Liz McMillan, Harry Trott, Ashish Nanjiani, Moshe Kranc, Elizabeth White

Related Topics: @CloudExpo

@CloudExpo: Article

In Cloud We Trust?

Exclusive Q&A with Mike Gault, CEO of GuardTime

‘In God we trust,’ yet the currency of the Cloud is at odds with trust. Is it possible to trust applications that reside in a Cloud that seems so porous? Cloud Computing Journal's Jeremy Geelan sat down with GuardTime CEO Mike Gault, whose keyless signature technology is used to secure cloud hosting provider Joyent, whose customers include LinkedIn, Gilt, and Twitter.

Cloud Computing Journal: What is GuardTime all about? As one of the few folks in the Cloud space with an initmate knowledge of Estonia, having lived there for more than three years, I know that its origins lie there...

Gault: GuardTime was started in 2006, as you say, in Estonia. For those not familiar with Estonia, Jeremy, let's explain how unique it is in several aspects. First, it’s one of the most wired countries - the whole country’s IT infrastructure was built post-Internet. And so, everything is basically built using the Internet, including the banking systems. For example, 97% of transactions are done online and with this comes a very high knowledge of IT security by the general population.

The academics that invented the keyless signature technology were involved in the design of the infrastructure. They worked together with the local banks in Estonia. During this program, they realized that there was a fundamental problem that remained unsolved in IT security, which is trust. Why should I trust you with my data? Why should you have complete trust in your system administrator? The technology was built as an answer to these questions; as an alternative to the existing PKI technologies that are incapable of solving these specific problems.

Cloud Computing Journal: What happened to PKI (public key infrastructure)?

Gault: The U.S. has a long history in the 1990s and early 2000s with PKI as an IT security tool. It is very powerful for encryption and data privacy. It’s also very powerful for authentication but as a mechanism to prove the integrity and authenticity of data, it’s a horrible technology. It requires key management and trust authorities, both of which could be compromised and even a hint of a compromise would invalidate all historical records. In the end, it costs more to sign the data than it does to actually store the data. This is one of the reasons why PKI achieved very limited uptake in the U.S. for signing data.

Cloud Computing Journal: And then along comes Cloud computing around 2007.

Gault: Exactly. People realized that something fundamentally changed. It basically went from this data is inside my organization and I’m willing to trust my IT department to ‘this data is outside my organization and I can no longer trust the IT department or outsiders, the people that are now hosting my data.

Cloud Computing Journal: And where does GuardTime fit in?

Gault: GuardTime provides the infrastructure for delivering data signatures – the verification of which does not rely on cryptographic keys. That means that any data in the Cloud or outside the organization can now be signed, and the verification of the signature is based solely on mathematics. This means that you can give your data to your Cloud provider and to your clients, to your partners, or the data can be hosted inside the organization. And you have mathematical proof that the data has not been tampered with.

Cloud Computing Journal: So what’s the overhead on this? Do you see this being for specific types of data in communication?

Gault: The ultimate goal is for keyless signatures to be ubiquitous with data integrity. We have scenarios running up and down the stack from file system integration to system integration to application integration, all the way down to very specific application uses, such as non-repudiated e-mail.

We have, for example, a relationship with Joyent where we integrate into the Joyent Smart Data Center technology providing keyless signing services to their users. Application providers hosting applications on the Cloud stack will usually sign specific data items to ensure both data integrity and operating integrity. For e-mail systems, we have clients using the signatures to verify and validate both the sending party and the authenticity of the e-mail and all of its attachments.

Cloud Computing Journal: As you move data to the Cloud there are many different challenges. Applications have to be designed differently. Security gets pushed further and further away from perimeter-based approaches. How do you see security threats changing in the move to the Cloud?

Gault: Cloud computing is the best thing that has happened to information security in 50 years, because it’s forcing people to address the perimeter issue. Up until the existence of Cloud computing it was acceptable to trust the IT department internally. Now that the IT department is outsourced, all of a sudden people are asking the right questions about IT security. The focus must be on the data itself and not on the perimeter around the data. Cloud computing is forcing IT to ask similar security questions about activities inside the enterprise as well. Cyber defense and Cloud computing are actually closely related, because it becomes about who can you trust and what do you do if you can no longer trust the people inside your organization or institution.

Cloud Computing Journal: What are some questions people should ask a Cloud vendor as people weigh their choices between Joyent, Rackspace, or Amazon?

Gault: Most Cloud vendors will provide security by SLA (service level agreements). What these Cloud providers are saying is, “Please trust us. If anything goes wrong, then we’ll give you your money back.” That doesn’t really inspire much confidence. A much better way of providing security is via proof as in “if anything goes wrong we can provide your verifiable proof of what happened”. For cloud services the SLA is key and people should look closely at ones which require trust and ones which provide proof. Currently only Joyent can provide proof via SLA.

Cloud Computing Journal: How would you know that you got that mathematical proof?

Gault: Data is signed as it is stored in the cloud. That data could be application executables, logs or general data. The result of the signature process is a data signature which is stored either embedded inside the data item, with the data item or separately from the data item. To verify a signature you run a series of hash functions using the signature data and either check the result electronically or for the truly paranoid against a newspaper copy.

Cloud Computing Journal: Not every security threat can be solved through mathematical proof of data signing; there’s still application vulnerabilities and insider threats. What are some security questions you would ask?

Gault: Certainly confidentiality is a major question. Having the right tools in place to ensure that confidentiality is also being maintained is critical. So, some questions would be: What mechanism do you have to protect and securely deliver logs? What are you actually able to log? What activity are you recording within your Cloud? Can the integrity of those logs be proven regardless of when and where they are sent?

Cloud Computing Journal: Security logs are notorious for sitting around and not being accessed unless there’s a known problem. Now that we’re moving to the Cloud, are there better tools to make logs actionable in real-time rather than something that’s basically forensic?

Gault: The SIEM providers are looking at technologies to pull together information and leverage the Cloud resources as well. Users of the Cloud have to employ their own security measures based on their risk level and their regulatory requirements. What GuardTime provides is the ability to prove that those technologies have indeed worked as designed and planned.

It’s important that the technologies have been implemented properly when the logs are being created and that they’re being used properly to analyze and correlate the data into different sets of information. All those actions, including the policy definitions and admin changes associated with them, need to be signed. Because, one of the first things that an attacker will do after gaining access to a system, especially if they are an inside attacker, is to go into the logs and remove the entries that show how and where the access was gained and what has been done to modify the environment to leave the back door open. GuardTime can’t prevent those things from happening, but it can prove that those logs are, in fact, intact and haven’t been changed outside of the rules defined.

More Stories By Jeremy Geelan

Jeremy Geelan is Chairman & CEO of the 21st Century Internet Group, Inc. and an Executive Academy Member of the International Academy of Digital Arts & Sciences. Formerly he was President & COO at Cloud Expo, Inc. and Conference Chair of the worldwide Cloud Expo series. He appears regularly at conferences and trade shows, speaking to technology audiences across six continents. You can follow him on twitter: @jg21.

More Stories By Mike Gault

Mike Gault is CEO of Guardtime, the developer of Keyless Signatures that algorithmically prove the time, origin and integrity of electronic data. He started his career conducting research in Japan on the computer simulation of quantum effect transistors. He then spent 10 years doing quantitative financial modeling and trading financial derivatives at Credit Suisse and Barclays Capital. Mike received a Ph.D. in Electronic Engineering from the University of Wales and an MBA from the Kellogg-HKUST Executive MBA Program.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
A look across the tech landscape at the disruptive technologies that are increasing in prominence and speculate as to which will be most impactful for communications – namely, AI and Cloud Computing. In his session at 20th Cloud Expo, Curtis Peterson, VP of Operations at RingCentral, highlighted the current challenges of these transformative technologies and shared strategies for preparing your organization for these changes. This “view from the top” outlined the latest trends and developments i...
Automation is enabling enterprises to design, deploy, and manage more complex, hybrid cloud environments. Yet the people who manage these environments must be trained in and understanding these environments better than ever before. A new era of analytics and cognitive computing is adding intelligence, but also more complexity, to these cloud environments. How smart is your cloud? How smart should it be? In this power panel at 20th Cloud Expo, moderated by Conference Chair Roger Strukhoff, paneli...
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex software systems for startups and enterprises. Since 2009 it has grown from a small group of passionate engineers and business...
Hardware virtualization and cloud computing allowed us to increase resource utilization and increase our flexibility to respond to business demand. Docker Containers are the next quantum leap - Are they?! Databases always represented an additional set of challenges unique to running workloads requiring a maximum of I/O, network, CPU resources combined with data locality.
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
SYS-CON Events announced today that Ayehu will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara California. Ayehu provides IT Process Automation & Orchestration solutions for IT and Security professionals to identify and resolve critical incidents and enable rapid containment, eradication, and recovery from cyber security breaches. Ayehu provides customers greater control over IT infras...
SYS-CON Events announced today that Datanami has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datanami is a communication channel dedicated to providing insight, analysis and up-to-the-minute information about emerging trends and solutions in Big Data. The publication sheds light on all cutting-edge technologies including networking, storage and applications, and the...
Artificial intelligence, machine learning, neural networks. We’re in the midst of a wave of excitement around AI such as hasn’t been seen for a few decades. But those previous periods of inflated expectations led to troughs of disappointment. Will this time be different? Most likely. Applications of AI such as predictive analytics are already decreasing costs and improving reliability of industrial machinery. Furthermore, the funding and research going into AI now comes from a wide range of com...
SYS-CON Events announced today that EnterpriseTech has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. EnterpriseTech is a professional resource for news and intelligence covering the migration of high-end technologies into the enterprise and business-IT industry, with a special focus on high-tech solutions in new product development, workload management, increased effi...
In this presentation, Striim CTO and founder Steve Wilkes will discuss practical strategies for counteracting fraud and cyberattacks by leveraging real-time streaming analytics. In his session at @ThingsExpo, Steve Wilkes, Founder and Chief Technology Officer at Striim, will provide a detailed look into leveraging streaming data management to correlate events in real time, and identify potential breaches across IoT and non-IoT systems throughout the enterprise. Strategies for processing massive ...
SYS-CON Events announced today that SourceForge has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. SourceForge is the largest, most trusted destination for Open Source Software development, collaboration, discovery and download on the web serving over 32 million viewers, 150 million downloads and over 460,000 active development projects each and every month.
"Our strategy is to focus on the hyperscale providers - AWS, Azure, and Google. Over the last year we saw that a lot of developers need to learn how to do their job in the cloud and we see this DevOps movement that we are catering to with our content," stated Alessandro Fasan, Head of Global Sales at Cloud Academy, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We focus on composable infrastructure. Composable infrastructure has been named by companies like Gartner as the evolution of the IT infrastructure where everything is now driven by software," explained Bruno Andrade, CEO and Founder of HTBase, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that Conference Guru has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organi...
SYS-CON Events announced today that Cloud Academy named "Bronze Sponsor" of 21st International Cloud Expo which will take place October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara, CA. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud com...
What's the role of an IT self-service portal when you get to continuous delivery and Infrastructure as Code? This general session showed how to create the continuous delivery culture and eight accelerators for leading the change. Don Demcsak is a DevOps and Cloud Native Modernization Principal for Dell EMC based out of New Jersey. He is a former, long time, Microsoft Most Valuable Professional, specializing in building and architecting Application Delivery Pipelines for hybrid legacy, and cloud ...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
"Tintri focuses on the Ops side of the DevOps, which basically is pushing more and more of the accessibility of the infrastructure to the developers and trying to get behind the scenes," explained Dhiraj Sehgal of Tintri in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We do one of the best file systems in the world. We learned how to deal with Big Data many years ago and we implemented this knowledge into our software," explained Jakub Ratajczak, Business Development Manager at MooseFS, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.