One of the curses of our jargon-filled era is the tendency to use simple words with subtle semantics as though no definition or explanation is needed. One of the words that are most frequently abused in this way is “secure”. In a provocative blog piece entitled “Encrypted Storage and Key Management for the cloud“, my colleague Jim Hughes takes the OVF committee to task for claiming to have described “an open, secure, portable, efficient and extensible format for the packaging and distribution of software to be run in virtual machines” without ever defining what they mean by “secure”. And then he proposes one possible approach, or perhaps a challenge:
What does it mean to have secure storage in the cloud:
- Only I can boot my virtual machine,
- Unauthorized tampering of my virtual machine will be detected,
- My data is accessed solely by my virtual machine, and
- The system should not require me to enter a key or passphrase.
These seemly simple goals are surprisingly elusive