Cloud computing allows a user to obtain computing resources, such as processing cycles, applications and storage, from a cloud provider on demand. A public cloud provider provides computing resources to users and organizations over the Internet. Because computing resources are provided on demand, an enterprise only needs to pay for what it uses and therefore reduces its expenditure on computing infrastructure such as hardware, applications and bandwidth. Cloud computing therefore presents a cost-effective solution for meeting the computing needs of an enterprise.
One of the resources that a public cloud can provide is a virtual machine (VM). The VM is executed under the control of an enterprise user, but the VM image itself might be stored at the cloud provider. The enterprise user therefore has to rely on the security practices of the cloud provider to protect the VM image. When persisted data is stored at a public cloud provider, there is, by the nature of the provider's business, a higher risk that the data could be leaked or stolen and thus accessed by an unauthorized entity. Consequently, an enterprise typically avoids storing in the VM image any kind of password, key or certificate that would allow the VM to connect back to enterprise resources.
When a VM connects to an enterprise, the VM may gain access to the data stored behind the enterprise firewall. In a standard login procedure, an ordinary user who tries to gain access to the data behind the firewall would need to type in a user ID and a password (e.g., a one-time password (OTP), since static passwords are not secure enough for remote users). In the case of automatically connecting a VM to an enterprise, there is a chicken-and-egg problem: to connect, the VM needs to have an identity and know its password (e.g., an OTP or another kind of key or credential with which the VM can be authenticated). However, if the password is stored persistently within the VM, it can be stolen. With a stolen password, an intruder would be able to impersonate the VM and penetrate the enterprise security without the enterprise even knowing about the attack.
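The rule stated above, that no password, key or certificate should be persisted inside a VM image, is something a practitioner would want to check before an image is uploaded to a provider. The following is an added example (not from the original text or any product it describes) of a pre-publication scanner that walks an unpacked image root and flags files containing credential material; the directory layout, file names and contents are constructed sample data, and the pattern set is an assumption that would be extended for a real build pipeline.

```python
"""Scan an unpacked VM image tree for persisted credentials before upload."""
import re
import tempfile
from pathlib import Path

# Credential material that should never ship inside a VM image (assumed pattern set).
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "certificate": re.compile(r"-----BEGIN CERTIFICATE-----"),
    "password_assignment": re.compile(r"(?im)^\s*(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def scan_image_tree(root: str, max_bytes: int = 1_000_000) -> list:
    """Return (relative_path, finding_kind) pairs for every file matching a pattern."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            # Only inspect the first max_bytes so large binaries do not stall the scan.
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append((path.relative_to(root).as_posix(), kind))
    return findings


def build_sample_tree() -> str:
    """Create a tiny fake image root (constructed sample data, not a real image)."""
    root = tempfile.mkdtemp(prefix="vm_image_")
    files = {
        "etc/app/config.ini": "[db]\nhost=db.internal\npassword=hunter2\n",
        "root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
        "etc/motd": "Welcome to the build image.\n",
    }
    for rel, content in files.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text(content)
    return root


if __name__ == "__main__":
    for rel, kind in scan_image_tree(build_sample_tree()):
        print(f"{kind}: {rel}")
```

A non-empty result from `scan_image_tree` is the signal to fail the image build rather than upload it; the two constructed files with a password and a private key are reported, while the harmless message-of-the-day file is not.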