As various forms of distributed computing, such as cloud computing, have come to dominate the computing landscape, security has become a bottleneck issue that currently prevents the complete migration of various capabilities and systems associated with sensitive data, such as financial data, to cloud-based infrastructures, and/or other distributive computing models. This is because many owners and operators of data centers that provide access to data and other resources are extremely hesitant to allow their data and resources to be accessed, processed, and/or otherwise used, by virtual assets, such as virtual machine and server instances in the cloud.
In a cloud computing environment, various virtual assets, such as, but not limited to, virtual machine instances, data stores, and various services, are created, launched, or instantiated, in the cloud for use by an “owner” of the virtual asset, herein also referred to as a user of the virtual asset.
Herein the terms “owner” and “user” of a virtual asset include, but are not limited to, applications, systems, and sub-systems of software and/or hardware, as well as persons or entities associated with an account number, or other identity, through which the virtual asset is purchased, approved managed, used, and/or created.
As noted, the owner of a virtual asset is typically associated with, and identified by, an account number used to create the owned virtual assets. Once the virtual assets are instantiated by the owner of the virtual asset they become available for use by the owner of the virtual asset which then typically authorizes the virtual asset to receive one or more secrets necessary to “boot up” and/or access sensitive data required by the virtual assets to perform the tasks for which the virtual assets were created. Consequently, when launched, the virtual assets are often provided highly sensitive data or secrets by the owner of the virtual asset.
Given the situation described above, it is highly desirable for the owner of virtual assets in a cloud computing environment to firmly establish that the virtual assets they are contemplating using are legitimate virtual assets created by, and owned by, the virtual asset owner. In short, one long-standing security issue associated with cloud computing is the need for owners of virtual assets to validate virtual assets before the virtual assets are provided secrets and sensitive data necessary to boot up, e.g., before any secrets are provided to the virtual assets.
However, a given cloud computing environment can include hundreds, thousands, or even millions, of virtual assets, owned or used by hundreds, thousands, or even millions, of parties. As a result, there is a significant risk that one or more parties with malicious intent will control some of the virtual assets in a cloud computing environment, or use other mechanisms within the cloud computing environment, to obtain access to sensitive secrets and data of other parties/owners. One common method used by these parties with malicious intent is to create malicious virtual assets, or other malicious software, that presents itself as a virtual asset owned by another party. This type of mechanism is known as “spoofing” and is used to lure an owner of virtual assets into believing that the spoofing virtual asset, or other software, is owned by the owner and therefore is eligible to receive secrets and other sensitive data controlled by the owner of virtual assets. Consequently, currently, there is a significant, and legitimate, concern that using cloud computing environments to process sensitive data, such as financial data, is a risky endeavor.
What is needed is a method and system to reliably authenticate that a virtual asset is owned by a given party, e.g., to validate that a virtual asset is a legitimate virtual asset, before providing any secrets, or other forms of sensitive data, to the virtual asset.