The Internet is used to interact with various web sites that offer up-to-date news, reports, real-time information, games, business functions, social interfaces, search functions, telepresence, e-commerce, etc. Behind all of the personal and business applications associated with the Internet is an evolving, rapidly growing, enormous amount of content and information in the form of text, graphics, audio, video, multi-media, data, web objects, applications, real-time streams, and other content capable of internet delivery. All of this content is typically stored on servers, which are basically powerful computers that are specially designed to store and provide or “serve” the requested content to the end users.
However, servers are rather expensive to install, upgrade, and maintain. In addition, the network hardware to connect the servers onto the Internet backbone can also be quite expensive to purchase, install, and maintain. It takes expert knowledge to build and efficiently operate a server farm or data center. Oftentimes, successful businesses may have to upgrade their server infrastructure to handle the increased Internet traffic. The upgrade process can be a difficult, time-consuming, and costly endeavor. Furthermore, running, servicing, troubleshooting, and load-balancing a server farm or data center can be quite daunting. Yet another downside inherent to server farms and data centers is that deployment can take a relatively long period of time. These days, content providers strive to be first-to-market in order to capture a particular audience, market segment, or business opportunity.
In response to the shortcomings of owning and running a dedicated server farm or data center, an Internet based computing technology known as “cloud computing” is gaining popularity. With cloud computing, an information technology (IT) service provider specializes in establishing and running one or more huge collections of servers. The computing, storage, and networking resources of the “cloud computer” are then essentially rented out to businesses and other content providers for a fee. Initially, a user or business can contract for a specific, desired amount of computing, networking, and storage resources in exchange for a specified periodic payment. The IT cloud computing service provider provisions and allocates the requested resources by means of virtualization. In this manner, the actual underlying infrastructure (e.g., servers, network devices, storage units, etc.) is transparent to the purchaser. And should the purchaser need to upgrade, the IT cloud computing service provider can simply provision and allocate the requisite additional amount of resources to handle the purchaser's needs.
Because the cloud computing infrastructure is shared amongst different end users, it is critical that the content and data is kept secure and confidential. It is also critical to keep the sensitive content and data secure from malicious attacks from hackers and other third parties as well. One way to accomplish both these goals entails the use of a symmetric key pair encryption process. One key is the public key, which can be shared publicly; whereas the other key is the private key, which must be kept in a secure local location. This type of encryption provides a very high degree of authentication whenever the cloud computer is being accessed. For example, when a user desires to initiate a command or request through an application programming interface (API) call, the API call is encrypted by means of the public and private keys. This ensures that the API call is authentic.
One problem with this setup is that in order to leverage the capabilities offered by cloud computing, automatically initiated servers should be able to execute an API call to access cloud services such as a distributed queuing service (e.g., Simple Queue Service—SQS). This, in turn, means that the server must have the proper pair of public and private keys to make that API call. However, before the servers are provisioned, they lack the proper pair. Although the public key is supposed to be transmitted and shared, the private key should not. Thus, the problem becomes how to provide the private keys to the servers so that they can execute the necessary API calls.
One solution to the problem is to hardcode the private keys to a read-only machine image. This machine image can then be loaded onto the servers. The disadvantage to this solution is that, should the private key ever become compromised or be periodically renewed for security reasons, it is a rather cumbersome process to have to manually update machine images containing the new private keys. Another possible solution is to transmit the private key as part of the user text data meant to customize the server's state. However, this is very dangerous because the private key is sent in plain text and is susceptible to being intercepted or hacked. A third solution is for a central server to continuously ping the other servers to determine when they are being provisioned. Once a server acknowledges that it is being provisioned, the central server then sends the private key via a secure channel. The downside to this approach is that the central sever has to continuously monitor and track each of the multitudes of servers and their respective states. Turning on many servers at the same time can result in a significant amount of computing overhead. Alternatively, the servers can notify the central server when they are being provisioned. Unfortunately, without an authentication mechanism, the central server may respond to maliciously fabricated notifications and the private key becomes compromised.
Thus, to-date, there is no expedient and fail-safe mechanism for providing credential information transfers in a cloud computing environment.