Cloud computing is a service model where computing resources are delivered over a network. Typically, a common virtualized infrastructure is used to provide services for multiple client organizations (tenants). Advantages of cloud computing include lower costs through shared computing and network infrastructure, on-demand provisioning of resources, and multi-tenant solutions, among others.
Data security within the shared cloud network infrastructure is a major concern. Although secure web services and virtual private networks (VPNs) can provide secure communication with the cloud, such security ends at the entry point to the cloud provider. That is, data traversing the internal network of the cloud provider's infrastructure typically flows in an unsecured manner.
One solution for securing data traversing the provider's internal network uses virtual local area networks (VLANs), which afford tenants segregated logical networks. However, VLANs may allow malicious entities to gain unauthorized access to network data by means such as passive wiretapping, masquerading attacks, man-in-the-middle attacks, private VLAN attacks, and some denial of service attacks.
Another solution for securing data traversing the provider's internal network relies on point-to-point encryption techniques, such as Secure Sockets Layer (SSL) or IPSec. However, such techniques, which typically require negotiation of encryption keys by each pair of endpoints wishing to communicate securely, do not scale well. For example, if n virtual machines (VMs) (or applications running thereon) wish to communicate securely with each other, then each VM (or application) must be capable of performing the particular type of encryption (e.g., SSL encryption), as well as negotiate and manage n*(n−1) security keys.