Imagine placing all of your most important data in a safe, but the safe belongs to someone else and stands on their premises. How can you be sure that nobody is looking in or changing something? This is exactly the dilemma faced by companies and organisations that use the cloud to process or store data. This thesis took important steps towards better understanding, and reducing, the trust that the cloud requires, by investigating how we can independently verify that data in the cloud really remains secure.

More and more companies and organisations are moving their data to the cloud, the digital infrastructure of providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud. That move offers plenty of advantages: you no longer have to maintain your own servers, and you can expand and grow easily. The rise of AI further drives the use of cloud infrastructure, because training complex models requires enormous computing power and scalable storage. Yet these advantages go hand in hand with growing concerns about privacy and security. Data breaches, such as the Facebook incident of 2019, show that even large technology companies can make mistakes. For organisations that manage sensitive information, such as hospitals, banks or AI projects, blind trust in the cloud is not an option. Legislation such as the GDPR also obliges companies to protect data carefully.
Today, trust in cloud providers often rests on contracts, reputation or software-based security. Those are useful but weak guarantees: you still have to trust that the provider keeps its word. Technical proof that your data and applications really remain secure is missing.
A possible way out comes from a relatively new research field, confidential computing. It uses special hardware that can cryptographically demonstrate that data and programs are protected, even against the cloud provider. Organisations can thus independently verify that their information is processed correctly and securely, instead of simply having to take it on faith.
The focus of this thesis was investigating whether the SVSM-vTPM, a technology within confidential computing, can be applied in real public cloud environments. Until now this technology had only been tested in experimental clouds, which allow far more freedom to modify and test systems. The goal of this research was to determine whether the SVSM-vTPM can function in public clouds without weakening security. The study concentrated on the three largest players: AWS, Azure and Google Cloud.
The results turned out to be surprising: none of the platforms examined currently allows this innovative technology to be used. The research shows clearly what is needed to apply the SVSM-vTPM and why that is not yet feasible with the largest cloud providers.
Each of the three providers does offer confidential computing, but these solutions are often limited and not very transparent, so the customer remains dependent on the provider itself. An analysis mapped the strengths and weaknesses of each platform and showed that Microsoft Azure currently offers the strongest security foundations.
The research was carried out through a thorough study of the various platforms. This relied on scarce and scattered documentation, supplemented with practical experiments on the platforms themselves. That was a challenge, since every platform is very closed and reticent about how its products work.
Because Microsoft Azure offered the strongest security foundations, this platform was chosen for developing a practical solution. A framework was designed that verifies the trustworthiness of programs, based on the design principles of the SVSM-vTPM. The system worked successfully and yielded valuable insights: it shows how organisations within Azure can better protect their data and reduce the trust placed in the cloud provider by applying verification mechanisms themselves.
The cloud is the engine of innovation, but also a source of vulnerability. With technologies such as confidential computing, the day is drawing nearer when trust in the cloud is no longer a matter of belief but of proof. This thesis shows how secure public cloud platforms really are today and which limitations still exist in the confidential computing solutions they offer. Finally, a framework was developed that organisations can use to check the cloud provider on the platform found to be the most secure, Microsoft Azure. In this way organisations can, in the future, no longer be mere users of the cloud but take an active role in protecting their own digital security.
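The two ideas the summary relies on, hardware that cryptographically demonstrates what is running (the vTPM) and a framework on the customer's side that checks program trustworthiness against it, can be shown in miniature. The block below is an added example, not code from the thesis or from the SVSM-vTPM project. It models a SHA-256 PCR bank that a guest extends with each measured component, a quote over those PCR values plus a verifier-chosen nonce, and the verifier's four checks: quote signature, nonce freshness, replay of the event log, and comparison with golden reference values. Two simplifications are assumptions of this example and not how a real vTPM works: an HMAC with a shared key stands in for the attestation-key signature (a real TPM signs with an asymmetric key whose certificate chains to the hardware root), and the event log, component names and key are constructed sample data.

```python
# Added example: simplified measured-boot attestation check (not the thesis' framework).
import hashlib
import hmac
import json
import secrets

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 2.0 extend for a SHA-256 bank: PCR_new = H(PCR_old || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def replay_log(event_log):
    """Recompute PCR values from an ordered list of (pcr_index, component) events."""
    pcrs = {}
    for idx, component in event_log:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), component)
    return pcrs


def make_quote(ak_key: bytes, pcrs, nonce: bytes):
    """Guest side: 'sign' the PCR values together with the verifier's nonce.
    Assumption: HMAC stands in for the asymmetric attestation-key signature."""
    body = {"nonce": nonce.hex(),
            "pcrs": {str(i): v.hex() for i, v in sorted(pcrs.items())}}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload,
            "sig": hmac.new(ak_key, payload, hashlib.sha256).hexdigest()}


def verify_quote(ak_key: bytes, quote, nonce: bytes, event_log, reference_pcrs):
    """Verifier side. Returns (ok, reason) so the caller can log why a quote failed."""
    # 1. The signature binds the quote to the (v)TPM's attestation key.
    expected_sig = hmac.new(ak_key, quote["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return False, "bad signature"
    body = json.loads(quote["payload"])
    # 2. Freshness: the quote must cover the nonce chosen for this session.
    if body["nonce"] != nonce.hex():
        return False, "nonce mismatch (replayed quote)"
    # 3. The event log presented with the quote must reproduce the quoted PCRs.
    replayed = {str(i): v.hex() for i, v in replay_log(event_log).items()}
    if replayed != body["pcrs"]:
        return False, "event log does not match quoted PCRs"
    # 4. The quoted PCRs must equal the golden values the customer maintains.
    for idx, ref in reference_pcrs.items():
        if body["pcrs"].get(str(idx)) != ref.hex():
            return False, f"PCR {idx} differs from reference"
    return True, "ok"


def run_demo():
    """Constructed scenario: an honest boot, a modified kernel, and a replayed quote."""
    ak_key = b"constructed-demo-key"          # constructed; stands in for the AK
    good_log = [(0, b"firmware v1"), (4, b"bootloader"), (4, b"kernel 6.1")]
    reference = replay_log(good_log)          # golden PCRs recorded from a known-good boot
    nonce = secrets.token_bytes(16)
    honest = verify_quote(ak_key, make_quote(ak_key, reference, nonce), nonce, good_log, reference)
    bad_log = [(0, b"firmware v1"), (4, b"bootloader"), (4, b"kernel 6.1-modified")]
    modified = verify_quote(ak_key, make_quote(ak_key, replay_log(bad_log), nonce), nonce, bad_log, reference)
    stale = verify_quote(ak_key, make_quote(ak_key, reference, bytes(16)), nonce, good_log, reference)
    return {"honest": honest, "modified_kernel": modified, "stale_nonce": stale}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The order of the checks matters: signature first, so nothing further is trusted from an unsigned blob; nonce second, so a genuine but old quote cannot be replayed; log replay third, so a tampered event log is caught even when the PCRs are genuine; reference comparison last, because only at that point is the quoted state known to be authentic and fresh. A customer-side framework of the kind the summary describes keeps the reference values and the attestation-key trust anchor itself, so the decision no longer rests with the provider.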