The public cloud operating and application environment is often shared with other companies, thereby increasing the risk of cross-tenant activity. This can introduce unexpected or malicious behavior to occur within the operating system and the applications.
Therefore, the only real way to guarantee proof of operating integrity in the cloud is through the use of a keyless, scalable, code- and application-signing solution designed for the cloud. To properly address this risk, the developers must sign their 'gold master' code or application, declaring that only those applications approved (signed) by the developers would be allowed to execute. Any applications that were changed out of band, manipulated by malicious software, or changed by the cloud provider would not be allowed to execute.
This brings us back to the question: How can I trust the cloud provider with my environment and my data? To answer the question: Don't. Instead, operate with proof using a scalable, independently verifiable, mathematics-based data signing solution designed specifically for the cloud.
Sean Martin, CISSP, is owner and directing consultant at imsmartin consulting. Contact him at firstname.lastname@example.org.