How IntegriCloud™ Secures Your Data

Architecture Overview

The IntegriCloud™ platform has been specifically designed to counter the spread of increasingly complex cloud security protocols built on a fundamentally untrustworthy, opaque root of trust. As such, we are the first and only provider to offer the option of multiple separate core roots of trust, with no single root of trust required below them. Our chain of trust operates "in the clear" to eliminate the potential of silent coercion, whether in the form of modified firmware or certification of malicious hardware.

As can be seen from the above diagram, there is no area where a malicious operator, administrator, or other entity can easily access data stored on the leased systems. Furthermore, our unique multi-root trust model allows for region-specific trust to be established; for example, EU corporations that must comply with the GDPR may choose to only use systems certified by a root of trust bound by EU data privacy legislation. Once provisioned, systems cannot easily be tampered with to inject hardware, firmware, or software based malware; in fact, the features of the active FlexVer™ security module allow a provisioned system to be shipped from one location to another while maintaining integrity at all times.

Data Protection

To achieve our goal of complete client data opacity, we use encryption heavily within the IntegriCloud™ system. Decrypted client data is only temporarily stored "in flight" on the CPUs and RAM of our nodes, and those nodes in turn run publicly auditable software that can be shown to deny all external access to the decrypted data. Furthermore, decryption occurs under full control of the client — we have no special means of forcibly decrypting the client data, unlike other providers that can simply dump encryption keys from VPS memory, migrate a VPS to a compromised hypervisor, or allocate compromised bare metal systems without detection.

Each node uses an ephemeral encryption key to scramble and protect data that is written to node local storage during leased system operation, preventing timing attacks against any unencrypted media such as system install images. This, in turn, allows the use of one-way hashing algorithms from within the MTI environment to verify correctness of any media loaded into a VPS instance before use of said media. Finally, our publicly auditable kernels enforce a level of memory isolation not normally seen on VPS hosts in an effort to mitigate side channel attacks against individual virtual machines.

→  Compare against other providers.

Roots of Trust

While ideally no blind trust would be required in a secure system, mathematics dictates that eventually something or someone must be trusted implicitly in order to establish a chain of trust. While other providers ask that you blindly trust their internal, hidden divisions that control the master keys for their platforms, we instead ask that you select a root of trust that you can authenticate through other means. We have no master key, or any other single point of failure where forced silent coercion or similar is able to take down the security of the entire platform. To this end, our security officers use GPG signing to attest to the fact that they have personally observed each system that has gone into production, that the system has not been compromised in any way, and that the hardware root of trust is implicitly trusted by that security officer. Furthermore, the FlexVer™ hardware allows firmware readback without the possibility of modification, and as a result "spot audits" of the FlexVer™ firmware itself are possible. The result is a system that can be trusted based on its transparency, instead of one that asks that you blindly accept the provider's word that they are not silently processing or exfiltrating data at your sole risk.

Get Started!

Get started with a secure IntegriCloud™ system today by topping up and following our easy Quick Start Guide!