How to secure the bare metal cloud

Conceptual image of security in cloud storage
(Image credit: Shutterstock)

Bare metal isn't exactly a new technology concept, it was first applied to a hard drive more years ago than I care to mention. In terms of a bare metal environment then, we must think of any network where a virtual machine is installed directly on hardware rather than running within a host OS.

The term has now started to gain traction within the cloud environment, where it refers to dedicated hardware servers in a co-location space that specifically do not run a hypervisor and so are not virtualised but are still delivered within a cloud-like service model. Most commonly these are implemented by way of complimenting a virtualised cloud service, although they can sometimes be seen as a complete substitute.

One thing remains constant though, and that is the driver of the bare metal cloud is overhead elimination (the removal of the hypervisor) in order exploit the best price/performance capability. However, there are also security benefits courtesy of the dedicated, single tenant, nature of the bare metal beast.

The bare metal security conundrum

Internap’s vice president of product management, Satish Hemachandran, explains this removal of the hypervisor from the cloud equation as also removing "one of the potential attack vectors" and while admitting that hypervisors have become highly resilient over the years points to the recent bug in the Xen hypervisor as cause for caution.

"While this (Xen) patch update and the corrective actions are seemingly behind us" Hemachandran argues "customers deployed on systems without a hypervisor didn't have to worry about being affected."

He's convinced that if implemented along with additional security elements like firewalls, data encryption and strictly monitored access to the network, "the fully dedicated hardware of bare-metal cloud can provide better control over your data."

Bare metal is not risk free

Most security experts would agree that if the user has a dedicated server then they can benefit from the knowledge that no other tenant will have access to that server, and this makes a bare metal approach physically more secure simply because it's isolated from other environments. However, that doesn't mean it is a risk-free cloud environment.

"The primary risk for bare metal customers is that the servers fall short of platform standards required for different use cases" warns Dos Dosanjh, Head of Solutions at CipherCloud who continues "they will need to ensure that the bare metal servers adhere to their own internal security requirements."

A viewpoint that Catalin Cosoi, Chief Security Strategist at Bitdefender confirms. "Rolling your own security setup is probably the biggest source of risk" Cosoi told Cloud Pro, adding "look into purchasing an integrated solution that can work in such environments, preferably one that includes IT staff training and post-sales support."

Training and support are vital, especially when you factor human error into the risk assessment. "Servers will have to be provisioned manually when scale is required" Dosanjh explains, "these manual steps, though certain tasks can be automated, will require an individual to provision the bare metal cloud services and that can lead to human error."

The pros and cons of isolation

One of the weaknesses of the bare metal model, although it can also be a primary strength, is the physical isolation thing. It has been suggested by some in the IT security space that bare metal cloud environments 'lack physical isolation between tenants and typically do not provide sufficient protection against physical server access, particularly against threats that could compromise server memory’.

The so-called 'Evil Maid' attack has to be considered a possibility. Bruce Schneier defines this by way of an example scenario whereby an encrypted computer is left in your hotel room while you have dinner, and the 'evil maid' sneaks in and installs a hacked bootloader.

Cosoi warns that in this scenario there really is precious little difference between bare metal and virtualised infrastructures. "There is something to be said for physical separation of processing cores and memory, though" Cosoi adds "in a virtualised environment the possibility of exotic threats such as timing channel attacks on encryption keys used by a ‘neighbouring’ VM cannot be entirely discounted." And, as Dosanjh points out, physical server isolation requirements are based upon the organizations risk tolerance and pricing model. "If bare metal servers are not securely isolated," he admits "then they could become susceptible to unauthorized access."

In conclusion

OK then, on to the $64 million question: how can the enterprise best mitigate the risks of using bare metal clouds? Cosoi thinks that the initially counter-intuitive sounding option of not discounting the power of virtualisation and containerisation even when taking the bare metal route is worthy of consideration.

"New techniques, for example isolating specific tasks inside micro-VMs or Docker container", he says "can benefit from the performance of bare metal and offer added security at the same time."

While Dosanjh suggests employing a strategy whereby physical isolation of the bare metal servers (rack, cage, power, connectivity) are in place. "In addition" he concludes "a well-defined policy and process that activates additional servers" should be implemented.

Best practise tips for securing the bare metal cloud

  • Ensure that the bare metal server hardware and software (OS/Apps) meets the organisations security requirements
  • Ensure facility and physical location are provisioned for scale
  • Ensure that the staff are certified in deploying and managing the servers
  • As with any out-of premise deployment, carefully consider the security, integrity and availability of the data you're storing and processing. Security in transit and in storage is a must, as are reliable backups and a fail-over capacity.
  • Pay close attention to the physical and logical architecture of the network you're using, to avoid any inadvertent data leaks.
Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at