Introduction

Cloud providers are in a position to greatly improve the trust clients have in network services: IaaS platforms can isolate services so they cannot leak data, and can help verify that they are securely deployed. We describe a new system called CQSTR that allows clients of a service to verify its security properties. CQSTR provides a new cloud container abstraction, similar to Linux containers but at the level of VM clusters within IaaS clouds. Cloud containers enforce constraints on what software can run, and control where and how much data can be communicated across service boundaries. With CQSTR, IaaS providers can make assertions about the security properties of a service running in the cloud.

We investigate implementations of CQSTR on both Amazon AWS and OpenStack. On AWS, we build on virtual private clouds to limit network access and on the platform's authorization mechanisms to limit storage access; however, many security properties cannot be enforced up front on AWS and can only be checked by monitoring audit logs for violations. With only modest modifications to the OpenStack code we fully realized CQSTR. We demonstrate how to use CQSTR to build more secure deployments of the data analytics frameworks PredictionIO, PacketPig, and SpamAssassin. In experiments on CloudLab we found that the performance overhead of applications running in CQSTR is near zero.
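The audit-log monitoring that the AWS deployment falls back on, as an added example that is not code from the CQSTR paper: a checker that scans CloudTrail-style JSON records for actions that would break a cloud container's constraints (an unapproved image being run, the container's storage being read by an outside account, the container's security group being opened to the Internet). The record layout follows CloudTrail's field names, but the policy values, account numbers, image and group IDs, and the log lines themselves are constructed for this example and are not from the paper.

```python
"""Audit-log checker for a hypothetical CQSTR-style cloud container on AWS.

Added illustration, not the paper's code. It shows the after-the-fact check
the abstract describes: when a constraint cannot be enforced by VPC or IAM
configuration alone, CloudTrail records are scanned for violations of it.
"""
import json

# Constructed policy for one cloud container (all values hypothetical).
POLICY = {
    "container_accounts": {"111111111111"},       # principals inside the container
    "allowed_images": {"ami-0abc12345def67890"},  # the only software allowed to run
    "buckets": {"cqstr-container-data"},          # storage owned by the container
    "security_groups": {"sg-0cont11"},            # groups forming the network boundary
}


def _account_of(event):
    return event.get("userIdentity", {}).get("accountId", "")


def check_event(event, policy=POLICY):
    """Return the list of container-policy violations in one CloudTrail record."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    violations = []

    if name == "RunInstances":
        # "What software can run": every launched instance must use an approved image.
        for item in params.get("instancesSet", {}).get("items", []):
            image = item.get("imageId")
            if image not in policy["allowed_images"]:
                violations.append(f"RunInstances with unapproved image {image}")

    elif name in ("GetObject", "PutObject", "CopyObject"):
        # "Where data may flow": container storage is only touched from inside.
        bucket = params.get("bucketName")
        acct = _account_of(event)
        if bucket in policy["buckets"] and acct not in policy["container_accounts"]:
            violations.append(f"{name} on {bucket} by outside account {acct}")

    elif name in ("AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"):
        # Network boundary: the container's groups must not be opened to everyone.
        group = params.get("groupId")
        if group in policy["security_groups"]:
            for perm in params.get("ipPermissions", {}).get("items", []):
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if rng.get("cidrIp") == "0.0.0.0/0":
                        violations.append(f"{name} opened {group} to 0.0.0.0/0")

    return violations


def scan(records, policy=POLICY):
    """Scan parsed records; return (eventID, violation) pairs."""
    return [(ev.get("eventID", "?"), v) for ev in records for v in check_event(ev, policy)]


def scan_log(text, policy=POLICY):
    """Scan a newline-delimited JSON log (one CloudTrail record per line)."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return scan(records, policy)


def _ct(event_id, name, account, params):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventID": event_id, "eventName": name,
            "userIdentity": {"accountId": account}, "requestParameters": params}


def _sg_rule(group, cidr):
    return {"groupId": group,
            "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                         "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}


# Constructed sample log: two clean launches/reads, three violations.
SAMPLE_RECORDS = [
    _ct("ev-1", "RunInstances", "111111111111",
        {"instancesSet": {"items": [{"imageId": "ami-0abc12345def67890"}]}}),
    _ct("ev-2", "RunInstances", "111111111111",
        {"instancesSet": {"items": [{"imageId": "ami-0bad0bad0bad0bad0"}]}}),
    _ct("ev-3", "GetObject", "111111111111",
        {"bucketName": "cqstr-container-data", "key": "model.bin"}),
    _ct("ev-4", "GetObject", "222222222222",
        {"bucketName": "cqstr-container-data", "key": "model.bin"}),
    _ct("ev-5", "AuthorizeSecurityGroupIngress", "111111111111",
        _sg_rule("sg-0cont11", "0.0.0.0/0")),
    _ct("ev-6", "AuthorizeSecurityGroupIngress", "111111111111",
        _sg_rule("sg-0cont11", "10.0.0.0/16")),
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    for event_id, violation in scan_log(SAMPLE_LOG):
        print(f"{event_id}: {violation}")
```

A real deployment would feed this the records delivered by CloudTrail (S3 or event stream) and alert on any non-empty result; the point of the example is that each check corresponds to a container constraint that, on AWS, is observed rather than enforced, which is the gap the OpenStack implementation closes by construction.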

Download