September 8, 2014 | Written by: Karunakar (Karna) Bojjireddy
Cloud computing is entering what some have called the “cloud 2.0 era,” where users are no longer lingering in the “testing the waters” phase (using cloud computing for non-mission critical workloads). Now, cloud users are taking advantage of its benefits for their mission-critical workloads, and IT departments are turning their attention to data security. In fact, according to the IDC 2013 Global Cloud Track survey, 50 percent of respondents claimed security concerns were the number one inhibitor for both public and private cloud deployments.
While security is (and should be) addressed, it should not be a deterrent to cloud adoption. Many cloud providers are adding security features that provide environments that are secure and meet various compliance requirements.
IBM’s SoftLayer, one of the largest cloud providers with more than 100,000 physical nodes and 22,000,000 domains, offers a rich set of security services that organizations can use to secure their environment. And now, they’re adding even more peace of mind with an exciting security agreement with Intel®.
SoftLayer has augmented its platform security capabilities with Intel Trusted Execution Technology (Intel TXT)-capable bare metal servers. This move enables workloads to run on a Trusted Compute Platform.
In addition to this new offering, SoftLayer security services include:
• Vulnerability scanning
• Antivirus and anti-spyware protection
• Host-based intrusion protection
• Firewall and network based threat protection (IPS, DDoS)
• Network Gateways
• Virtual Private Networking (VPN)
• SSL Certificates that enable confidentiality of data-in-transit
What is a Trusted Computing Platform?
According to the National Institute of Standards and Technology (NIST), trusted computing means that the platform behaves as expected and the software inventory is what we think it is: the configurations and security controls are in place and operating as they should. In cloud computing, this also means users have visibility into the physical location of their data in the cloud.
What are the components of a Trusted Computing Platform?
When looking at the components of a Trusted Computing Platform, one of the most important areas is the chipset. Intel TXT includes a set of features in the microprocessor, chipset, I/O subsystems, and other platform components that provide the building blocks for visibility, trust and control in the cloud. Designed to measure the execution environment and protect sensitive information from software-based attacks, Intel TXT works with the Trusted Platform Module (TPM), which securely stores the artifacts used to verify the integrity of those measurements.
To extend the trusted computing platform to the cloud, we need a set of building blocks. The building blocks consist of:
• A chain of trust rooted in the hardware extending all the way to the hypervisor
• A hardened virtualization environment using best known methods
• Geo-location of cloud resources for compliance and audit purpose
• Automation to bring it all together to improve operational efficiency
What is a hardware-based root of trust?
A hardware-based root of trust is the minimum set of functions implemented in hardware that establish the trustworthiness of the host platform. When coupled with an enabled operating system, hypervisor, and solutions, it is the foundation for a more secure computing platform that can protect hypervisor and VMM integrity at boot against software attacks.
The system elements that are needed to provide hardware root of trust are:
• Root of trust for measurement (RTM): Intel TXT provides this, and trust in this component is the basis for all the other measurements
• Root of trust for reporting (RTR): This is provided by the TPM
• Root of trust for storage (RTS): This is provided by the TPM
The hardware-based root of trust uses open industry standards developed by Trusted Computing Group (TCG) to establish and ensure platform trust and store measurements in a TPM. The solution works using a chain of trust with a cohesive set of measurements started by RTM (see figure below).
If integrity and trust are not verified in the launch process, Intel TXT identifies that the code has been compromised, which lets you protect the system and remediate the problem.
Intel TXT/TPM can provide valuable insights and controls when used in the context of cloud computing modules. Some of the use cases for Intel TXT/TPM in cloud are:
• Trusted pool creation: the node performs a measured boot with Intel TXT, and the resulting measurements are validated against known-good values by an attestation server; if they match, the compute node enters the trusted compute pool.
• Workload placement, including location: when a cloud compute subscriber requests a trusted placement, the cloud orchestrator determines the best node after attestation, places the workload on that trusted node, and reports back to the subscriber.
• Workload migration: when a policy triggers migration, the cloud orchestrator validates the target node's trust; once trust is established, the workload is migrated to the trusted node in the right geo-location and a compliance record is created.
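The trusted-pool, placement and migration flow above, as an added example that is not SoftLayer's or Intel's code: a small Python simulation of TCG-style PCR extension over a boot chain, attestation of each node against a known-good PCR value, and orchestrator placement into a required geo-location with a compliance record. All stage names, node names, hashes and geo codes are constructed for the example.

```python
import hashlib
import hmac

# Constructed "known good" boot chain for the example (not real SoftLayer or Intel values).
KNOWN_GOOD_CHAIN = [b"bios-v1.02", b"sinit-acm", b"tboot-1.8", b"hypervisor-3.14"]

def pcr_extend(pcr, measurement):
    """TCG extend: PCR_new = H(PCR_old || H(measurement)). A PCR is only ever extended, never overwritten."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(chain):
    """Chain of trust rooted in the RTM: each boot stage extends the next one into the PCR."""
    pcr = bytes(32)  # PCRs are reset to all zeros at platform power-on
    for stage in chain:
        pcr = pcr_extend(pcr, stage)
    return pcr

def attest(node, known_good_pcr):
    """Attestation-server check: does the node's reported PCR equal the known-good value?"""
    return hmac.compare_digest(measured_boot(node["boot_chain"]), known_good_pcr)

def build_trusted_pool(nodes, known_good_pcr):
    """Trusted pool creation: only nodes that pass attestation are admitted."""
    return {name for name, node in nodes.items() if attest(node, known_good_pcr)}

def place_workload(nodes, known_good_pcr, required_geo, audit_log):
    """Orchestrator placement: a trusted node in the required geo-location, with a compliance record."""
    pool = build_trusted_pool(nodes, known_good_pcr)
    for name in sorted(pool):
        if nodes[name]["geo"] == required_geo:
            audit_log.append({"node": name, "geo": required_geo, "attested": True})
            return name
    audit_log.append({"node": None, "geo": required_geo, "attested": False})
    return None

# Constructed fleet: bm-02 booted a hypervisor whose measurement does not match the known-good chain,
# so its PCR differs and it never enters the pool.
NODES = {
    "bm-01": {"boot_chain": KNOWN_GOOD_CHAIN, "geo": "US"},
    "bm-02": {"boot_chain": KNOWN_GOOD_CHAIN[:3] + [b"hypervisor-3.14-modified"], "geo": "EU"},
    "bm-03": {"boot_chain": KNOWN_GOOD_CHAIN, "geo": "EU"},
}
KNOWN_GOOD_PCR = measured_boot(KNOWN_GOOD_CHAIN)

if __name__ == "__main__":
    log = []
    print("trusted pool:", sorted(build_trusted_pool(NODES, KNOWN_GOOD_PCR)))
    print("EU placement:", place_workload(NODES, KNOWN_GOOD_PCR, "EU", log))
    print("compliance records:", log)
```

Because the extend operation folds the previous PCR value into the next hash, the same stages measured in a different order yield a different PCR, which is why a whitelist of final values catches any deviation in the chain, not just a changed component.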
Intel TXT is especially advantageous for large enterprises subject to compliance and audit regulations, such as healthcare, financial services and government organizations. Now, these organizations will be able to certify that a cloud computing pool is appropriately secured for workloads such as governance and enterprise risk, information and life-cycle management, compliance and audit, etc.
By providing servers with Intel TXT/TPM capabilities and enabling creation of trusted compute pool models, SoftLayer is providing a foundation for building compliance and trust in the cloud.
Intel TXT is available today on SoftLayer bare metal servers with the following Intel processors:
• Intel Xeon – Ivy Bridge E5-2600 V2
• Intel Xeon – Haswell E3-1200-V3
• Intel Xeon – Sandy Bridge E5-4600
In the second part of this blog, I’ll let you know how you can use OpenStack and Open Attestation servers to extend “trust” from enterprise data center to public cloud.
For more information about SoftLayer and Intel TXT visit SoftLayer.com/intel-txt.