Raghu Yeluri
Intel
Publication
Featured research published by Raghu Yeluri.
Archive | 2014
Raghu Yeluri; Enrique Castro-Leon
For cloud users and providers alike, security is an everyday concern, yet there are very few books covering cloud security as a main subject. This book will help address this information gap from an Information Technology solution and usage-centric view of cloud infrastructure security. The book highlights the fundamental technology components necessary to build and enable trusted clouds. Here also is an explanation of the security and compliance challenges organizations face as they migrate mission-critical applications to the cloud, and how trusted clouds, which have their integrity rooted in hardware, can address these challenges.
Annual SRII Global Conference | 2012
Raghu Yeluri; Enrique Castro-Leon; Robert R. Harmon; James Greene
Security is a key barrier to the broader adoption of cloud computing. The real and perceived risks of providing, accessing, and controlling services in multi-tenant cloud environments can slow or preclude the migration to services by IT organizations. In a non-virtualized environment, the separation provided by physical infrastructure is assumed to provide a level of protection for applications and data. In the cloud, this traditional physical isolation between applications no longer exists. Cloud infrastructure is multi-tenant, with multiple applications utilizing a shared common physical infrastructure. This provides the benefit of much more efficient resource utilization. However, because the physical barriers between applications have been eliminated, it is important to establish compensating security controls to minimize the potential for malware to spread through the cloud. Newer types of malware threats, such as rootkit attacks, can be increasingly difficult to detect using traditional antivirus products. These threats use various methods of concealment to remain undetected as they infect key system components such as hypervisors and drivers. This increases the likelihood that the malware can operate in the background, spread through a cloud environment, and cause greater damage over time. This paper explores challenges in deploying and managing services in a cloud infrastructure from a security perspective, and as an example, discusses work that Intel is doing with partners and the software vendor ecosystem to enable a security-enhanced platform and solutions with security anchored and rooted in hardware and firmware to increase visibility and control in the cloud.
Archive | 2014
Raghu Yeluri; Enrique Castro-Leon
In the last few chapters we covered the technologies, usage models, and capabilities that are required to enable trusted infrastructure in the cloud, one of the foundation pillars for trusted clouds. We looked at the concepts, solution architectures, and ISV components that establish and propagate platform trust, attestation, and boundary control, all of which are required to enable trusted clouds. The other foundational pillar to enable them is identity management, and that is the focus of this chapter.
Archive | 2014
Raghu Yeluri; Enrique Castro-Leon
In Chapter 1 we reviewed the essential cloud concepts and took a first look at cloud security. We noted that the traditional notion of perimeter or endpoint protection left much to be desired in the traditional architecture with enterprise-owned assets. Such a notion is even less adequate today when we add the challenges that application developers, service providers, application architects, data center operators, and users face in the emerging cloud environment.
Archive | 2014
Raghu Yeluri; Enrique Castro-Leon
In Chapters 3 and 4, we described how a service provider can ensure that the infrastructure on which the workloads and applications are instantiated has boot integrity, and how these workloads can be placed in trusted pools with compute assets exhibiting demonstrated trust that is rooted in hardware. This model provides an excellent framework for a trusted compute infrastructure, but it is not sufficient for the cloud. Cloud data centers today almost invariably run virtualized. Stopping the chain of trust at the bare hypervisor is clearly insufficient; that is but the proverbial tip of the iceberg. Protection needs to be extended to support the multi-tenancy and virtualized networks of the cloud. Extending the chain of trust described to encompass these virtualized resources, embodied in the concept of trusted virtual machines, is what this chapter is about.
Annual SRII Global Conference | 2012
Enrique Castro-Leon; Raghu Yeluri; Robert R. Harmon; John Kennedy; Andrew Edmonds; Jerry Wheeler; Javier Martínez Elicegui
As cloud computing becomes a mainstream technology, information technology (IT) organizations rely increasingly on outsourced functions: today customer relationship management (CRM) and human resources (HR) applications, and even e-mail, are commonly delegated to service providers. This relationship can be recursive. Software as a service (SaaS) providers may not own their infrastructure. If their expertise is in the application domain, they will have a strong incentive to focus on their area of strength and in turn delegate the infrastructure provisioning to an IaaS provider. Under these relationships, there is inherently less transparency about the service components when services cross organizational boundaries, as in private clouds, or even company boundaries. It is difficult to implement manageability policies for a composite application made of outsourced components. For instance, there is no widely adopted method for service providers to report the energy consumption of their respective services, nor do there exist enforcement mechanisms to impose power limitations. These mechanisms would be needed to comply with regulations to report the carbon footprint of an application as a whole. Static estimation methods can be devised, but they require generous safety margins because they are inherently inaccurate. If these estimates are used to calculate a carbon emissions tax, it is in the economic interest of the organization to make these estimates as accurate as possible. Needed in this environment are mechanisms for service metadata exchange, that is, information about the service itself. Service providers with this capability will have a first-mover advantage, allowing their service consumers to implement global energy policies. The provider could implement innovative pricing schemes, such as lowering the baseline charges for the services in exchange for the service consumer covering and assuming the risks for energy consumption. We present a number of alternatives for the conveyance of metadata across service boundaries.
Archive | 2014
Raghu Yeluri; Enrique Castro-Leon
In this chapter we go through some basic concepts with the purpose of providing context for the discussions in the chapters that follow. Here, we review briefly the concept of the cloud as defined by the U.S. National Institute of Standards and Technology, and the familiar terms of IaaS, PaaS, and SaaS under the SPI model. What is not often discussed is that the rise of cloud computing comes from strong historical motivations and addresses shortcomings of predecessor technologies such as grid computing, the standard enterprise three-tier architecture, or even the mainframe architecture of many decades ago.
Archive | 2014
Raghu Yeluri; Enrique Castro-Leon
In the last few chapters we have looked at the first stages in a process toward establishing trust between systems: first, the establishment of roots of trust and the measured boot components; and second, the collection of evidence throughout the measurement process. We reviewed the different roots of trust in a compute platform, namely the RTM, RTS, and RTR, and how the measured boot process (S-RTM and D-RTM) uses the RTM to measure and store the evidence in the RTS. The next stage in this process is the presentation of this evidence through attestation protocols and the appraisal of the evidence that asserts the integrity of a platform. This stage is referred to as attestation and verification in this book, and it is our objective for this chapter.
Archive | 2014
Raghu Yeluri; Enrique Castro-Leon
In Chapter 2, we introduced the concept of trusted clouds and the key usage models to enable a trusted infrastructure. We provided a brief exposition of the boot integrity usage model and its applicability across the three infrastructure domains: compute, storage, and network. In this chapter we will take a deeper look into ensuring the boot integrity of a compute platform, which boils down to ensuring the integrity of a number of platform components: the pre-launch and launch components covering firmware, BIOS, and hypervisor. Boot integrity is foundational in embodying the concept of a trusted infrastructure.
Archive | 2014
Raghu Yeluri; Enrique Castro-Leon
Chapters 3 and 4 focused on platform boot integrity, trusted compute pools, and the attestation architecture. They covered the reference architecture for how organizations and service providers can deploy trusted pools as the enabler for trusted clouds. Data and workload locality and data sovereignty are top-line issues for organizations considering migrating their workloads and data into the cloud. A fundamental capability that is needed is to reliably identify the location of the physical servers on which the data and workloads reside. Additionally, organizations would need to produce audit trails of data and workload movement, as well as carry out effective forensics when the occasion demands it. In particular, the asset location identification and attestation capability needs to be verifiable, auditable, and preferably anchored in hardware. These capabilities enable workload and data boundary control in the cloud, effectively conferring on users control over where workloads and data are created, where they are run, and where they migrate to for performance, optimization, reliability, and high-availability purposes.