Welcome!

@CloudExpo Authors: Kevin Benedict, Elizabeth White, Liz McMillan, Pat Romanski, Yeshim Deniz

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Interview

Cloud Computing Security and the Role of Trust

Securing the cloud is a multidisciplinary challenge

In the fall of 2010, Trusted Computing Group announced the Trusted Multi-tenant Infrastructure (TMI) Work Group to address cloud computing security and the role of trust in that security. Last week, the work group released the first in a series of use cases (http://www.trustedcomputinggroup.org/developers/trusted_multitenant_infr...) and plans to deliver a reference framework later in 2011. With so much hype and confusion around the topic of cloud computing, we thought it might be useful to ask the co-chairs - Michael Donovan, HP, and Erik Visnyak, BAE Systems - of the TMI Work Group a few questions about their group's efforts.

Q. What role does Trusted Computing Group have in helping secure cloud services?

Michael Donovan & Erik Visnyak: Securing the cloud is a multidisciplinary challenge, as cloud computing can be thought of as a different way to deliver and use all of the same types of information technology we use today. The TCG was established to define standards and practices for building trusted infrastructure that will consistently behave in specific ways, and those behaviors will be enforced by hardware and software when the owner of those systems enables these technologies. The ability of trusted infrastructures to provide integrity measurements and attest to their state provides a key foundation for enabling trust in infrastructure platforms in the cloud, where the consumer does not have direct physical access to those resources. The ability to design, build and consume services delivered from a trustworthy infrastructure where providers and consumers of services can measure and attest to the configuration, state and behavior of platforms is the value of the TCG standards within the cloud ecosystem.

Q. Your work group has a long name. What does it mean?

Donovan & Visnyak: TMI stands for Trusted Multi-Tenant Infrastructure.  We wanted to select a name that properly represents delivering trusted operations and configuration/state validation to a multi-tenant infrastructure such as Cloud Computing.

Trust is the degree to which one party will rely on the assertions or information provided by another. Without the ability for an infrastructure consumer to rely on the information and services from a provider, there is likely to be little market for outsourcing of IT platforms and services. Establishing a trusted context for the providers and consumers of shared infrastructure is a key component of the reference framework under development by TMI.

Multi-tenancy is the ability for multiple unrelated consumers to share infrastructure from a common provider. If consumers were not able to share infrastructure within reasonable constraints, the cost of outsourced services would not be competitive with traditional models. This ability to provision as much or as little of a resource as a consumer needs at a fair price is at the heart of cloud computing.

Infrastructure defines the scope of work for the TMI work group. While the principles and reference model may have applicability to other parts of the cloud ecosystem, the TMI focus is clearly focused on developing reference models and best practices for design, build and consume trusted multi-tenant infrastructure platforms.

Q. How is what you are doing different from what CSA and other orgs have done or are doing?

Donovan & Visnyak: Many traditional IT standards bodies are working to apply their existent standards efforts to the cloud computing ecosystem. Some, such as DMTF, are focused on systems management and definition of physical and virtual resources, such as the Open Virtual Machine (OVF) definition for virtual machines. Newly formed organizations, such as CSA, focus on mitigating threats and risks within cloud computing by proposing best practices and link to specific security requirements for public and private sectors. As cloud potentially encompasses much of the existing IT landscape, each of these organizations has a valid role to play.

The TCG TMI work group is focused on standards-based approaches to trusted infrastructure. We intend to iteratively publish a library of use cases, deployment patterns, best practices and compliance testing to support the ability of infrastructure providers and consumers to make effective use of shared multitenant infrastructures.

TMI is identifying how standards can be used to implement trusted infrastructures as well as identifying any potential gaps. TMI will provide implementation guidance to both consumers and providers as to how standards address concerns within cloud computing and how they may be leveraged to create a trusted shared infrastructure environment.

Q. Your use cases mention "trust" a number of times. What exactly does "trust" mean for multi-tenant infrastructure?

Donovan & Visnyak: Trust is the degree to which one party will rely on the assertions or information provided by another. Without the ability for an infrastructure consumer to rely on the information and services from a provider, there is likely to be little market for outsourcing of IT platforms and services. Establishing a trusted context for the providers and consumers of shared infrastructure is a key component of the reference framework under development by TMI.

Trust enables the ability to apply policy and to guarantee that access controls within policies are adhered to in order to supply reliable logical isolation, guaranteed compliance, and continuous policy compliance monitoring within a multi-tenant environment. This allows the various consumers to trust that providers are meeting their concerns and housing their resources in a trusted fashion.

Q. Do you see other TCG specifications such as the TPM or TNC playing a role in a "trusted" cloud? If we have a bunch of PCs with TPMs, for example, can they be used in a multi-tenant infrastructure?

Donovan & Visnyak: The existing TCG standards provide a critical set of foundational services for establishing trust, exchanging information in a trusted context, enforcing policy, binding together and verifying the trusted state of infrastructure components. Without these core standards, it is unlikely we would be able to achieve the level of trust and compliance we see as critical to the ability of consumers to trust and effectively use cloud computing for core business functions.

TPM provides the ability to attest to a secure state that moves beyond software into the hardware of the infrastructure providing another level of security to assure that integrity and confidentiality of resources within the TMI are maintained.  TNC delivers monitoring of the secure state of TMI resources and utilizes policy enforcement to monitor data exchanges between resources within the TMI to ensure policy compliance.

The TMI working group intends to work with these key TCG standards working groups as well as those from other standards bodies to ensure that the business and mission goals of cloud consumers can be met in a secure trusted context.

Q. Why are you publishing use cases and what are they for?

Donovan & Visnyak: We are utilizing these use cases to describe the context and relationships between components in a trusted infrastructure. The first set of use cases are very narrow in scope and cover some of the key relationships necessary to establish and manage a trusted multi-tenant, multi-provider environment. Later use cases and scenarios will expand on this work and include scenarios putting these lower level use cases into business context.

The use cases are utilized to derive the elements of the reference framework and other downstream specifications. They define the parties, interface interactions and relationships between them to assist in scoping and validating the usage patterns and requirements included in the reference framework. The use cases allow the TMI to begin identifying various security requirements necessary for a TMI and begin the process of identifying standards within industry that map directly to use cases and implementation patterns.

Q. What else will you be doing?

Donovan & Visnyak: The next things you should see from TMI are aligned to the following path (in addition to presentations and white papers):

  • Use cases (initial set delivered)
  • Reference framework (high-level requirements and usage pattern library derived from initial use cases)
    • Patterns describe re-usable approaches to meeting the requirements derived from the use cases
    • Patterns are aligned to implementation standards for evaluation of tools and services
  • Implementation guidance (core guidance on how to use the patterns to build a trusted multi-tenant infrastructure)
    • Includes variants based upon general levels of trust, separation and security
  • Framework compliance test suite (guidance and (possibly) test harnesses for verification of compliance to TMI implementation patterns and standards)
  • Specification development strategy (if gaps are identified in the standards ecosystem necessary to achieve TMI compliance, a plan to address with the relevant bodies)
  • Industry profiles (implementation guidance, test suites and standards alignment targeted at specific industry solutions i.e. defense, PCI-DSS, HIPAA and others)

We plan to continue iterative development of our reference implementation patterns that are repeatable interactions and behaviors that can be implemented by utilizing industry standards that allow for TMI.  As patterns are developed we will engage appropriate standards bodies to see how the technology can apply to the implementation standards as well as its corresponding use cases.

•   •   •

Updates to the TMI Work Group will be available online at TCG's website, www.trustedcomputinggroup.org.

More Stories By Michael Donovan

Michael Donovan is the Chief Technologist for Strategic Capabilities with HP Enterprise Services, responsible for framework implementation to support capabilities and offering development for clients across the U.S. Public Sector. His responsibilities include harvesting existing solutions for re-use and developing new capabilities to meet the complex needs of federal, state and local governments, leveraging the best of our current account and corporate capabilities and those supported by our partner ecosystem and HP Labs. He also co-chairs the Trusted Multi-Tenant Infrastructure Work Group of the Trusted Computing Group.

More Stories By Erik Visnyak

Erik Visnyak, CISSP, is principle information assurance architect at BAE Systems, where he works on enterprise solution programs, research and development activities and proposal captures. He is co-chair of Trusted Computing Group’s Trusted Multi-tenant Infrastructure Work Group, which is working to drive the concepts of trust into cloud computing. He holds a masters degree in network security from DePaul University and a bachelors in information systems from Purdue University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily own their code into production, but want to use platforms instead of raw automation. That’s changing the landscape that we understand as DevOps with both architecture concepts (CloudNative) and process redefinition (SRE). Rob Hirschfeld’s recent work in Kubernetes operations has led to the conclusion that containers and related platforms have changed the way we should be thinking about DevOps and...
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
Because IoT devices are deployed in mission-critical environments more than ever before, it’s increasingly imperative they be truly smart. IoT sensors simply stockpiling data isn’t useful. IoT must be artificially and naturally intelligent in order to provide more value In his session at @ThingsExpo, John Crupi, Vice President and Engineering System Architect at Greenwave Systems, will discuss how IoT artificial intelligence (AI) can be carried out via edge analytics and machine learning techn...
FinTechs use the cloud to operate at the speed and scale of digital financial activity, but are often hindered by the complexity of managing security and compliance in the cloud. In his session at 20th Cloud Expo, Sesh Murthy, co-founder and CTO of Cloud Raxak, showed how proactive and automated cloud security enables FinTechs to leverage the cloud to achieve their business goals. Through business-driven cloud security, FinTechs can speed time-to-market, diminish risk and costs, maintain continu...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
Existing Big Data solutions are mainly focused on the discovery and analysis of data. The solutions are scalable and highly available but tedious when swapping in and swapping out occurs in disarray and thrashing takes place. The resolution for thrashing through machine learning algorithms and support nomenclature is through simple techniques. Organizations that have been collecting large customer data are increasingly seeing the need to use the data for swapping in and out and thrashing occurs ...
As many know, the first generation of Cloud Management Platform (CMP) solutions were designed for managing virtual infrastructure (IaaS) and traditional applications. But that’s no longer enough to satisfy evolving and complex business requirements. In his session at 21st Cloud Expo, Scott Davis, Embotics CTO, will explore how next-generation CMPs ensure organizations can manage cloud-native and microservice-based application architectures, while also facilitating agile DevOps methodology. He wi...
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
Blockchain is a shared, secure record of exchange that establishes trust, accountability and transparency across business networks. Supported by the Linux Foundation's open source, open-standards based Hyperledger Project, Blockchain has the potential to improve regulatory compliance, reduce cost as well as advance trade. Are you curious about how Blockchain is built for business? In her session at 21st Cloud Expo, René Bostic, Technical VP of the IBM Cloud Unit in North America, will discuss th...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
In his opening keynote at 20th Cloud Expo, Michael Maximilien, Research Scientist, Architect, and Engineer at IBM, discussed the full potential of the cloud and social data requires artificial intelligence. By mixing Cloud Foundry and the rich set of Watson services, IBM's Bluemix is the best cloud operating system for enterprises today, providing rapid development and deployment of applications that can take advantage of the rich catalog of Watson services to help drive insights from the vast t...
There is only one world-class Cloud event on earth, and that is Cloud Expo – which returns to Silicon Valley for the 21st Cloud Expo at the Santa Clara Convention Center, October 31 - November 2, 2017. Every Global 2000 enterprise in the world is now integrating cloud computing in some form into its IT development and operations. Midsize and small businesses are also migrating to the cloud in increasing numbers. Companies are each developing their unique mix of cloud technologies and service...
Cloud adoption is often driven by a desire to increase efficiency, boost agility and save money. All too often, however, the reality involves unpredictable cost spikes and lack of oversight due to resource limitations. In his session at 20th Cloud Expo, Joe Kinsella, CTO and Founder of CloudHealth Technologies, tackled the question: “How do you build a fully optimized cloud?” He will examine: Why TCO is critical to achieving cloud success – and why attendees should be thinking holistically ab...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, will introduce two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a...
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
An increasing number of companies are creating products that combine data with analytical capabilities. Running interactive queries on Big Data requires complex architectures to store and query data effectively, typically involving data streams, an choosing efficient file format/database and multiple independent systems that are tied together through custom-engineered pipelines. In his session at @BigDataExpo at @ThingsExpo, Tomer Levi, a senior software engineer at Intel’s Advanced Analytics ...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory?
While some vendors scramble to create and sell you a fancy solution for monitoring your spanking new Amazon Lambdas, hear how you can do it on the cheap using just built-in Java APIs yourself. By exploiting a little-known fact that Lambdas aren’t exactly single-threaded, you can effectively identify hot spots in your serverless code. In his session at @DevOpsSummit at 21st Cloud Expo, Dave Martin, Product owner at CA Technologies, will give a live demonstration and code walkthrough, showing how ...