Welcome!

@CloudExpo Authors: Elizabeth White, Liz McMillan, Yeshim Deniz, Pat Romanski, Flint Brenton

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Interview

Cloud Computing Security and the Role of Trust

Securing the cloud is a multidisciplinary challenge

In the fall of 2010, Trusted Computing Group announced the Trusted Multi-tenant Infrastructure (TMI) Work Group to address cloud computing security and the role of trust in that security. Last week, the work group released the first in a series of use cases (http://www.trustedcomputinggroup.org/developers/trusted_multitenant_infr...) and plans to deliver a reference framework later in 2011. With so much hype and confusion around the topic of cloud computing, we thought it might be useful to ask the co-chairs - Michael Donovan, HP, and Erik Visnyak, BAE Systems - of the TMI Work Group a few questions about their group's efforts.

Q. What role does Trusted Computing Group have in helping secure cloud services?

Michael Donovan & Erik Visnyak: Securing the cloud is a multidisciplinary challenge, as cloud computing can be thought of as a different way to deliver and use all of the same types of information technology we use today. The TCG was established to define standards and practices for building trusted infrastructure that will consistently behave in specific ways, and those behaviors will be enforced by hardware and software when the owner of those systems enables these technologies. The ability of trusted infrastructures to provide integrity measurements and attest to their state provides a key foundation for enabling trust in infrastructure platforms in the cloud, where the consumer does not have direct physical access to those resources. The ability to design, build and consume services delivered from a trustworthy infrastructure where providers and consumers of services can measure and attest to the configuration, state and behavior of platforms is the value of the TCG standards within the cloud ecosystem.

Q. Your work group has a long name. What does it mean?

Donovan & Visnyak: TMI stands for Trusted Multi-Tenant Infrastructure.  We wanted to select a name that properly represents delivering trusted operations and configuration/state validation to a multi-tenant infrastructure such as Cloud Computing.

Trust is the degree to which one party will rely on the assertions or information provided by another. Without the ability for an infrastructure consumer to rely on the information and services from a provider, there is likely to be little market for outsourcing of IT platforms and services. Establishing a trusted context for the providers and consumers of shared infrastructure is a key component of the reference framework under development by TMI.

Multi-tenancy is the ability for multiple unrelated consumers to share infrastructure from a common provider. If consumers were not able to share infrastructure within reasonable constraints, the cost of outsourced services would not be competitive with traditional models. This ability to provision as much or as little of a resource as a consumer needs at a fair price is at the heart of cloud computing.

Infrastructure defines the scope of work for the TMI work group. While the principles and reference model may have applicability to other parts of the cloud ecosystem, the TMI focus is clearly focused on developing reference models and best practices for design, build and consume trusted multi-tenant infrastructure platforms.

Q. How is what you are doing different from what CSA and other orgs have done or are doing?

Donovan & Visnyak: Many traditional IT standards bodies are working to apply their existent standards efforts to the cloud computing ecosystem. Some, such as DMTF, are focused on systems management and definition of physical and virtual resources, such as the Open Virtual Machine (OVF) definition for virtual machines. Newly formed organizations, such as CSA, focus on mitigating threats and risks within cloud computing by proposing best practices and link to specific security requirements for public and private sectors. As cloud potentially encompasses much of the existing IT landscape, each of these organizations has a valid role to play.

The TCG TMI work group is focused on standards-based approaches to trusted infrastructure. We intend to iteratively publish a library of use cases, deployment patterns, best practices and compliance testing to support the ability of infrastructure providers and consumers to make effective use of shared multitenant infrastructures.

TMI is identifying how standards can be used to implement trusted infrastructures as well as identifying any potential gaps. TMI will provide implementation guidance to both consumers and providers as to how standards address concerns within cloud computing and how they may be leveraged to create a trusted shared infrastructure environment.

Q. Your use cases mention "trust" a number of times. What exactly does "trust" mean for multi-tenant infrastructure?

Donovan & Visnyak: Trust is the degree to which one party will rely on the assertions or information provided by another. Without the ability for an infrastructure consumer to rely on the information and services from a provider, there is likely to be little market for outsourcing of IT platforms and services. Establishing a trusted context for the providers and consumers of shared infrastructure is a key component of the reference framework under development by TMI.

Trust enables the ability to apply policy and to guarantee that access controls within policies are adhered to in order to supply reliable logical isolation, guaranteed compliance, and continuous policy compliance monitoring within a multi-tenant environment. This allows the various consumers to trust that providers are meeting their concerns and housing their resources in a trusted fashion.

Q. Do you see other TCG specifications such as the TPM or TNC playing a role in a "trusted" cloud? If we have a bunch of PCs with TPMs, for example, can they be used in a multi-tenant infrastructure?

Donovan & Visnyak: The existing TCG standards provide a critical set of foundational services for establishing trust, exchanging information in a trusted context, enforcing policy, binding together and verifying the trusted state of infrastructure components. Without these core standards, it is unlikely we would be able to achieve the level of trust and compliance we see as critical to the ability of consumers to trust and effectively use cloud computing for core business functions.

TPM provides the ability to attest to a secure state that moves beyond software into the hardware of the infrastructure providing another level of security to assure that integrity and confidentiality of resources within the TMI are maintained.  TNC delivers monitoring of the secure state of TMI resources and utilizes policy enforcement to monitor data exchanges between resources within the TMI to ensure policy compliance.

The TMI working group intends to work with these key TCG standards working groups as well as those from other standards bodies to ensure that the business and mission goals of cloud consumers can be met in a secure trusted context.

Q. Why are you publishing use cases and what are they for?

Donovan & Visnyak: We are utilizing these use cases to describe the context and relationships between components in a trusted infrastructure. The first set of use cases are very narrow in scope and cover some of the key relationships necessary to establish and manage a trusted multi-tenant, multi-provider environment. Later use cases and scenarios will expand on this work and include scenarios putting these lower level use cases into business context.

The use cases are utilized to derive the elements of the reference framework and other downstream specifications. They define the parties, interface interactions and relationships between them to assist in scoping and validating the usage patterns and requirements included in the reference framework. The use cases allow the TMI to begin identifying various security requirements necessary for a TMI and begin the process of identifying standards within industry that map directly to use cases and implementation patterns.

Q. What else will you be doing?

Donovan & Visnyak: The next things you should see from TMI are aligned to the following path (in addition to presentations and white papers):

  • Use cases (initial set delivered)
  • Reference framework (high-level requirements and usage pattern library derived from initial use cases)
    • Patterns describe re-usable approaches to meeting the requirements derived from the use cases
    • Patterns are aligned to implementation standards for evaluation of tools and services
  • Implementation guidance (core guidance on how to use the patterns to build a trusted multi-tenant infrastructure)
    • Includes variants based upon general levels of trust, separation and security
  • Framework compliance test suite (guidance and (possibly) test harnesses for verification of compliance to TMI implementation patterns and standards)
  • Specification development strategy (if gaps are identified in the standards ecosystem necessary to achieve TMI compliance, a plan to address with the relevant bodies)
  • Industry profiles (implementation guidance, test suites and standards alignment targeted at specific industry solutions i.e. defense, PCI-DSS, HIPAA and others)

We plan to continue iterative development of our reference implementation patterns that are repeatable interactions and behaviors that can be implemented by utilizing industry standards that allow for TMI.  As patterns are developed we will engage appropriate standards bodies to see how the technology can apply to the implementation standards as well as its corresponding use cases.

•   •   •

Updates to the TMI Work Group will be available online at TCG's website, www.trustedcomputinggroup.org.

More Stories By Michael Donovan

Michael Donovan is the Chief Technologist for Strategic Capabilities with HP Enterprise Services, responsible for framework implementation to support capabilities and offering development for clients across the U.S. Public Sector. His responsibilities include harvesting existing solutions for re-use and developing new capabilities to meet the complex needs of federal, state and local governments, leveraging the best of our current account and corporate capabilities and those supported by our partner ecosystem and HP Labs. He also co-chairs the Trusted Multi-Tenant Infrastructure Work Group of the Trusted Computing Group.

More Stories By Erik Visnyak

Erik Visnyak, CISSP, is principle information assurance architect at BAE Systems, where he works on enterprise solution programs, research and development activities and proposal captures. He is co-chair of Trusted Computing Group’s Trusted Multi-tenant Infrastructure Work Group, which is working to drive the concepts of trust into cloud computing. He holds a masters degree in network security from DePaul University and a bachelors in information systems from Purdue University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
Cloud-based disaster recovery is critical to any production environment and is a high priority for many enterprise organizations today. Nearly 40% of organizations have had to execute their BCDR plan due to a service disruption in the past two years. Zerto on IBM Cloud offer VMware and Microsoft customers simple, automated recovery of on-premise VMware and Microsoft workloads to IBM Cloud data centers.
Why Federal cloud? What is in Federal Clouds and integrations? This session will identify the process and the FedRAMP initiative. But is it sufficient? What is the remedy for keeping abreast of cutting-edge technology? In his session at 21st Cloud Expo, Rasananda Behera will examine the proposed solutions: Private or public or hybrid cloud Responsible governing bodies How can we accomplish?
SYS-CON Events announced today that Massive Networks, that helps your business operate seamlessly with fast, reliable, and secure internet and network solutions, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. As a premier telecommunications provider, Massive Networks is headquartered out of Louisville, Colorado. With years of experience under their belt, their team of...
Many companies start their journey to the cloud in the DevOps environment, where software engineers want self-service access to the custom tools and frameworks they need. Machine learning technology can help IT departments keep up with these demands. In his session at 21st Cloud Expo, Ajay Gulati, Co-Founder, CTO and Board Member at ZeroStack, will discuss the use of machine learning for automating provisioning of DevOps resources, taking the burden off IT teams.
SYS-CON Events announced today that Nihon Micron will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Nihon Micron Co., Ltd. strives for technological innovation to establish high-density, high-precision processing technology for providing printed circuit board and metal mount RFID tags used for communication devices. For more inf...
SYS-CON Events announced today that mruby Forum will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. mruby is the lightweight implementation of the Ruby language. We introduce mruby and the mruby IoT framework that enhances development productivity. For more information, visit http://forum.mruby.org/.
In his session at @ThingsExpo, Greg Gorman is the Director, IoT Developer Ecosystem, Watson IoT, will provide a short tutorial on Node-RED, a Node.js-based programming tool for wiring together hardware devices, APIs and online services in new and interesting ways. It provides a browser-based editor that makes it easy to wire together flows using a wide range of nodes in the palette that can be deployed to its runtime in a single-click. There is a large library of contributed nodes that help so...
SYS-CON Events announced today that Ryobi Systems will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ryobi Systems Co., Ltd., as an information service company, specialized in business support for local governments and medical industry. We are challenging to achive the precision farming with AI. For more information, visit http:...
SYS-CON Events announced today that SIGMA Corporation will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. uLaser flow inspection device from the Japanese top share to Global Standard! Then, make the best use of data to flip to next page. For more information, visit http://www.sigma-k.co.jp/en/.
SYS-CON Events announced today that Daiya Industry will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Daiya Industry specializes in orthotic support systems and assistive devices with pneumatic artificial muscles in order to contribute to an extended healthy life expectancy. For more information, please visit https://www.daiyak...
Today traditional IT approaches leverage well-architected compute/networking domains to control what applications can access what data, and how. DevOps includes rapid application development/deployment leveraging concepts like containerization, third-party sourced applications and databases. Such applications need access to production data for its test and iteration cycles. Data Security? That sounds like a roadblock to DevOps vs. protecting the crown jewels to those in IT.
SYS-CON Events announced today that B2Cloud will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. B2Cloud specializes in IoT devices for preventive and predictive maintenance in any kind of equipment retrieving data like Energy consumption, working time, temperature, humidity, pressure, etc.
Automation is enabling enterprises to design, deploy, and manage more complex, hybrid cloud environments. Yet the people who manage these environments must be trained in and understanding these environments better than ever before. A new era of analytics and cognitive computing is adding intelligence, but also more complexity, to these cloud environments. How smart is your cloud? How smart should it be? In this power panel at 20th Cloud Expo, moderated by Conference Chair Roger Strukhoff, paneli...
SYS-CON Events announced today that NetApp has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. NetApp is the data authority for hybrid cloud. NetApp provides a full range of hybrid cloud data services that simplify management of applications and data across cloud and on-premises environments to accelerate digital transformation. Together with their partners, NetApp em...
Most of the time there is a lot of work involved to move to the cloud, and most of that isn't really related to AWS or Azure or Google Cloud. Before we talk about public cloud vendors and DevOps tools, there are usually several technical and non-technical challenges that are connected to it and that every company needs to solve to move to the cloud. In his session at 21st Cloud Expo, Stefano Bellasio, CEO and founder of Cloud Academy Inc., will discuss what the tools, disciplines, and cultural...
What is the best strategy for selecting the right offshore company for your business? In his session at 21st Cloud Expo, Alan Winters, U.S. Head of Business Development at MobiDev, will discuss the things to look for - positive and negative - in evaluating your options. He will also discuss how to maximize productivity with your offshore developers. Before you start your search, clearly understand your business needs and how that impacts software choices.
SYS-CON Events announced today that Interface Corporation will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Interface Corporation is a company developing, manufacturing and marketing high quality and wide variety of industrial computers and interface modules such as PCIs and PCI express. For more information, visit http://www.i...
SYS-CON Events announced today that Keisoku Research Consultant Co. will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Keisoku Research Consultant, Co. offers research and consulting in a wide range of civil engineering-related fields from information construction to preservation of cultural properties. For more information, vi...
SYS-CON Events announced today that MIRAI Inc. will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MIRAI Inc. are IT consultants from the public sector whose mission is to solve social issues by technology and innovation and to create a meaningful future for people.
SYS-CON Events announced today that Fusic will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Fusic Co. provides mocks as virtual IoT devices. You can customize mocks, and get any amount of data at any time in your test. For more information, visit https://fusic.co.jp/english/.