Welcome!

@CloudExpo Authors: Elizabeth White, Pat Romanski, Liz McMillan, Yeshim Deniz, William Schmarzo

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Interview

Cloud Computing Security and the Role of Trust

Securing the cloud is a multidisciplinary challenge

In the fall of 2010, Trusted Computing Group announced the Trusted Multi-tenant Infrastructure (TMI) Work Group to address cloud computing security and the role of trust in that security. Last week, the work group released the first in a series of use cases (http://www.trustedcomputinggroup.org/developers/trusted_multitenant_infr...) and plans to deliver a reference framework later in 2011. With so much hype and confusion around the topic of cloud computing, we thought it might be useful to ask the co-chairs - Michael Donovan, HP, and Erik Visnyak, BAE Systems - of the TMI Work Group a few questions about their group's efforts.

Q. What role does Trusted Computing Group have in helping secure cloud services?

Michael Donovan & Erik Visnyak: Securing the cloud is a multidisciplinary challenge, as cloud computing can be thought of as a different way to deliver and use all of the same types of information technology we use today. The TCG was established to define standards and practices for building trusted infrastructure that will consistently behave in specific ways, and those behaviors will be enforced by hardware and software when the owner of those systems enables these technologies. The ability of trusted infrastructures to provide integrity measurements and attest to their state provides a key foundation for enabling trust in infrastructure platforms in the cloud, where the consumer does not have direct physical access to those resources. The ability to design, build and consume services delivered from a trustworthy infrastructure where providers and consumers of services can measure and attest to the configuration, state and behavior of platforms is the value of the TCG standards within the cloud ecosystem.

Q. Your work group has a long name. What does it mean?

Donovan & Visnyak: TMI stands for Trusted Multi-Tenant Infrastructure.  We wanted to select a name that properly represents delivering trusted operations and configuration/state validation to a multi-tenant infrastructure such as Cloud Computing.

Trust is the degree to which one party will rely on the assertions or information provided by another. Without the ability for an infrastructure consumer to rely on the information and services from a provider, there is likely to be little market for outsourcing of IT platforms and services. Establishing a trusted context for the providers and consumers of shared infrastructure is a key component of the reference framework under development by TMI.

Multi-tenancy is the ability for multiple unrelated consumers to share infrastructure from a common provider. If consumers were not able to share infrastructure within reasonable constraints, the cost of outsourced services would not be competitive with traditional models. This ability to provision as much or as little of a resource as a consumer needs at a fair price is at the heart of cloud computing.

Infrastructure defines the scope of work for the TMI work group. While the principles and reference model may have applicability to other parts of the cloud ecosystem, the TMI focus is clearly focused on developing reference models and best practices for design, build and consume trusted multi-tenant infrastructure platforms.

Q. How is what you are doing different from what CSA and other orgs have done or are doing?

Donovan & Visnyak: Many traditional IT standards bodies are working to apply their existent standards efforts to the cloud computing ecosystem. Some, such as DMTF, are focused on systems management and definition of physical and virtual resources, such as the Open Virtual Machine (OVF) definition for virtual machines. Newly formed organizations, such as CSA, focus on mitigating threats and risks within cloud computing by proposing best practices and link to specific security requirements for public and private sectors. As cloud potentially encompasses much of the existing IT landscape, each of these organizations has a valid role to play.

The TCG TMI work group is focused on standards-based approaches to trusted infrastructure. We intend to iteratively publish a library of use cases, deployment patterns, best practices and compliance testing to support the ability of infrastructure providers and consumers to make effective use of shared multitenant infrastructures.

TMI is identifying how standards can be used to implement trusted infrastructures as well as identifying any potential gaps. TMI will provide implementation guidance to both consumers and providers as to how standards address concerns within cloud computing and how they may be leveraged to create a trusted shared infrastructure environment.

Q. Your use cases mention "trust" a number of times. What exactly does "trust" mean for multi-tenant infrastructure?

Donovan & Visnyak: Trust is the degree to which one party will rely on the assertions or information provided by another. Without the ability for an infrastructure consumer to rely on the information and services from a provider, there is likely to be little market for outsourcing of IT platforms and services. Establishing a trusted context for the providers and consumers of shared infrastructure is a key component of the reference framework under development by TMI.

Trust enables the ability to apply policy and to guarantee that access controls within policies are adhered to in order to supply reliable logical isolation, guaranteed compliance, and continuous policy compliance monitoring within a multi-tenant environment. This allows the various consumers to trust that providers are meeting their concerns and housing their resources in a trusted fashion.

Q. Do you see other TCG specifications such as the TPM or TNC playing a role in a "trusted" cloud? If we have a bunch of PCs with TPMs, for example, can they be used in a multi-tenant infrastructure?

Donovan & Visnyak: The existing TCG standards provide a critical set of foundational services for establishing trust, exchanging information in a trusted context, enforcing policy, binding together and verifying the trusted state of infrastructure components. Without these core standards, it is unlikely we would be able to achieve the level of trust and compliance we see as critical to the ability of consumers to trust and effectively use cloud computing for core business functions.

TPM provides the ability to attest to a secure state that moves beyond software into the hardware of the infrastructure providing another level of security to assure that integrity and confidentiality of resources within the TMI are maintained.  TNC delivers monitoring of the secure state of TMI resources and utilizes policy enforcement to monitor data exchanges between resources within the TMI to ensure policy compliance.

The TMI working group intends to work with these key TCG standards working groups as well as those from other standards bodies to ensure that the business and mission goals of cloud consumers can be met in a secure trusted context.

Q. Why are you publishing use cases and what are they for?

Donovan & Visnyak: We are utilizing these use cases to describe the context and relationships between components in a trusted infrastructure. The first set of use cases are very narrow in scope and cover some of the key relationships necessary to establish and manage a trusted multi-tenant, multi-provider environment. Later use cases and scenarios will expand on this work and include scenarios putting these lower level use cases into business context.

The use cases are utilized to derive the elements of the reference framework and other downstream specifications. They define the parties, interface interactions and relationships between them to assist in scoping and validating the usage patterns and requirements included in the reference framework. The use cases allow the TMI to begin identifying various security requirements necessary for a TMI and begin the process of identifying standards within industry that map directly to use cases and implementation patterns.

Q. What else will you be doing?

Donovan & Visnyak: The next things you should see from TMI are aligned to the following path (in addition to presentations and white papers):

  • Use cases (initial set delivered)
  • Reference framework (high-level requirements and usage pattern library derived from initial use cases)
    • Patterns describe re-usable approaches to meeting the requirements derived from the use cases
    • Patterns are aligned to implementation standards for evaluation of tools and services
  • Implementation guidance (core guidance on how to use the patterns to build a trusted multi-tenant infrastructure)
    • Includes variants based upon general levels of trust, separation and security
  • Framework compliance test suite (guidance and (possibly) test harnesses for verification of compliance to TMI implementation patterns and standards)
  • Specification development strategy (if gaps are identified in the standards ecosystem necessary to achieve TMI compliance, a plan to address with the relevant bodies)
  • Industry profiles (implementation guidance, test suites and standards alignment targeted at specific industry solutions i.e. defense, PCI-DSS, HIPAA and others)

We plan to continue iterative development of our reference implementation patterns that are repeatable interactions and behaviors that can be implemented by utilizing industry standards that allow for TMI.  As patterns are developed we will engage appropriate standards bodies to see how the technology can apply to the implementation standards as well as its corresponding use cases.

•   •   •

Updates to the TMI Work Group will be available online at TCG's website, www.trustedcomputinggroup.org.

More Stories By Michael Donovan

Michael Donovan is the Chief Technologist for Strategic Capabilities with HP Enterprise Services, responsible for framework implementation to support capabilities and offering development for clients across the U.S. Public Sector. His responsibilities include harvesting existing solutions for re-use and developing new capabilities to meet the complex needs of federal, state and local governments, leveraging the best of our current account and corporate capabilities and those supported by our partner ecosystem and HP Labs. He also co-chairs the Trusted Multi-Tenant Infrastructure Work Group of the Trusted Computing Group.

More Stories By Erik Visnyak

Erik Visnyak, CISSP, is principle information assurance architect at BAE Systems, where he works on enterprise solution programs, research and development activities and proposal captures. He is co-chair of Trusted Computing Group’s Trusted Multi-tenant Infrastructure Work Group, which is working to drive the concepts of trust into cloud computing. He holds a masters degree in network security from DePaul University and a bachelors in information systems from Purdue University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists will examine how DevOps helps to meet th...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory?
Most technology leaders, contemporary and from the hardware era, are reshaping their businesses to do software in the hope of capturing value in IoT. Although IoT is relatively new in the market, it has already gone through many promotional terms such as IoE, IoX, SDX, Edge/Fog, Mist Compute, etc. Ultimately, irrespective of the name, it is about deriving value from independent software assets participating in an ecosystem as one comprehensive solution.
SYS-CON Events announced today that A&I Solutions has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 1999, A&I Solutions is a leading information technology (IT) software and services provider focusing on best-in-class enterprise solutions. By partnering with industry leaders in technology, A&I assures customers high performance levels across all IT environments including: mai...
SYS-CON Events announced today that Systena America will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT serv...
Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner's company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.
While some vendors scramble to create and sell you a fancy solution for monitoring your spanking new Amazon Lambdas, hear how you can do it on the cheap using just built-in Java APIs yourself. By exploiting a little-known fact that Lambdas aren’t exactly single threaded, you can effectively identify hot spots in your serverless code. In his session at 20th Cloud Expo, David Martin, Principal Product Owner at CA Technologies, will give a live demonstration and code walkthrough, showing how to ov...
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
SYS-CON Events announced today that Outscale will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outscale's technology makes an automated and adaptable Cloud available to businesses, supporting them in the most complex IT projects while controlling their operational aspects. You boost your IT infrastructure's reactivity, with request responses that only take a few seconds.
SYS-CON Events announced today that Progress, a global leader in application development, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Enterprises today are rapidly adopting the cloud, while continuing to retain business-critical/sensitive data inside the firewall. This is creating two separate data silos – one inside the firewall and the other outside the firewall. Cloud ISVs ofte...
SYS-CON Events announced today that Interoute has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Interoute is the owner operator of Europe's largest network and a global cloud services platform, which encompasses over 70,000 km of lit fiber, 15 data centers, 17 virtual data centers and 33 colocation centers, with connections to 195 additional partner data centers. Our full-service Unifie...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
SYS-CON Events announced today that Enzu will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive ad...
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus intern...
SYS-CON Events announced today that Twistlock, the leading provider of cloud container security solutions, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Twistlock is the industry's first enterprise security suite for container security. Twistlock's technology addresses risks on the host and within the application of the container, enabling enterprises to consistently enforce security policies, monitor...
This talk centers around how to automate best practices in a multi-/hybrid-cloud world based on our work with customers like GE, Discovery Communications and Fannie Mae. Today’s enterprises are reaping the benefits of cloud computing, but also discovering many risks and challenges. In the age of DevOps and the decentralization of IT, it’s easy to over-provision resources, forget that instances are running, or unintentionally expose vulnerabilities.
Everywhere we turn in our industry we can find strong opinions about the direction, type and nature of cloud’s impact on computing and business. Another word that is used in every context in our industry is “hybrid.” In his session at 20th Cloud Expo, Alvaro Gonzalez, Director of Technical, Partner and Field Marketing at Peak 10, will use a combination of a few conceptual props and some research recently commissioned by Peak 10 to offer a real-world consideration of how the various categories of...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore t...