Click here to close now.


@CloudExpo Authors: David Dodd, Ed Featherston, Liz McMillan, Chris Fleck, Anders Wallgren

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Interview

Cloud Computing Security and the Role of Trust

Securing the cloud is a multidisciplinary challenge

In the fall of 2010, Trusted Computing Group announced the Trusted Multi-tenant Infrastructure (TMI) Work Group to address cloud computing security and the role of trust in that security. Last week, the work group released the first in a series of use cases ( and plans to deliver a reference framework later in 2011. With so much hype and confusion around the topic of cloud computing, we thought it might be useful to ask the co-chairs - Michael Donovan, HP, and Erik Visnyak, BAE Systems - of the TMI Work Group a few questions about their group's efforts.

Q. What role does Trusted Computing Group have in helping secure cloud services?

Michael Donovan & Erik Visnyak: Securing the cloud is a multidisciplinary challenge, as cloud computing can be thought of as a different way to deliver and use all of the same types of information technology we use today. The TCG was established to define standards and practices for building trusted infrastructure that will consistently behave in specific ways, and those behaviors will be enforced by hardware and software when the owner of those systems enables these technologies. The ability of trusted infrastructures to provide integrity measurements and attest to their state provides a key foundation for enabling trust in infrastructure platforms in the cloud, where the consumer does not have direct physical access to those resources. The ability to design, build and consume services delivered from a trustworthy infrastructure where providers and consumers of services can measure and attest to the configuration, state and behavior of platforms is the value of the TCG standards within the cloud ecosystem.

Q. Your work group has a long name. What does it mean?

Donovan & Visnyak: TMI stands for Trusted Multi-Tenant Infrastructure.  We wanted to select a name that properly represents delivering trusted operations and configuration/state validation to a multi-tenant infrastructure such as Cloud Computing.

Trust is the degree to which one party will rely on the assertions or information provided by another. Without the ability for an infrastructure consumer to rely on the information and services from a provider, there is likely to be little market for outsourcing of IT platforms and services. Establishing a trusted context for the providers and consumers of shared infrastructure is a key component of the reference framework under development by TMI.

Multi-tenancy is the ability for multiple unrelated consumers to share infrastructure from a common provider. If consumers were not able to share infrastructure within reasonable constraints, the cost of outsourced services would not be competitive with traditional models. This ability to provision as much or as little of a resource as a consumer needs at a fair price is at the heart of cloud computing.

Infrastructure defines the scope of work for the TMI work group. While the principles and reference model may have applicability to other parts of the cloud ecosystem, the TMI focus is clearly focused on developing reference models and best practices for design, build and consume trusted multi-tenant infrastructure platforms.

Q. How is what you are doing different from what CSA and other orgs have done or are doing?

Donovan & Visnyak: Many traditional IT standards bodies are working to apply their existent standards efforts to the cloud computing ecosystem. Some, such as DMTF, are focused on systems management and definition of physical and virtual resources, such as the Open Virtual Machine (OVF) definition for virtual machines. Newly formed organizations, such as CSA, focus on mitigating threats and risks within cloud computing by proposing best practices and link to specific security requirements for public and private sectors. As cloud potentially encompasses much of the existing IT landscape, each of these organizations has a valid role to play.

The TCG TMI work group is focused on standards-based approaches to trusted infrastructure. We intend to iteratively publish a library of use cases, deployment patterns, best practices and compliance testing to support the ability of infrastructure providers and consumers to make effective use of shared multitenant infrastructures.

TMI is identifying how standards can be used to implement trusted infrastructures as well as identifying any potential gaps. TMI will provide implementation guidance to both consumers and providers as to how standards address concerns within cloud computing and how they may be leveraged to create a trusted shared infrastructure environment.

Q. Your use cases mention "trust" a number of times. What exactly does "trust" mean for multi-tenant infrastructure?

Donovan & Visnyak: Trust is the degree to which one party will rely on the assertions or information provided by another. Without the ability for an infrastructure consumer to rely on the information and services from a provider, there is likely to be little market for outsourcing of IT platforms and services. Establishing a trusted context for the providers and consumers of shared infrastructure is a key component of the reference framework under development by TMI.

Trust enables the ability to apply policy and to guarantee that access controls within policies are adhered to in order to supply reliable logical isolation, guaranteed compliance, and continuous policy compliance monitoring within a multi-tenant environment. This allows the various consumers to trust that providers are meeting their concerns and housing their resources in a trusted fashion.

Q. Do you see other TCG specifications such as the TPM or TNC playing a role in a "trusted" cloud? If we have a bunch of PCs with TPMs, for example, can they be used in a multi-tenant infrastructure?

Donovan & Visnyak: The existing TCG standards provide a critical set of foundational services for establishing trust, exchanging information in a trusted context, enforcing policy, binding together and verifying the trusted state of infrastructure components. Without these core standards, it is unlikely we would be able to achieve the level of trust and compliance we see as critical to the ability of consumers to trust and effectively use cloud computing for core business functions.

TPM provides the ability to attest to a secure state that moves beyond software into the hardware of the infrastructure providing another level of security to assure that integrity and confidentiality of resources within the TMI are maintained.  TNC delivers monitoring of the secure state of TMI resources and utilizes policy enforcement to monitor data exchanges between resources within the TMI to ensure policy compliance.

The TMI working group intends to work with these key TCG standards working groups as well as those from other standards bodies to ensure that the business and mission goals of cloud consumers can be met in a secure trusted context.

Q. Why are you publishing use cases and what are they for?

Donovan & Visnyak: We are utilizing these use cases to describe the context and relationships between components in a trusted infrastructure. The first set of use cases are very narrow in scope and cover some of the key relationships necessary to establish and manage a trusted multi-tenant, multi-provider environment. Later use cases and scenarios will expand on this work and include scenarios putting these lower level use cases into business context.

The use cases are utilized to derive the elements of the reference framework and other downstream specifications. They define the parties, interface interactions and relationships between them to assist in scoping and validating the usage patterns and requirements included in the reference framework. The use cases allow the TMI to begin identifying various security requirements necessary for a TMI and begin the process of identifying standards within industry that map directly to use cases and implementation patterns.

Q. What else will you be doing?

Donovan & Visnyak: The next things you should see from TMI are aligned to the following path (in addition to presentations and white papers):

  • Use cases (initial set delivered)
  • Reference framework (high-level requirements and usage pattern library derived from initial use cases)
    • Patterns describe re-usable approaches to meeting the requirements derived from the use cases
    • Patterns are aligned to implementation standards for evaluation of tools and services
  • Implementation guidance (core guidance on how to use the patterns to build a trusted multi-tenant infrastructure)
    • Includes variants based upon general levels of trust, separation and security
  • Framework compliance test suite (guidance and (possibly) test harnesses for verification of compliance to TMI implementation patterns and standards)
  • Specification development strategy (if gaps are identified in the standards ecosystem necessary to achieve TMI compliance, a plan to address with the relevant bodies)
  • Industry profiles (implementation guidance, test suites and standards alignment targeted at specific industry solutions i.e. defense, PCI-DSS, HIPAA and others)

We plan to continue iterative development of our reference implementation patterns that are repeatable interactions and behaviors that can be implemented by utilizing industry standards that allow for TMI.  As patterns are developed we will engage appropriate standards bodies to see how the technology can apply to the implementation standards as well as its corresponding use cases.

•   •   •

Updates to the TMI Work Group will be available online at TCG's website,

More Stories By Michael Donovan

Michael Donovan is the Chief Technologist for Strategic Capabilities with HP Enterprise Services, responsible for framework implementation to support capabilities and offering development for clients across the U.S. Public Sector. His responsibilities include harvesting existing solutions for re-use and developing new capabilities to meet the complex needs of federal, state and local governments, leveraging the best of our current account and corporate capabilities and those supported by our partner ecosystem and HP Labs. He also co-chairs the Trusted Multi-Tenant Infrastructure Work Group of the Trusted Computing Group.

More Stories By Erik Visnyak

Erik Visnyak, CISSP, is principle information assurance architect at BAE Systems, where he works on enterprise solution programs, research and development activities and proposal captures. He is co-chair of Trusted Computing Group’s Trusted Multi-tenant Infrastructure Work Group, which is working to drive the concepts of trust into cloud computing. He holds a masters degree in network security from DePaul University and a bachelors in information systems from Purdue University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@CloudExpo Stories
In his General Session at DevOps Summit, Asaf Yigal, Co-Founder & VP of Product at, explored the value of Kibana 4 for log analysis and provided a hands-on tutorial on how to set up Kibana 4 and get the most out of Apache log files. He examined three use cases: IT operations, business intelligence, and security and compliance. Asaf Yigal is co-founder and VP of Product at log analytics software company In the past, he was co-founder of social-trading platform Currensee, which...
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
In recent years, at least 40% of companies using cloud applications have experienced data loss. One of the best prevention against cloud data loss is backing up your cloud data. In his General Session at 17th Cloud Expo, Sam McIntyre, Partner Enablement Specialist at eFolder, presented how organizations can use eFolder Cloudfinder to automate backups of cloud application data. He also demonstrated how easy it is to search and restore cloud application data using Cloudfinder.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty ...
Internet of @ThingsExpo, taking place June 7-9, 2016 at Javits Center, New York City and Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 18th International @CloudExpo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo New York Call for Papers is now open.
Cloud computing delivers on-demand resources that provide businesses with flexibility and cost-savings. The challenge in moving workloads to the cloud has been the cost and complexity of ensuring the initial and ongoing security and regulatory (PCI, HIPAA, FFIEC) compliance across private and public clouds. Manual security compliance is slow, prone to human error, and represents over 50% of the cost of managing cloud applications. Determining how to automate cloud security compliance is critical...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, San...
As organizations shift towards IT-as-a-service models, the need for managing & protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection & E-Discovery of your data - whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise.
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi’s VP Business Development and Engineering, explored the IoT cloud-based platform technologies driving t...
There are over 120 breakout sessions in all, with Keynotes, General Sessions, and Power Panels adding to three days of incredibly rich presentations and content. Join @ThingsExpo conference chair Roger Strukhoff (@IoT2040), June 7-9, 2016 in New York City, for three days of intense 'Internet of Things' discussion and focus, including Big Data's indespensable role in IoT, Smart Grids and Industrial Internet of Things, Wearables and Consumer IoT, as well as (new) IoT's use in Vertical Markets.
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
SYS-CON Events announced today that Alert Logic, Inc., the leading provider of Security-as-a-Service solutions for the cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Alert Logic, Inc., provides Security-as-a-Service for on-premises, cloud, and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Ful...
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
As organizations realize the scope of the Internet of Things, gaining key insights from Big Data, through the use of advanced analytics, becomes crucial. However, IoT also creates the need for petabyte scale storage of data from millions of devices. A new type of Storage is required which seamlessly integrates robust data analytics with massive scale. These storage systems will act as “smart systems” provide in-place analytics that speed discovery and enable businesses to quickly derive meaningf...
DevOps is about increasing efficiency, but nothing is more inefficient than building the same application twice. However, this is a routine occurrence with enterprise applications that need both a rich desktop web interface and strong mobile support. With recent technological advances from Isomorphic Software and others, rich desktop and tuned mobile experiences can now be created with a single codebase – without compromising functionality, performance or usability. In his session at DevOps Su...
In his General Session at 17th Cloud Expo, Bruce Swann, Senior Product Marketing Manager for Adobe Campaign, explored the key ingredients of cross-channel marketing in a digital world. Learn how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects).
The buzz continues for cloud, data analytics and the Internet of Things (IoT) and their collective impact across all industries. But a new conversation is emerging - how do companies use industry disruption and technology enablers to lead in markets undergoing change, uncertainty and ambiguity? Organizations of all sizes need to evolve and transform, often under massive pressure, as industry lines blur and merge and traditional business models are assaulted and turned upside down. In this new da...
The Internet of Everything is re-shaping technology trends–moving away from “request/response” architecture to an “always-on” Streaming Web where data is in constant motion and secure, reliable communication is an absolute necessity. As more and more THINGS go online, the challenges that developers will need to address will only increase exponentially. In his session at @ThingsExpo, Todd Greene, Founder & CEO of PubNub, exploreed the current state of IoT connectivity and review key trends and t...