Welcome!

@CloudExpo Authors: Yeshim Deniz, William Schmarzo, Carmen Gonzalez, Elizabeth White, Liz McMillan

Blog Feed Post

COTS Cloud security reference design and related NIST workshop

By

NISTSince the beginning of the modern Cloud movement (which we trace to November 2006 — see here if you want to know why) technologists have been seeking ways to mitigate key risks. Top on our list include

1) The increased risk due to multi-tenancy

2) The mission needs of availability (including the need for always available path to resources)

3) New and at times nuanced challenges regarding data confidentiality

4) New challenges regarding integrity of data.

There are many other policy related risks that planners must consider, including how to establish the best user authentication methods and how to ensure compliance with regulations and laws of the geography that holds the data. But for a technologist, the four above are a continual concern, and if those technical concerns are mitigated it makes other concerns so much easier to deal with.

That is why we read with such great pleasure a recent announcement that NIST is continuing to work with industry to ensure advancements are being made in cloud security. The NIST National Cyber Center of Excellence (NNCOE) in Rockville, MD is a focal point for many great industry/government interactions, including a workshop at their facility January 14 that we are especially excited about.

This workshop is on the topic of  Trusted Geo location in the Cloud. It is a proof of concept implementation that uses technology that has proven to be the most scalable technology on the globe: Intel processors.  Technologists presenting and discussing these developments come from Intel, EMC-RSA, NIST and the NCCoE. This will be a great workshop that includes hands-on demonstrations of this technology, and we believe it will show ways to help mitigate all four of the challenges we  provide above.

Following the workshop the NCCoE will have a two day cloud computing event (details can be found on that here)

From the workshop flyer:

An upcoming workshop to be held at the NIST National Cyber Center of Excellence (NNCOE) facility in Rockville, MD on Monday, January 14th on Trusted Geo location in the Cloud : Proof of Concept Implementation.

There is a very interesting workshop being provided to a technical audience next week on Monday the 14th by NIST and private industry on a cloud use case embracing the security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation.

The motivation behind this use case is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers. A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform. This information is accessed using secure protocols to assert the integrity of the platform and confirm the location of the host.

At the heart of the solution is a reference design provided through the utilization of commercial off the shelf (COTS) products provided by Intel, VmWare and RSA Archer. The use case is of significant relevance to US Federal agencies in solving the security problem in question: improving the security of virtualized infrastructure cloud computing technologies by enforcing geolocation restrictions.

NIST now moves in conjunction with private industry in a workshop specific to this research (attached to this email) that explains and details how to implement this trusted cloud solution on January 14th at the NIST National Cyber Center of Excellence (NCCOE).

Audience 

This workshop and IR document has been created for security researchers, cloud computing practitioners, system integrators, and other parties interested in techniques for solving the security problem in question: improving the security of virtualized infrastructure cloud computing technologies by enforcing geolocation restrictions. 2:00 PM – 2:15 PM  NCCoE Introduction NIST 
2:15 PM – 2:30 PM  Trusted Cloud Description NIST 
2:30 PM – 2:45 PM  Trusted Geolocation in the Cloud Implementation – Trusted Measurement and Remote Attestation Intel Corporation 
2:45 PM – 3:00 PM  Trusted Geolocation in the Cloud Trusted – Monitoring of Measurements in a Governance, Risk, and Compliance Dashboard EMC-RSA 
3:00 PM – 3:15 PM  Trusted Cloud Demonstration Intel, EMC-RSA, and NIST 
3:15 PM – 4:00 PM  Questions and Answers / Hands-on Session Intel, EMC-RSA, and NIST 

 

Participation from all parties is welcomed and to register for this workshop: Please send an email with the attendee’s name, affiliation, and email address in the body of the message to [email protected], with the subject “Trusted Location in the cloud” by January 13, 2013.

This workshop is now part of their Big Data and Cloud Computing Workshop to be held at the NIST HQ in Gaithersburg, MD on January 15-17. http://www.nist.gov/itl/cloud/cloudbdworkshop.cfm

The importance of this secure cloud computing proof of concept can be found in the NIST Draft publication at the following link to the publication which details this reference design and clearry delineates how to stand up this secure cloud structure. The NIST Interagency Report (NISTIR) is a public/ private collaboration with co-authors from both NIST and private industry authors and is now taking public comments: http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf

____________________________________________________________________________________

Background Information taken from NISTIR 7904:

Shared cloud computing technologies are designed to be very agile and flexible, transparently using whatever resources are available to process workloads for their customers. However, there are security and privacy concerns with allowing unrestricted workload migration. Whenever multiple workloads are present on a single cloud server, there is a need to segregate those workloads from each other so that they do not interfere with each other, gain access to each other’s sensitive data, or otherwise compromise the security or privacy of the workloads. Imagine two rival companies with workloads on the same server; each company would want to ensure that the server can be trusted to protect their information from the other company.

Another concern with shared cloud computing is that workloads could move from cloud servers located in one country to servers located in another country. Each country has its own laws for data security, privacy, and other aspects of information technology (IT). Because the requirements of these laws may conflict with an organization’s policies or mandates (e.g., laws, regulations), an organization may decide that it needs to restrict which cloud servers it uses based on their location. A common desire is to only use cloud servers physically located within the same country as the organization. Determining the approximate physical location of an object, such as a cloud computing server, is generally known as geolocation. Geolocation can be accomplished in many ways, with varying degrees of accuracy, but traditional geolocation methods are not secured and they are enforced through management and operational controls that cannot be automated and scaled, and therefore traditional geolocation methods cannot be trusted to meet cloud security needs.

The motivation behind this use case is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers. A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform. The hardware root of trust is seeded by the organization, with the host’s unique identifier and platform metadata stored in tamperproof hardware. This information is accessed using secure protocols to assert the integrity of the platform and confirm the location of the host.

NIST now moves in conjunction with private industry in a workshop specific to this research (attached to this email) that explains and details how to implement this trusted cloud solution on January 14th at the NIST National Cyber Center of Excellence (NCCOE). This workshop is now part of their Big Data and Cloud Computing Workshop to be held at the NIST HQ in Gaithersburg, MD on January 15-17. http://www.nist.gov/itl/cloud/cloudbdworkshop.cfm

Here is the link to the publication from both NIST and private industry authors that is now taking public comments: http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf

For media interviews and comments, please contact:

Kevin Fiftal

Intel Corporation

 

Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder and partner at Cognitio Corp and publsher of CTOvision.com

@CloudExpo Stories
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
SYS-CON Events announced today that Tintri, Inc, a leading provider of enterprise cloud infrastructure, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Tintri offers an enterprise cloud platform built with public cloud-like web services and RESTful APIs. Organizations use Tintri all-flash storage with scale-out and automation as a foundation for their own clouds – to build agile development environments...
SYS-CON Events announced today that DivvyCloud will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating security, compliance and cost optimization of public and private cloud infrastructure. Using DivvyCloud, customers can leverage programmatic Bots to identify and remediate common cloud problems in rea...
SYS-CON Events announced today that Carbonite will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Carbonite protects your entire IT footprint with the right level of protection for each workload, ensuring lower costs and dependable solutions with DoubleTake and Evault.
SYS-CON Events announced today that Technologic Systems Inc., an embedded systems solutions company, will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Technologic Systems is an embedded systems company with headquarters in Fountain Hills, Arizona. They have been in business for 32 years, helping more than 8,000 OEM customers and building over a hundred COTS products that have never been discontinued. Technologic Systems’ pr...
SYS-CON Events announced today that Tappest will exhibit MooseFS at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. MooseFS is a breakthrough concept in the storage industry. It allows you to secure stored data with either duplication or erasure coding using any server. The newest – 4.0 version of the software enables users to maintain the redundancy level with even 50% less hard drive space required. The software func...
SYS-CON Events announced today that EARP will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "We are a software house, so we perfectly understand challenges that other software houses face in their projects. We can augment a team, that will work with the same standards and processes as our partners' internal teams. Our teams will deliver the same quality within the required time and budget just as our partn...
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists will examine how DevOps helps to meet th...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory?
Most technology leaders, contemporary and from the hardware era, are reshaping their businesses to do software in the hope of capturing value in IoT. Although IoT is relatively new in the market, it has already gone through many promotional terms such as IoE, IoX, SDX, Edge/Fog, Mist Compute, etc. Ultimately, irrespective of the name, it is about deriving value from independent software assets participating in an ecosystem as one comprehensive solution.
SYS-CON Events announced today that A&I Solutions has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 1999, A&I Solutions is a leading information technology (IT) software and services provider focusing on best-in-class enterprise solutions. By partnering with industry leaders in technology, A&I assures customers high performance levels across all IT environments including: mai...
SYS-CON Events announced today that Systena America will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT serv...
Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner's company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.
While some vendors scramble to create and sell you a fancy solution for monitoring your spanking new Amazon Lambdas, hear how you can do it on the cheap using just built-in Java APIs yourself. By exploiting a little-known fact that Lambdas aren’t exactly single threaded, you can effectively identify hot spots in your serverless code. In his session at 20th Cloud Expo, David Martin, Principal Product Owner at CA Technologies, will give a live demonstration and code walkthrough, showing how to ov...