Welcome!

@CloudExpo Authors: Yeshim Deniz, Liz McMillan, Pat Romanski, Elizabeth White, Jason Bloomberg

Blog Feed Post

COTS Cloud security reference design and related NIST workshop

By

NISTSince the beginning of the modern Cloud movement (which we trace to November 2006 — see here if you want to know why) technologists have been seeking ways to mitigate key risks. Top on our list include

1) The increased risk due to multi-tenancy

2) The mission needs of availability (including the need for always available path to resources)

3) New and at times nuanced challenges regarding data confidentiality

4) New challenges regarding integrity of data.

There are many other policy related risks that planners must consider, including how to establish the best user authentication methods and how to ensure compliance with regulations and laws of the geography that holds the data. But for a technologist, the four above are a continual concern, and if those technical concerns are mitigated it makes other concerns so much easier to deal with.

That is why we read with such great pleasure a recent announcement that NIST is continuing to work with industry to ensure advancements are being made in cloud security. The NIST National Cyber Center of Excellence (NNCOE) in Rockville, MD is a focal point for many great industry/government interactions, including a workshop at their facility January 14 that we are especially excited about.

This workshop is on the topic of  Trusted Geo location in the Cloud. It is a proof of concept implementation that uses technology that has proven to be the most scalable technology on the globe: Intel processors.  Technologists presenting and discussing these developments come from Intel, EMC-RSA, NIST and the NCCoE. This will be a great workshop that includes hands-on demonstrations of this technology, and we believe it will show ways to help mitigate all four of the challenges we  provide above.

Following the workshop the NCCoE will have a two day cloud computing event (details can be found on that here)

From the workshop flyer:

An upcoming workshop to be held at the NIST National Cyber Center of Excellence (NNCOE) facility in Rockville, MD on Monday, January 14th on Trusted Geo location in the Cloud : Proof of Concept Implementation.

There is a very interesting workshop being provided to a technical audience next week on Monday the 14th by NIST and private industry on a cloud use case embracing the security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation.

The motivation behind this use case is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers. A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform. This information is accessed using secure protocols to assert the integrity of the platform and confirm the location of the host.

At the heart of the solution is a reference design provided through the utilization of commercial off the shelf (COTS) products provided by Intel, VmWare and RSA Archer. The use case is of significant relevance to US Federal agencies in solving the security problem in question: improving the security of virtualized infrastructure cloud computing technologies by enforcing geolocation restrictions.

NIST now moves in conjunction with private industry in a workshop specific to this research (attached to this email) that explains and details how to implement this trusted cloud solution on January 14th at the NIST National Cyber Center of Excellence (NCCOE).

Audience 

This workshop and IR document has been created for security researchers, cloud computing practitioners, system integrators, and other parties interested in techniques for solving the security problem in question: improving the security of virtualized infrastructure cloud computing technologies by enforcing geolocation restrictions. 2:00 PM – 2:15 PM  NCCoE Introduction NIST 
2:15 PM – 2:30 PM  Trusted Cloud Description NIST 
2:30 PM – 2:45 PM  Trusted Geolocation in the Cloud Implementation – Trusted Measurement and Remote Attestation Intel Corporation 
2:45 PM – 3:00 PM  Trusted Geolocation in the Cloud Trusted – Monitoring of Measurements in a Governance, Risk, and Compliance Dashboard EMC-RSA 
3:00 PM – 3:15 PM  Trusted Cloud Demonstration Intel, EMC-RSA, and NIST 
3:15 PM – 4:00 PM  Questions and Answers / Hands-on Session Intel, EMC-RSA, and NIST 

 

Participation from all parties is welcomed and to register for this workshop: Please send an email with the attendee’s name, affiliation, and email address in the body of the message to [email protected], with the subject “Trusted Location in the cloud” by January 13, 2013.

This workshop is now part of their Big Data and Cloud Computing Workshop to be held at the NIST HQ in Gaithersburg, MD on January 15-17. http://www.nist.gov/itl/cloud/cloudbdworkshop.cfm

The importance of this secure cloud computing proof of concept can be found in the NIST Draft publication at the following link to the publication which details this reference design and clearry delineates how to stand up this secure cloud structure. The NIST Interagency Report (NISTIR) is a public/ private collaboration with co-authors from both NIST and private industry authors and is now taking public comments: http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf

____________________________________________________________________________________

Background Information taken from NISTIR 7904:

Shared cloud computing technologies are designed to be very agile and flexible, transparently using whatever resources are available to process workloads for their customers. However, there are security and privacy concerns with allowing unrestricted workload migration. Whenever multiple workloads are present on a single cloud server, there is a need to segregate those workloads from each other so that they do not interfere with each other, gain access to each other’s sensitive data, or otherwise compromise the security or privacy of the workloads. Imagine two rival companies with workloads on the same server; each company would want to ensure that the server can be trusted to protect their information from the other company.

Another concern with shared cloud computing is that workloads could move from cloud servers located in one country to servers located in another country. Each country has its own laws for data security, privacy, and other aspects of information technology (IT). Because the requirements of these laws may conflict with an organization’s policies or mandates (e.g., laws, regulations), an organization may decide that it needs to restrict which cloud servers it uses based on their location. A common desire is to only use cloud servers physically located within the same country as the organization. Determining the approximate physical location of an object, such as a cloud computing server, is generally known as geolocation. Geolocation can be accomplished in many ways, with varying degrees of accuracy, but traditional geolocation methods are not secured and they are enforced through management and operational controls that cannot be automated and scaled, and therefore traditional geolocation methods cannot be trusted to meet cloud security needs.

The motivation behind this use case is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers. A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform. The hardware root of trust is seeded by the organization, with the host’s unique identifier and platform metadata stored in tamperproof hardware. This information is accessed using secure protocols to assert the integrity of the platform and confirm the location of the host.

NIST now moves in conjunction with private industry in a workshop specific to this research (attached to this email) that explains and details how to implement this trusted cloud solution on January 14th at the NIST National Cyber Center of Excellence (NCCOE). This workshop is now part of their Big Data and Cloud Computing Workshop to be held at the NIST HQ in Gaithersburg, MD on January 15-17. http://www.nist.gov/itl/cloud/cloudbdworkshop.cfm

Here is the link to the publication from both NIST and private industry authors that is now taking public comments: http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf

For media interviews and comments, please contact:

Kevin Fiftal

Intel Corporation

 

Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com

@CloudExpo Stories
In this presentation, you will learn first hand what works and what doesn't while architecting and deploying OpenStack. Some of the topics will include:- best practices for creating repeatable deployments of OpenStack- multi-site considerations- how to customize OpenStack to integrate with your existing systems and security best practices.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
Evan Kirstel is an internationally recognized thought leader and social media influencer in IoT (#1 in 2017), Cloud, Data Security (2016), Health Tech (#9 in 2017), Digital Health (#6 in 2016), B2B Marketing (#5 in 2015), AI, Smart Home, Digital (2017), IIoT (#1 in 2017) and Telecom/Wireless/5G. His connections are a "Who's Who" in these technologies, He is in the top 10 most mentioned/re-tweeted by CMOs and CIOs (2016) and have been recently named 5th most influential B2B marketeer in the US. H...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
"With Digital Experience Monitoring what used to be a simple visit to a web page has exploded into app on phones, data from social media feeds, competitive benchmarking - these are all components that are only available because of some type of digital asset," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Venafi has a platform that allows you to manage, centralize and automate the complete life cycle of keys and certificates within the organization," explained Gina Osmond, Sr. Field Marketing Manager at Venafi, in this SYS-CON.tv interview at DevOps at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Michael Maximilien, better known as max or Dr. Max, is a computer scientist with IBM. At IBM Research Triangle Park, he was a principal engineer for the worldwide industry point-of-sale standard: JavaPOS. At IBM Research, some highlights include pioneering research on semantic Web services, mashups, and cloud computing, and platform-as-a-service. He joined the IBM Cloud Labs in 2014 and works closely with Pivotal Inc., to help make the Cloud Found the best PaaS.
Creating replica copies to tolerate a certain number of failures is easy, but very expensive at cloud-scale. Conventional RAID has lower overhead, but it is limited in the number of failures it can tolerate. And the management is like herding cats (overseeing capacity, rebuilds, migrations, and degraded performance). In his general session at 18th Cloud Expo, Scott Cleland, Senior Director of Product Marketing for the HGST Cloud Infrastructure Business Unit, discussed how a new approach is neces...
"This week we're really focusing on scalability, asset preservation and how do you back up to the cloud and in the cloud with object storage, which is really a new way of attacking dealing with your file, your blocked data, where you put it and how you access it," stated Jeff Greenwald, Senior Director of Market Development at HGST, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
"We work around really protecting the confidentiality of information, and by doing so we've developed implementations of encryption through a patented process that is known as superencipherment," explained Richard Blech, CEO of Secure Channels Inc., in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis tool. It is an extremely lightweight tool that can integrate with pretty much any build process right now," explained Andrew Siegmund, Application Migration Specialist for CAST, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
The Founder of NostaLab and a member of the Google Health Advisory Board, John is a unique combination of strategic thinker, marketer and entrepreneur. His career was built on the "science of advertising" combining strategy, creativity and marketing for industry-leading results. Combined with his ability to communicate complicated scientific concepts in a way that consumers and scientists alike can appreciate, John is a sought-after speaker for conferences on the forefront of healthcare science,...
"Software-defined storage is a big problem in this industry because so many people have different definitions as they see fit to use it," stated Peter McCallum, VP of Datacenter Solutions at FalconStor Software, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
"Our strategy is to focus on the hyperscale providers - AWS, Azure, and Google. Over the last year we saw that a lot of developers need to learn how to do their job in the cloud and we see this DevOps movement that we are catering to with our content," stated Alessandro Fasan, Head of Global Sales at Cloud Academy, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
"We're focused on how to get some of the attributes that you would expect from an Amazon, Azure, Google, and doing that on-prem. We believe today that you can actually get those types of things done with certain architectures available in the market today," explained Steve Conner, VP of Sales at Cloudistics, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
As organizations shift towards IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. Commvault can ensure protection, access and E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his general session at 18th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Part...
Andi Mann, Chief Technology Advocate at Splunk, is an accomplished digital business executive with extensive global expertise as a strategist, technologist, innovator, marketer, and communicator. For over 30 years across five continents, he has built success with Fortune 500 corporations, vendors, governments, and as a leading research analyst and consultant.