Security is an ever-present consideration for applications and data in the cloud. It is a concern for executives trying to come up with criteria for migrating an application, for marketing organizations in trying to position the company in a good light as enlightened technology adopters, for application architects attempting to build a safe foundation and operations staff making sure bad guys don’t have a field day. It does not matter whether an application is a candidate for migration to the cloud or it already runs using cloud-based components. It does not even matter that an application has managed to run for years in the cloud without a major breach: an unblemished record does not entitle an organization to claim to be home free in matters of security; its executives are acutely aware that resting on their laurels regardless of an unblemished record is an invitation to disaster; and certainly past performance is no predictor for future gains.

Irrespective of whom you ask, security is arguably the biggest inhibitor for the broader adoption of cloud computing. Many organizations will need to apply best practices security standards that set a much higher bar than that for on-premise systems, in order to dislodge that incumbent on-premise alternative. The migration or adoption of cloud services then can provide an advantage, in that firms can design, from the ground up, their new cloud-based infrastructures with security “baked-in;” this is in contrast to the piecemeal and “after the fact” or “bolted-on” nature of security seen in most data centers today. But even a baked-in approach has its nuances, as we shall see in Chapter 1. Cloud service providers are hard at work building a secure infrastructure as the foundation for enabling multi-tenancy and providing the instrumentation, visibility, and control that organizations demand. They are beginning to treat security as an integration concern to be addressed as a service like performance, power consumption, and uptime. This provides a flexibility and granularity wherein solution architects design in as much security as their particular situation demands: security for a financial services industry (FSI) or an enterprise resource planning (ERP) application will be different from security for a bunch of product brochures, yet they both may use storage services from the same provider, which demands a high level of integrity, confidentiality, and protection.

Some practices—for instance, using resources in internal private clouds as opposed to public, third-party hosted clouds—while conferring some tactical advantages do not address fundamental security issues, such as perimeter walls made of virtual Swiss cheese where data can pass through anytime. We would like to propose a different approach: to anchor a security infrastructure in the silicon that runs the volume servers in almost every data center. However, end users running mobile applications don’t see the servers. What we’ll do is define a logical chain of trust rooted in hardware, in a manner not unlike a geometry system built out of a small set of axioms. We use the hardware to ensure the integrity of the firmware: BIOS code running in the chipset and firmware taking care of the server’s housekeeping functions. This provides a solid platform on which to run software: the hypervisor environment and operating systems. Each software component is “measured” initially and verified against a “known good” with the root of trust anchored in the hardware trust chain, thereby providing a trusted platform to launch applications.

We assume that readers are already familiar with cloud technology and are interested in a deeper exploration of security aspects. We’ll cover some cloud technology principles, primarily with the purpose of establishing a vocabulary from which to build a discussion of security topics (offered here with no tutorial intent). Our goal is to discuss the principles of cloud security, the challenges companies face as they move into the cloud, and the infrastructure requirements to address security requirements. The content is intended for a technical audience and provides architectural, design, and code samples as needed to show how to provision and deploy trusted clouds. While documentation for low-level technology components such as trusted platform modules and the basics of secure boot is not difficult to find from vendor specifications, the contextual perspective—a usage-centric approach describing how the different components are integrated into trusted virtualized platforms—has been missing from the literature. This book is a first attempt at filling this gap through actual proof of concept implementations and a few initial commercial implementations. The implementation of secure platforms is an emerging and fast evolving issue. This is not a definitive treatment by a long measure, and trying to compile one at this early juncture would be unrealistic. Timeliness is a more pressing consideration, and the authors hope that this material will stimulate the curiosity of the reader and encourage the community to replicate the results, leading to new deployments and, in the process, advancing the state of the art.

There are three key trends impacting security in the enterprise and cloud data centers:

• The evolution of IT architectures. This is pertinent especially with the adoption of virtualization and now cloud computing. Multi-tenancy and consolidation are driving significant operational efficiencies, enabling multiple lines of business and tenants to share the infrastructure. This consolidation and co-tenancy provide a new dimension and attack vector. How do you ensure the same level of security and control in an infrastructure that is not owned and operated by you? Outsourcing, cross-business, and cross-supply chain collaboration are breaking through the perimeter of traditional security models. These new models are blurring the distinction between data “inside” an organization and that which exists “outside” of those boundaries. The data itself is the new perimeter.
• The sophistication of attacks. No longer are attacks targeted at software and no longer are the hackers intent on gaining bragging rights. Attacks are sophisticated and targeted toward gaining control of assets, and with staying hidden. These attacks have progressively moved closer to the lower layers of the platform: firmware, BIOS, and the hypervisor hosting the virtual machine operating environment. Traditionally, controls in these lower layers are few, allowing malware to hide. With multi-tenancy and consolidation through virtualization, taking control of a platform could provide significant leverage and a large attack surface. How does an organization get out of this quandary and institute controls to verify the integrity of the infrastructure on which their mission-critical applications can run? How do they prove to their auditors that the security controls and procedures in effect are still enforced even when their information systems are hosted at a cloud provider?
• The growing legal and regulatory burden. Compliance requirements have increased significatly for IT practitioners and line-of-business owners. The cost of securing data and the risks of unsecured personally identifiable data, intellectual property, or financial data, as well as the implications of noncompliance to regulations, are very high. Additionally, the number of regulations and mandates involved are putting additional burdens on IT organizations.

Clearly, cloud security is a broad area with cross-cutting concerns that involve technology, products, and solutions that span mobility, networks security, web security, messaging security, protection of data or content and storage, identity management, hypervisor and platform security, firewalls, and audit and compliance, among other concerns. Looking at security from a tools and products perspective is an interesting approach. However, an IT practitioner in an enterprise or a cloud service provider iscompelled to look at usages and needs at the infrastructure level, and to provide a set of cohesive solutions that address business security concerns and requirements. Equally intriguing is to look at the usages that a private cloud or a public cloud have so as to address the following needs:

• For service providers to deliver enterprise-grade solutions. What does this compliant cloud look like? What are its attributes and behaviors?
• For developers, service integrators, and operators to deliver protected applications and workloads from and in the cloud. Irrespective of the type of cloud service, how does a service developer protect the static and the dynamic workload contents and data?
• For service components and users alike to granularly manage, authenticate, and assign trust for both devices and users.

Intel has been hard at work with its partners and as fellow travelers in providing comprehensive solution architectures and a cohesive set of products to not only address these questions but also deploy e solutions in private clouds, public clouds at scale. This book brings together the contributions of various Intel technologists, architects, engineers, and marketing and solution development managers, as well as a few key architects from our partners.

The book has roughly four parts:

• Chapters 1 and 2 cover the context of cloud computing and the idea of security, introducing the concept of trusted clouds. They discuss the key usage models to enable and instantiate the trusted infrastructure, which is a foundational for those trusted clouds. Additionally, these chapters cover the use-models with solution architectures and component exposition.
• Chapters 3, 4, and 5 cover use-cases, solution architectures, and technology components for enabling the trusted infrastructure, with emphasis on trusted compute, the role of attestation, and attestation solutions, as well as geo-fencing and boundary control in the cloud.
• Chapters 6 and 7 provide an interesting view of identity management and control in the cloud, as well as network security in the cloud.
• Chapter 8 extends the notion of trust to the virtual machines and workloads, with reference architecture and components built on top of the trusted compute pools discussed in earlier chapters. Then, Chapter 9 provides a comprehensive exposition of secure cloud bursting reference architecture and a real-world implementation that brings together all the concepts and usages discussed in the preceeding chapters.

These chapters take us on a rewarding journey. Starting with a set of basic technology ingredients rooted in hardware, namely the ability to carry out the secure launch of programs; not just software programs, but also implemented in firmware in server platforms: the BIOS and the system firmware. We have also added other platform sensors and devices to the mix, such as TPMs, location sensors. Eventually it will be possible integrate information from other security related telemetry in the platform: encryption accelerators, secure random generators for keys, secure containers, compression accelerators, and other related entities.

With a hardened platform defined it now becomes possible to extend the scope of the initial set of security features to cloud environments. We extend the initial capability for boot integrity and protection to the next goal of data protection during its complete life cycle: data at rest, in motion and during execution. Our initial focus is on the server platform side. In practical terms we use an approach similar to building a mathematical system, starting with a small set of assertions or axioms and slowly extending the scope of the assertions until the scope becomes useful for cloud deployments. On the compute side we extend the notion of protected boot to hypervisors and operating systems running on bare metal followed by the virtual machines running on top of the hypervisors. Given the intense need in the industry secure platforms, we hope this need will motivate application vendors and system integrators to extend this chain of trust all the way to application points of consumption.

The next abstraction beyond trust established by secure boot is to measure the level of trust for applications running in the platform. This leads to a discussion on attestation and frameworks and processes to accomplish attestation. Beyond that there are a number of practical functions needed in working deployments, including geo-location monitoring and control (geo-fencing), extending trust to workloads, the protected launch of workloads and ensuring run time integrity of workloads and data.

The cloud presents a much more dynamic environment than previous operating environments, including consolidated virtualized environments. For instance, virtual machines may get migrated for performance or business reasons, and within the framework of secure launch, it is imperative to provide security for these virtual machines and their data while they move and where they land. This leads to the notion of trusted compute pools.

Security aspects for networks comes next. One aspect left to be developed is the role of hardened network appliances taking advantage of secure launch to complement present safe practices. Identity management is an ever present challenge due to the distributed nature of the cloud, more so than its prior incarnation in grid computing because distribution, multi-tenancy and dynamic behaviors are carried out well beyond the practices of grid computing.

Along with the conceptual discussions we sprinkle in a number of case studies in the form of proofs of concept and even a few deployments by forward thinking service providers. For the architects integrating a broad range of technology components beyond those associated with the secure launch foundation these projects provides invaluable proofs of existence, an opportunity to identify technology and interface gaps and to provide very precise feedback to standards organizations. This will help accelerate the technology learning curve for the industry as a whole, enabling a rapid reduction in the cost and time to deploy specific implementations.

The compute side is only one aspect of cloud. We’ll need to figure out how to extend this protection to the network and storage capabilities in the cloud. The experience of building a trust chain starting from a secure boot foundation helps: network and storage appliances also run on the same components used to build servers. We believe that if we follow the same rigorous approach used to build a compute trust chain, it should be possible to harden network and storage devices to the same degree we attained with the compute subsystem. From this perspective the long journey is beginning to look more than like a trailblazing path.

Some readers will shrewdly note that the IT infrastructure in data centers encompasses more than servers; it also includes networks and storage equipment. The security constructs discussed in this book relate mostly to application stacks running on server equipment, and they are still evolving. It must be noted that network and storage equipment also runs on computing equipment, and therefore one strategy for securing network and storage equipment will be precisely to build analogous trust chains applicable to the equipment. These topics are beyond the scope of this book but are certainly relevant to industry practitioners and therefore are excellent subjects for subject-matter experts to document in future papers and books.

The authors acknowledge the enormous amount of work still to be done, but by the same token, these are enormously exciting areas to explore, with the potential of delivering equally enormous value to a beleaguered security industry—an industry that has been rocked by a seemingly endless stream of ever-more sophisticated and brazen exploits. We invite industry participants in any role, whether executive, architecture, engineering, system integration, or development, to join us in broadening this path. Actually, the path to innovation will never end—this is the essence of security. However, along the way, industry participants will build a much more robust foundation to the cloud, bringing some well-deserved assurances to customers.