How to ensure trusted geolocation of data in the cloud
Connecting state and local government leaders
The first product of the NCCOE is a demonstration of a geolocation scheme to let end users validate that work being done in the cloud is being done in a secure location.
The National Cybersecurity Center of Excellence still is ramping up to full operational capability, but it has collaborated with industry to produce a scheme for ensuring trusted geolocation of work being done in the cloud.
This first product was published as an interagency report by the National Institute of Standards and Technology to address the challenges presented when sensitive applications or computing jobs are moved into a cloud where the user does not have direct control of the infrastructure.
“We have released a demonstration of how the end user can validate that the workload is in a secure location, and trace it through a hardware root of trust,” said Nate Lesser, deputy director of the NCCOE.
The draft report, “Trusted Geolocation in the Cloud: Proof of Concept Implementation,” is an example of the solutions to security challenges faced by government and industry that the center of excellence will produce. The center focuses on implementing existing technology rather than developing new ones. The proof of concept provides a template that can be used by the general security community, with enough details so that it can be reproduced.
“Shared cloud computing technologies are designed to be very agile and flexible, transparently using whatever resources are available to process workloads for their customers,” the report says in outlining the problem. “However, there are security and privacy concerns with allowing unrestricted workload migration.”
The proof of concept offered is intended to “improve the security of cloud computing and accelerate the adoption of cloud computing technologies.”
Workloads on the same server need to be segregated to ensure privacy and security, and the physical location of the server doing the work can be important because security laws and policies vary from place to place. All of this means that end users need a way to track where their work is going. To do this, NCCOE proposes using an automated hardware root of trust.
“A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform,” the report says. “The hardware root of trust is seeded by the organization, with the host’s unique identifier and platform metadata stored in tamperproof hardware. This information is accessed using secure protocols to assert the integrity of the platform and confirm the location of the host.”
Intel Trusted Execution Technology (Intel TXT) is used to securely house the information. Intel TXT is a set of enhanced hardware components, including the microprocessor, chipset and input/output subsystems, designed to protect sensitive information from software-based attacks.
The trusted geolocation scheme is in limited use now, but some technical challenges remain to practical implementation. The workflow is complex and needs to be automated to ensure that it scales and performs consistently. The proof of concept scheme could help trusted geolocation become a standard cloud vendor offering.
This NIST diagram shows the five generic steps to the operation of the stage 1 solution.
1. Server A performs an Intel TXT measured launch, with Intel TXT populating the platform configuration registers (PCR) values.
2. Server A sends a Trusted Platform Module (TPM) quote to the trust authority. The TPM quote includes signed hashes of the BIOS, TBOOT, ESX, and geotag values.
3. The trust authority verifies the signature and hash values and sends an authorization token to server A.
4. Server A’s management layer executes a policy-based action (in this case, a VM transfer to server B).
5. Server A and server B get audited periodically based on their PCR values.