Seeding the Cloud with Trust: Real World Trusted Multi-Tenancy Use Cases Emerge
Cloud providers, large and small, must provide flexible services and avoid data failures to attract and keep clients. However, this is just the start. Perhaps the most difficult business aspect they face is ensuring privacy, security, and compliance of data and services over a network when renting other companies infrastructure such as data centers, computing capacity, and information systems.
As the demand for this rental model continues to gain traction, every end-user organization seeks high operational efficiency of its resources while reducing the operational cost of maintaining a standalone infrastructure. It is becoming increasingly critical to enable trust models and interoperability that support secure multi-tenant use and management of back-end infrastructure, and permit the sharing of high-density IT resources.
Long before the term cloud computing became the industry's darling buzzword, suppliers that develop the enabling hardware and software, companies that make end products and services, and large security-conscious user organizations were concerned about improving computer and enterprise security. These industry leaders joined together to develop standardized techniques to thwart the malicious intent of unauthorized parties.
Since establishing the Trusted Computing Group (TCG) as a not-for-profit organization a decade ago, experts from over 100 companies have created industry standard specifications to establish trust in computers, servers, networks, storage devices, portable communication devices, and more. Hardware and software that implement these standards allow users to obtain consistent, expected behavior - an improved level of trust - from all of these items. With cloud computing and the unique exposure it gives corporate assets, TCG formed a new work group (WG) to bring these point solutions together in a comprehensive architecture.
Trusted Multi-tenant Infrastructure (TMI)
TCG's Trusted Multi-Tenant Infrastructure (TMI) architecture is an open framework that defines end-to-end reference models for the practical deployment of trusted cloud or shared infrastructures. The benefits of TMI include:
- Identified trust activities and relationships between provider and consumer.
- Maximized scalability and hardware utilization of the cloud without compromising security.
- Enhanced information sharing, in a trusted manner, between consumers and providers.
- Increased accountability of consumers and providers within the cloud.
- Reduced hardware footprint and lower costs than dedicated physical hardware.
- Standards compliance addressed from the beginning.
- A defense-in-depth enterprise environment.
The TMI architecture provides the guidance that allows IT experts to understand how all the trusted pieces can be glued together to solve the business security problem for their organization. The intent is a common approach, rather than solutions that vary from company to company, configured by the experts that defined the specifications for PCs, networks, storage media, and other equipment.
As a result, the TMI architecture will not be a point specification like other TCG standards. Rather than a technical standards work group, the TMI WG is a solution-oriented work group whose goal is a reference framework focused on how to glue the pieces together. The reference framework for a shared infrastructure environment is based on three core functions: establishment of a trusted context between parties, exchange of information between parties within that trusted context, and policy enforcement.
Avoiding a Security Breach: Integrating Industry Standards
To avoid a weak link in enterprise security, trust must be established in all the components in the infrastructure. This requires establishing a relationship, understanding the identity of all the devices and parties within the trust domain, and being able to exchange essential key material that allows signing any messages that are sent back and forth. This initial core function takes advantage of available tools including Public Key Infrastructure (PKIv3) and TCG's Trusted Platform Module (TPM), to establish a level of trust including the degree and types of information to be accepted between parties. With this function in place, trusted communication can occur between all the elements.
The second core function requires all exchanged information to conform to the trusted context. Once again, the TPM provides attestation to ensure that information exchange between parties occurs within the bounds of the trust relationship.
Maintaining the trust relationship, the final core function, requires the ability to define and enforce policy constraints on the infrastructure. Another tool already in TCG's trust arsenal, IF-MAP (Interface for Metadata Access Points), is used to apply these policy constraints.
Use Cases and Using the TMI Architecture
The TMI architecture includes generic use cases that may apply to a provider of a Trusted Systems Domain, to a consumer of those services, or to both, as well as use cases specific to providers and to users. In the cloud, many pieces must be connected together, and each of those pieces may house information from industry competitors that needs to be kept separate. Figure 1 shows a logical view of the TMI Reference Architecture designed to provide this separation.
Figure 1. Separation is essential in a trusted reference architecture.
A User Access Device (UAD) supports connecting to one or more concurrent domains while the network represents devices that can transfer data from multiple domains. Server and storage identify federated aspects. A Federated Data Center of servers can host multiple independent domains and data is stored in a Federated Storage infrastructure. Both areas have their own common management system. Exchange identifies the logical component (both physical and virtual) that defines cross-domain information flow rules.
Once the appropriate separation level is achieved at the logical level, the next step involves managing the exchange of information between policy domains of UAD, network, server, and storage. The gateway provides that control. Figure 2 shows the interrelation of these elements.
Figure 2. Resource management is an essential aspect of establishing and maintaining trust.
In a trusted computing environment, the separation of management duties is essential. Users need to establish trusted multi-provider solutions. They want the flexibility to take some components or services from one company and include virtual machines from another source and do this as often as required to meet the organization's resource requirements.
Each of the provider organizations is responsible for managing the platforms that it owns and for establishing its terms and conditions, policies, and compliance patterns. But providers don't necessarily need to see the data inside the assets they provision for the user.
Once the user is given access to a server, the provider manages that resource as a server without knowing the specific transactions. Top-down management by the user requires managing those assets across all of its suppliers: end-to-end management of every asset that has been allocated to that policy trust domain, across however many suppliers are involved.
For the user, it is not necessary to manage the physical hardware; they simply need to manage the assets that have been allocated by a provider. So separating those into two different management areas allows users to maintain that trust relationship between the two providers, or the provider and the consumer, and do it in a manner that supports both multi-tenancy and multi-provider environments.
To achieve the separation required for the TMI architecture, use cases have been developed to address how to establish a trust domain, how to provision infrastructure components into it, and how to manage those infrastructure components. The published use cases are quite specific about the tasks an IT organization would perform in order to deploy virtual machines and other internal and cloud aspects.
The next step involves deriving a reference model from those use cases. The reference model is a set of requirements that define key aspects of a trusted multi-tenant infrastructure that must be implemented. Each requirement is mapped to a set of implementation patterns. A pattern is essentially an architecture level description on how to achieve that particular requirement.
The TMI architecture offers different patterns to meet each requirement. An architect or IT organization can choose from those patterns, which map to technical standards that can in turn be mapped to tools to configure a solution.
Those are the building blocks from which users can create trusted infrastructure solutions. The next set of documentation is implementation guidance. This process involves suggested solutions to a particular business problem by combining those building blocks in a proven manner.
The final stage is tuning the guidance for a particular industry - for example, configuring the building blocks in a way that is compliant with defense, financial or healthcare requirements. This process will provide a map on how to glue all the pieces together.
An Example of a Trusted Cloud Implementation
One of the business problems associated with the cloud involves combining cloud resources with resources within the user's enterprise. In many cases, the user doesn't have detailed insight into where the servers are, where the storage is, where the data center is, or who is operating it. After the specific service is purchased, the website returns a link to a virtual machine. From a trust standpoint, it's a lot like buying a quality watch on a street corner.
A chief information officer or IT manager needs to know that they can trust the cloud-based server to be compliant with the IT policies of the organization. Within the organization, those policies are generally well known. For example, from a U.S. government point of view, the servers have to be within the U.S., the data center has to be Federal Information Security Management Act (FISMA) compliant, and many of the components have to be Federal Information Processing Standards (FIPS) or Common Criteria certified before they can be used to either process or store government data.
A potential user needs a way to ask the infrastructure questions and get answers that have some level of integrity to determine that the responses are indeed true. The TMI solution starts by putting the patterns together to establish a trust relationship with a potential provider and overlay the three core functions. This provides the ability to have a policy discussion and establish a trust domain. The use cases establish the set of policies that need to be enforced. Once these steps are taken, the user can "interview" potential suppliers to see if they are willing to provide resources that are compliant with the organization's policies.
When it comes time to provision a virtual machine, the user can select a supplier that has committed to implement the organization's operational policies. Once the virtual machine is provisioned, the user has the TPM and other TCG technologies to measure the integrity of that device and return a credential to identify that it is the right device and the right provider so it can be included in the organization's infrastructure solution. With these credentials, the enterprise has almost the same level of trust that would exist if the server resided in its own data center and was operated by people hired as dedicated employees.
Ultimately, if an organization has a domain that includes resources from both on premise data centers and devices from the cloud, IT needs to know that every device included from outside of the organization has been uniquely measured and its compliance verified. Once this is performed, there are no unknowns within the domain. This establishes the level of trust required to transmit data within that ecosystem.
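The three core functions (trusted context, attested exchange, policy enforcement) and the provisioning check just described can be seen in a short simulation. The following Python is an added example, not code from TCG or from the TMI documents: a consuming organization issues a nonce, the provider's platform returns a quote that binds its measurements and claims to that nonce, and the verifier accepts the host only if the quote is fresh, intact, matches the expected measurements, and satisfies the agreed policy. The attestation signature is simulated with an HMAC under a key shared out of band; a real TPM signs quotes with an asymmetric attestation key whose certificate chains to the provider's PKI. PCR indices, component names, golden values and the `region`/`fisma_compliant` attributes are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed demo key shared out of band between provider and verifier.
# A real TPM signs quotes with an asymmetric attestation key; HMAC is a stand-in only.
DEMO_ATTESTATION_KEY = b"constructed-demo-key-not-a-real-tpm-key"


def measure(component: str) -> str:
    """Stand-in for a PCR extend: the hash a platform would record for a component."""
    return hashlib.sha256(component.encode()).hexdigest()


# "Golden" measurements the consuming organization expects for a compliant host,
# keyed by PCR index (constructed values, hypothetical component names).
GOLDEN_PCRS = {
    0: measure("firmware-v2.1-fips-validated"),
    4: measure("bootloader-signed"),
    7: measure("hypervisor-common-criteria"),
}

# Operational policy agreed when the trust domain was established (constructed).
ORG_POLICY = {"region": "US", "fisma_compliant": True}


def pcr_digest(pcrs: dict) -> str:
    """Digest over all PCR values, in index order, as a quote would bind them."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(f"{idx}:{pcrs[idx]};".encode())
    return h.hexdigest()


def quote_message(pcrs: dict, attributes: dict, nonce: bytes) -> bytes:
    """Canonical bytes that the attestation signature covers."""
    claims = "&".join(f"{k}={v}" for k, v in sorted(attributes.items()))
    return f"{pcr_digest(pcrs)}|{claims}|{nonce.hex()}".encode()


def make_quote(pcrs: dict, attributes: dict, nonce: bytes, key: bytes = DEMO_ATTESTATION_KEY) -> dict:
    """Provider side: sign the current measurements and claims over the verifier's nonce."""
    sig = hmac.new(key, quote_message(pcrs, attributes, nonce), hashlib.sha256).hexdigest()
    return {"pcrs": dict(pcrs), "attributes": dict(attributes), "nonce": nonce, "sig": sig}


def verify_quote(quote: dict, expected_nonce: bytes, golden: dict = GOLDEN_PCRS,
                 policy: dict = ORG_POLICY, key: bytes = DEMO_ATTESTATION_KEY):
    """Consumer side: return (accepted, reasons) for a provider's quote."""
    problems = []
    # 1. Freshness: the quote must answer the nonce this verifier issued.
    if not hmac.compare_digest(quote["nonce"], expected_nonce):
        problems.append("nonce mismatch: stale or replayed quote")
    # 2. Integrity: the signature must cover exactly the PCRs and claims received.
    expected_sig = hmac.new(key, quote_message(quote["pcrs"], quote["attributes"], quote["nonce"]),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        problems.append("signature invalid: quote altered or not from the trusted platform")
    # 3. Measurements: every PCR the policy cares about must match its golden value.
    for idx, want in golden.items():
        if quote["pcrs"].get(idx) != want:
            problems.append(f"PCR{idx} differs from the expected measurement")
    # 4. Policy: the attested claims must satisfy the organization's policy.
    for k, want in policy.items():
        if quote["attributes"].get(k) != want:
            problems.append(f"policy attribute {k!r} not satisfied")
    return (not problems, problems)


def demo() -> dict:
    """Run the exchange for a compliant host and three variants a verifier must reject."""
    nonce = os.urandom(16)
    compliant_claims = {"region": "US", "fisma_compliant": True}
    good = make_quote(GOLDEN_PCRS, compliant_claims, nonce)

    # Hypervisor image differs from the certified one: genuine quote, wrong measurement.
    drifted = {**GOLDEN_PCRS, 7: measure("hypervisor-unknown-build")}
    wrong_sw = make_quote(drifted, compliant_claims, nonce)

    # Quote produced for an earlier challenge and resent.
    replayed = make_quote(GOLDEN_PCRS, compliant_claims, os.urandom(16))

    # Claims edited after signing: the signature no longer matches what was received.
    forged = make_quote(GOLDEN_PCRS, {"region": "EU", "fisma_compliant": True}, nonce)
    forged["attributes"]["region"] = "US"

    return {
        "compliant": verify_quote(good, nonce)[0],
        "wrong_software": verify_quote(wrong_sw, nonce)[0],
        "replayed": verify_quote(replayed, nonce)[0],
        "forged_claims": verify_quote(forged, nonce)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The order of checks matters less than their completeness: a quote with a valid signature over the wrong hypervisor measurement is exactly the case the TPM is meant to expose, so the verifier compares measurements against golden values rather than trusting the signature alone, and it rejects a quote over a nonce it did not issue even when every other field looks right.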
The process is very similar for other organizations, such as financial or healthcare institutions, once those organizations' unique policies are taken into account. For healthcare, the Health Insurance Portability and Accountability Act (HIPAA) is the unique requirement; for financial transactions, it is the PCI Data Security Standard (PCI DSS). The approach can even be simplified to an individual consumer's point of view: when a person receives an email with an embedded link and the credentials behind it are not correct, a "do not trust" message can be transmitted.
In all of these cases there is a lot of commonality: the same underpinning as the government use case. It is just a matter of how the cloud solution is configured.
Pulling It All Together
Describing the overall cloud security problem tends to be a lot like the classic situation of describing an elephant without being able to see it. Everyone that approaches the topic sees something different. TCG's approach addresses the problem from an infrastructure point of view.
In contrast, other organizations, such as the Distributed Management Task Force (DMTF), are concerned with building trust in applications or in virtualization. In addition, there are risk and compliance models such as those developed by the Cloud Security Alliance. In fact, there are many things an organization can do to achieve a trusted enterprise.
TCG's TMI architecture is by no means the entire solution for securing the cloud, but it does uniquely address the problems of trusted infrastructure. While it does not solve all cloud security problems, for IT managers TMI could be among the most important cloud security aspects to consider.
The Trusted Computing Group (TCG) provides open standards that enable a safer computing environment across platforms and geographies. Benefits of Trusted Computing include protection of business-critical data and systems, secure authentication and strong protection of user identities, and the establishment of strong machine identity and network integrity. Organizations using built-in, widely available trusted hardware and applications reduce their total cost of ownership. TCG technologies also provide regulatory compliance that is based upon trustworthy hardware. TCG's specifications are implemented by manufacturers of PCs, servers, networking gear, applications and other software, hard drives and embedded devices. More information and the organization's specifications and work groups are available at the Trusted Computing Group's website, www.trustedcomputinggroup.org.
People interested in participating in the TMI work group can contact the co-chairmen, Michael Donovan and Erik Visnyak.