Enabling Trust and Security in Cloud with Intel Trusted Execution Technology
DESCRIPTION
Enabling trust and security in cloud with Intel Trusted Execution Technology. Cisco Booth Presentation from VMworld 2013.
TRANSCRIPT
James J Greene III
Sr Marketing Engineer, Security Technologies
August 2013
Enabling Trust and Security in Cloud with Intel Trusted Execution Technology (Intel TXT)
Martin Guttmann
Principal Architect, WW Data Center Group
Legal Disclaimer
Intel may make changes to specifications and product descriptions at any time, without notice.
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information on performance tests and on the performance of Intel products, visit http://www.intel.com/performance
Intel does not control or audit the design or implementation of third party benchmarks or Web sites referenced in this document. Intel encourages all of its customers to visit the referenced Web sites or others where similar performance benchmarks are reported and confirm whether the referenced benchmarks are accurate and reflect performance of systems available for purchase.
Intel processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Intel® Virtualization Technology (Intel® VT) requires a computer system with a processor, chipset, BIOS, virtual machine monitor (VMM) and applications enabled for virtualization technology. Functionality, performance or other virtualization technology benefits will vary depending on hardware and software configurations. Virtualization technology-enabled BIOS and VMM applications are currently in development.
Intel, Intel Xeon, Intel Core microarchitecture, and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see here
The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.
Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/
© 2011 Standard Performance Evaluation Corporation (SPEC) logo is reprinted with permission
Agenda
• Security trends and concerns
• Intel provides foundation for best secure processing
• Meeting the security challenge:
• Use Models and Solutions to mitigate pain points
• Examples
• Summary
Security Concerns Limit Adoption of Cloud
Better Security is Essential for Cloud Growth
IT Pro survey of key concerns:
• Say lack of visibility inhibiting private cloud adoption¹
• Lack of control over public cloud¹
• Avoid putting workloads with compliance mandates in cloud¹
57% 61% 55%
Gain visibility
Maintain control
Prove compliance
¹ McCann 2012 State of Cloud Security Global Survey, Feb 2012
Platform Attacks Moving “Down the Stack” to Gain Greater Stealth and System Control
Traditional attacks: Focused primarily on the application layer
OS infected with APTs: Threats are hidden from security products
Attacks disable security products
New stealth attacks: Embed themselves below the OS and Virtual Machine, so they can evade current solutions
Ultimate APT*s: Compromise platform and devices below the OS, using rootkits as cloaks
Compromise virtual machine
*APT: Advanced Persistent Threat
A New Approach Is Required: “Hardware-enhanced Security”
Move critical security processes down into the hardware
• Encryption, Authentication, Manageability, and Platform Cleansing
• Hardware is inherently less vulnerable to modification or corruption
Hardware Root of Trust performs security-critical functions, e.g.,
• Measure and/or verify software (BIOS, Drivers, Hypervisor, etc.)
• Protect cryptographic keys
• Perform device authentication
Added Protection against:
• Viruses and worms
• Malware
• Disabled software
• Rootkits
Pain Point: Enforcement
New Controls Needed to Enforce Protection of Infrastructure
• Pre-runtime environment target of new attacks
• Protections abstracted away by virtualization and cloud
• Low-level attacks are hard to detect and can be difficult to recover from
Mebromi: The First BIOS Rootkit in the Wild¹
NIST Guidelines Seek to Minimize Risk of BIOS attacks²
US Dept of Homeland Security Cyber Security Research & Development Broad Agency Announcement (BAA): BAA 11-02³
*Other names and brands may be claimed as the property of others
Source 1: http://www.outlookseries.com/A0995/Security/3817_Homeland_Security_Hearing_Cloud_Computing_Implications.htm
Source 2: http://www.itbusinessedge.com/cm/blogs/lawson/multi-tenant-solutions-the-pros-the-questions-and-integration-concerns/?cs=45181&page=2
Source 3: https://cloudsecurityalliance.org/csaguide.pdf
Server Security Technologies
Intel® TXT and Hardware Root of Trust
• Intel® Trusted Execution Technology (Intel TXT) enforces control of the platform, measures launch components
• A hardware based security foundation (Root of Trust) to build and maintain a chain of trust, to protect the platform from software based attacks
Trusted and verifiable systems
− Implement policies/controls on top of a foundation of trust beginning in HW and up the stack
− VMware, SUSE, Red Hat and others have products that support HW roots of trust and attestation
Intel® Trusted Execution Technology (Intel® TXT) Hardens and Helps Control the Platform
• Enables isolation and tamper detection in boot process
• Complements runtime protections
• Hardware based trust provides verification useful in compliance
• Trust status usable by security and policy applications to control workloads
Compliance: Hardware support for compliance reporting enhances auditability of cloud environment
Trusted Launch: Verified platform integrity reduces malware threat
Trusted Pools: Control VMs based on platform trust to better protect data
Trusted Compute Cloud Solution with TXT: Sample Solutions Architecture
[Architecture diagram; component labels in slide order: BIOS, TPM, Intel Servers with TXT, APIs, Virtual Management Console, VMM, Portal and Cloud Management, ConfigMgr + SIEM, Policy Engines, GRC, Trust Agent, Verifier/Attestation, REST, Attestation Server, Privacy CA, Attestation Handler/Cache, MLE + Whitelist Management, Provisioning + Automation, Credential Mgt]
HyTrust enables platform attestation, enforces policies, and provides the visibility for security, trust and compliance
Example of Deployments w/ Cisco UCS & TXT-enabled Solutions
Virtual Appliance
McAfee’s management console: Unified management of system security, policy enforcement, event report
Customer policy, Audit reports
[Diagram: Cisco UCS 5108 chassis]
VMware vCenter vSphere 5.1
Cisco UCS 5108 M3 System with Intel TXT and UCS 6120XP Switch
McAfee ePolicy Orchestrator
Enforce Policies: Security management tools can assure workloads are managed and placed within policy, enable reporting and audit of controls
Establish Boundaries: Hardware based mechanism to verify platform integrity (trust) status and store/report other asset descriptors such as location
Identify Workloads: Evaluate workloads and data they contain. Use tool to label workloads’ security needs, create policy requirements
Policy: sensitive FISMA VM requires trusted host, requires US host
NIST IR 7904 – Solution Reference Architecture for Trusted Compute Pools
http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf
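The trusted-pool policy on this slide (sensitive FISMA VM requires trusted host, requires US host), sketched as an added example that is not from the presentation or any vendor product. It replays launch measurements into a TPM 1.2 style SHA-1 PCR, compares the result to a whitelist, and filters hosts by trust status and location. Component names, host records and function names are constructed, and the signed TPM quote a real attestation server verifies is reduced here to replaying the measurements.

```python
import hashlib

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_launch(components) -> str:
    """Replay a launch sequence into one PCR that starts at 20 zero bytes."""
    pcr = bytes(20)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr.hex()

# Constructed launch components and host records (placeholders, not real images).
GOOD_LAUNCH = [b"bios-v1", b"hypervisor-v5.1"]
WHITELIST = {measure_launch(GOOD_LAUNCH)}  # known-good PCR values

HOSTS = [
    {"name": "host-a", "launch": GOOD_LAUNCH, "geotag": "US"},
    {"name": "host-b", "launch": [b"bios-v1", b"hypervisor-v5.1-modified"], "geotag": "US"},
    {"name": "host-c", "launch": GOOD_LAUNCH, "geotag": "DE"},
    {"name": "host-d", "launch": list(reversed(GOOD_LAUNCH)), "geotag": "US"},
]

def attest(host) -> dict:
    """Stand-in for the attestation server: report trust status and location."""
    return {"name": host["name"],
            "trusted": measure_launch(host["launch"]) in WHITELIST,
            "geotag": host["geotag"]}

def eligible_hosts(vm_policy: dict, hosts) -> list:
    """Return names of hosts whose attested state satisfies the workload policy."""
    out = []
    for report in map(attest, hosts):
        if vm_policy.get("require_trusted") and not report["trusted"]:
            continue  # measurement not on the whitelist
        allowed = vm_policy.get("allowed_geotags")
        if allowed and report["geotag"] not in allowed:
            continue  # trusted, but outside the permitted location
        out.append(report["name"])
    return out

FISMA_VM = {"require_trusted": True, "allowed_geotags": {"US"}}
UNLABELLED_VM = {}  # no policy: any host may run it

if __name__ == "__main__":
    print(eligible_hosts(FISMA_VM, HOSTS))
    print(eligible_hosts(UNLABELLED_VM, HOSTS))
```

host-d carries the same components as the whitelisted launch but in a different order, and it is still rejected because the extend operation chains each measurement onto the previous PCR value.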
What have we learned?
1. Security threats and requirements continue to grow
2. Security concerns limit ability to adopt cloud
3. Security can be integrated to make it more pervasive, effective and efficient
4. Leaders are building out trust-enabled solutions to deal with new threats and provide new controls for visibility and compliance in the cloud
What can we do?
1. Take a cue from the examples we discussed: Find leverage and solutions
2. Assess your risks and capabilities: Determine what new controls are needed. Are you using all the tools you have (such as UCS)? Can they do more?
3. Get Help: What do your suppliers do for you to enable your business?
4. Be Helpful: If you’re an integrator (or an IT manager), how are you helping your customers get ahead of the threats? The business needs?