Enabling trust and security in cloud with intel trusted executed technology


Published on

Enabling trust and security in cloud with intel trusted executed technology. Cisco Booth Presentation from VMworld 2013.

Published in: Technology, Business

Comments are closed

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Enabling trust and security in cloud with intel trusted executed technology

  1. 1. James J Greene III Sr Marketing Engineer, Security Technologies August 2013 Enabling Trust and Security in Cloud with Intel Trusted Executed Technology (Intel TXT) Martin Guttmann Principal Architect, WW Data Center Group
  2. 2. Legal Disclaimer Intel may make changes to specifications and product descriptions at any time, without notice. Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information on performance tests and on the performance of Intel products, visit http://www.intel.com/performance Intel does not control or audit the design or implementation of third party benchmarks or Web sites referenced in this document. Intel encourages all of its customers to visit the referenced Web sites or others where similar performance benchmarks are reported and confirm whether the referenced benchmarks are accurate and reflect performance of systems available for purchase. Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request. Intel® Virtualization Technology (Intel® VT) requires a computer system with a processor, chipset, BIOS, virtual machine monitor (VMM) and applications enabled for virtualization technology. Functionality, performance or other virtualization technology benefits will vary depending on hardware and software configurations. Virtualization technology-enabled BIOS and VMM applications are currently in development. Intel, Intel Xeon, Intel Core microarchitecture, and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see here The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries. Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard- instructions-aes-ni/ © 2011 Standard Performance Evaluation Corporation (SPEC) logo is reprinted with permission
  3. 3. Agenda • Security trends and concerns • Intel provides foundation for best secure processing • Meeting the security challenge: • Use Models and Solutions to mitigate pain points • Examples • Summary
  4. 4. Security Concerns Limit Adoption of Cloud Better Security is Essential for Cloud Growth 1 McCann 2012 State of Cloud Security Global Survey, Feb 2012 Say lack of visibility inhibiting private cloud adoption1 Lack of control over public cloud1 Avoid putting workloads with compliance mandates in cloud1 57% 61% 55% IT Pro survey of key concerns: Gain visibility Maintain control Prove compliance
  5. 5. Platform Attacks Moving “Down the Stack” to Gain Greater Stealth and System Control Traditional attacks: Focused primarily on the application layer OS infected with APTs: Threats are hidden from security products Attacks disable security products New stealth attacks: Embed themselves below the OS and Virtual Machine, so they can evade current solutions Ultimate APT*s: Compromise platform and devices below the OS, using rootkits as cloaks Compromise virtual machine APT: Advanced Persistent Threat
  6. 6. A New Approach Is Required: “Hardware-enhanced Security” Move critical security processes down into the hardware • Encryption, Authentication, Manageability, and Platform Cleansing • Hardware is inherently less vulnerable to modification or corruption Hardware Root of Trust performs security-critical functions, e.g., • Measure and/or verify software (BIOS, Drivers, Hypervisor, etc. • Protect cryptographic keys • Perform device authentication Added Protection against: • Viruses and worms • Malware • Disabled software • Rootkits
  7. 7. US Dept of Homeland Security Cyber Security Research & Development Broad Agency Announcement (BAA): BAA 11- 023 NIST Guidelines Seek to Minimize Risk of BIOS attacks2 • Pre-runtime environment target of new attacks • Protections abstracted away by virtualization and cloud • Low-level attacks are hard to detect and can be difficult to recover from Mebromi: The First BIOS Rootkit in the Wild1 *Other names and brands may be claimed as the property of others Pain Point: Enforcement New Controls Needed to Enforce Protection of Infrastructure Source 1: http://www.outlookseries.com/A0995/Security/3817_Homeland_Security_Hearing_Cloud_Computing_Implications.htm Source 2: http://www.itbusinessedge.com/cm/blogs/lawson/multi-tenant-solutions-the-pros-the-questions-and-integration-concerns/?cs=45181&page=2 Source 3: https://cloudsecurityalliance.org/csaguide.pdf
  8. 8. Server Security Technologies Intel® TXT and Hardware Root of Trust • Intel® Trusted Execution Technology (Intel TXT) enforces control of the platform, measures launch components • A hardware based security foundation (Root of Trust) to build and maintain a chain of trust, to protect the platform from software based attacks Trusted and verifiable systems − Implement policies/controls on top of a foundation of trust beginning in HW and up the stack − VMware, SUSE, Redhat and others have products that support HW roots of trust and attestation *Other names and brands may be claimed as the property of others.
  9. 9. Server Security Technologies Intel® Trusted Execution Technology (Intel® TXT) Hardens and Helps Control the Platform •Enables isolation and tamper detection in boot process •Complements runtime protections •Hardware based trust provides verification useful in compliance •Trust status usable by security and policy applications to control workloads Internet Compliance Hardware support for compliance reporting enhances auditability of cloud environment Trusted Launch Verified platform integrity reduces malware threat Trusted Pools Control VMs based on platform trust to better protect data
  10. 10. Server Security Technologies Trusted Compute Cloud Solution with TXT Sample Solutions Architecture BIOS TPMIntel Servers with TXT API’s Virtual Management Console VMM Portal and Cloud Management ConfigMgr + SIEM Policy Engines GRC Trust Agent Verifier/ Attestation *Other names and brands may be claimed as the property of others.
  11. 11. R E S T Attestation Server Privacy CA Attestation Handler/Cac he MLE + Whitelist Management Provisioning + Automation Credential Mgt HyTrust enables platform attestation, enforce policies, provides the visibility for security, trust and compliance Server Security Technologies Example of Deployments w/CISCO UCS & TXT enabled Solutions Virtual Appliance McAfee’s management console; Unified management of system security, policy enforcement, event report Customer policy, Audit reports PS1PS2 FAN STAT FAN1FAN2 FAN STAT STAT OK FAIL N10-PAC1-550W OK FAIL N10-PAC1-550W PS1PS2 FAN STAT FAN1FAN2 FAN STAT STAT OK FAIL N10-PAC1-550W OK FAIL N10-PAC1-550W SLOT 1 SLOT 5 SLOT 3 SLOT 7 SLOT 2 SLOT 6 SLOT 4 SLOT 8 ! UCS 5108 OK FAIL OK FAIL OK FAIL OK FAIL VMware vCentervSphere 5.1 Cisco UCS 5108 M3 System with Intel TXT and UCS 6120XP Switch McAfee ePolicy Orchestrator *Other names and brands may be claimed as the property of others.
  12. 12. IT manager Enforce Policies Security management tools can assure workloads are managed and placed within policy, enable reporting and audit of controls VM Establish Boundaries Hardware based mechanism to verify platform integrity (trust) status and store/report other asset descriptor such as location IT manager Identify Workloads Evaluate workloads and data they contain. Use tool to label workloads’ security needs, create policy requirements VM IT manager Policy: sensitive FISMA VM requires trusted host, requires US host 1 2 3 NIST IR 7904 – Solution Reference Architecture for Trusted Compute Pools http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf *Other names and brands may be claimed as the property of others.
  13. 13. What have we learned? 13 *Other names and brands may be claimed as the property of others. 1. Security threats and requirements continue to grow 2. Security concerns limit ability to adopt cloud 3. Security can be integrated to make it more pervasive, effective and efficient 4. Leaders are building out trust-enabled solutions to deal with new threats and provide new controls for visibility and compliance in the cloud
  14. 14. What can we do? 14 *Other names and brands may be claimed as the property of others. 1. Take a cue from the examples we discussed: Find leverage and solutions 2. Assess your risks and capabilities: Determine what new controls are needed, are you using all the tools you have (such as UCS?), can they do more? 3. Get Help: What do your suppliers do for you to enable your business? 4. Be Helpful: If you’re an integrator (or an IT manager), how are you helping your customers get ahead of the threats? The business needs?