How do you know if your data is in good hands? Here's how.
- By William Jackson
- Jan 09, 2013
When agencies move IT workloads to the cloud, they often gain flexibility and efficiency, but do the owners of the data know where their data is? They should.
The "cloud," of course, isn’t any kind of cloud, but servers at many large data centers scattered around the country or the world, as we are reminded whenever a cloud provider loses service. And agencies must ensure that these resources are being maintained in an appropriate and secure environment.
The National Institute of Standards and Technology has produced a scheme to provide this assurance through continuous monitoring of the location and condition of the cloud platforms being used. The blueprint for what is called trusted geolocation, laid out in draft NIST Interagency Report 7904, can help determine whether data is where it is supposed to be in rapidly changing environments and whether cloud providers are meeting contractual requirements for the security of the platform.
The goal of Trusted Geolocation in the Cloud: Proof of Concept Implementation is "to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers."
Cloud service providers to federal agencies must meet security requirements under the Federal Information Security Management Act, and the General Services Administration has established the Federal Risk and Authorization Management Program (FedRAMP) to certify that baseline requirements are met. But the challenge remains of making sure that workloads are being carried out on certified servers and that they have not migrated offshore.
"People are very concerned about this," said Murugiah Souppaya, co-author of the NIST report. Cloud environments now can be plagued by a lack of transparency for customers. "We believe having a technology stack that supports this from a continuous monitoring perspective would be helpful."
Contracts are vehicles for expressing technical requirements, said Matt Scholl, deputy chief of NIST’s Computer Security Division. The scheme for trusted geolocation provides a method for enforcing those requirements.
The proof-of-concept implementation of trusted geolocation technology detailed in the report is based on earlier work by industry and security professionals, which was presented at the RSA Security conference several years ago. The hardware and software used are commonly available, and several cloud providers already are quietly offering the capability, Souppaya said.
"We wanted to validate their claims and move it from behind the scenes," he said. The report provides a blueprint that can be used by the general security community to implement and validate the scheme.
It is based on a hardware root of trust, "an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform." This root includes a unique identifier and platform metadata for each host. The information is stored in tamperproof hardware and accessed by the customer using secure protocols. This allows the integrity and location of the host to be determined at any time and continuously monitored.
The Intel Trusted Execution Technology (Intel TXT) is used to securely house the information. Intel TXT is a set of enhanced hardware components, including the microprocessor, chipset and input/output subsystems, designed to protect sensitive information from software-based attacks.
Although the trusted geolocation scheme already is in limited use, "there still are some technical challenges to make this more operational," Souppaya said. The workflow is complex and needs to be automated to ensure that it scales and performs consistently.
Even with remaining challenges, Scholl and Souppaya said they hope to see trusted geolocation begin to emerge as a common cloud vendor offering within a matter of months.
Comments on the draft interagency report should be sent by Jan. 31 to email@example.com, with "IR 7904 Comments" the subject line.
William Jackson is freelance writer and the author of the CyberEye blog.