Jiří Vrbický – Cloud4com, a.s.
Intel Trusted Execution Technology:
A Path to Higher Data Security in the Cloud
Cloud4com, a.s.
October 2014
Secure compute platform stack
Secure Cloud platform usage model
www.intelcloudbuilders.com
Trusted hardware
With trusted hardware as your foundation, you deploy your workloads on known-good pools of servers that have been tested, validated, and proven secure. It's a crucial first step toward securing your cloud.
Virtualization Infrastructure
Hypervisors allow you to build and manage a virtualized IT infrastructure. These important cloud-based tools abstract processor, memory, storage, and networking resources across multiple virtual machines running multiple operating systems and applications.
Policy management
Security policies protect data and applications in the cloud, ensuring that your data and workloads touch only known-good systems.
Security reporting
Trusted compute pools allow you to attest to the safety of your computing infrastructure. You can prove that your physical and virtual infrastructure components are trustworthy. This is a critical capability, because if you can't attest to the safety of your computing infrastructure, you can't validate the security of the data, software, and services running on top of that infrastructure.
Intel TXT & Trusted Pools
Intel Trusted Execution Technology (TXT)
• Ability to attest platform and OS authenticity.
• Hardware-based Root of Trust for measurement, storage & reporting:
  • Intel Xeon® Processor (from series 5600), IOH/PCH,
  • Trusted Platform Module (TPM v1.2),
  • Measurements of platform and system software components (UEFI, OS boot loader & modules).
• Trusted Pools:
  • Run workloads and data on trusted servers only.
• Trusted Launch:
  • Trusted Boot in the OS (Linux, Windows, VMware Hypervisor).
• Attestation & Compliance with Security Requirements.
www.intel.com/txt
Intel TXT: Components
Intel TXT: Measurement Process
Timeline shown on the slide (diagram recovered as text):
Pre-Boot (BIOS): Write/Extend to TPM PCR 0-7
Pre-Launch / Launch (TBOOT): Write/Extend to TPM PCR 17, 18
Post-Launch (OS/VMM Operation): Write/Extend to TPM PCR 19-22
Trusted Mode of Operation -> OS Shut Down -> Reset / Power Off
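As an added illustration, not taken from the slides, the following Python simulates the extend operation behind this timeline: each boot stage measures the next component and extends the matching PCR with it, so the final PCR values commit to every component and to the order in which they were loaded. A TPM 1.2 PCR is a 20-byte SHA-1 register that starts at zero; the component byte strings, the concrete PCR assignments inside the slide's ranges, and the function names are constructed for the example.

```python
import hashlib

# TPM 1.2 PCRs: 20-byte SHA-1 registers, all zeros after platform reset.
PCR_SIZE = 20
ZERO_PCR = b"\x00" * PCR_SIZE


def measure(component: bytes) -> bytes:
    """Measurement of a component = SHA-1 over its bytes (TPM 1.2 uses SHA-1)."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement).

    A PCR can only be extended, never written directly, so its final value
    depends on every measurement recorded into it and on their order.
    """
    return hashlib.sha1(pcr + measurement).digest()


# Constructed boot sequence in the order the slide shows:
# BIOS stage -> PCR 0-7, TBOOT/SINIT launch -> PCR 17-18, OS/VMM -> PCR 19-22.
# The byte strings stand in for firmware and software images; they are placeholders.
BOOT_SEQUENCE = [
    (0, b"CRTM: platform firmware core"),
    (1, b"BIOS configuration tables"),
    (17, b"SINIT ACM (Intel-signed launch module)"),
    (18, b"MLE: tboot measured launch environment"),
    (19, b"tboot launch policy"),
    (19, b"tboot module list"),          # second extend into the same PCR
    (20, b"OS kernel / VMM image"),
]


def run_boot(sequence):
    """Simulate measured boot: each component is measured into its PCR before
    control passes to it. Returns {pcr_index: final_value}."""
    pcrs = {}
    for index, component in sequence:
        pcrs[index] = extend(pcrs.get(index, ZERO_PCR), measure(component))
    return pcrs


def pcr_report(pcrs):
    """Hex form of the PCRs, the shape an attestation service compares to a whitelist."""
    return {i: v.hex() for i, v in sorted(pcrs.items())}


def tampered_sequence(sequence, pcr_index, new_component):
    """The same boot with one component replaced (e.g. a modified kernel)."""
    return [(i, new_component if i == pcr_index else c) for i, c in sequence]


if __name__ == "__main__":
    good = run_boot(BOOT_SEQUENCE)
    bad = run_boot(tampered_sequence(BOOT_SEQUENCE, 20, b"OS kernel / VMM image (modified)"))
    for i, v in pcr_report(good).items():
        print(f"PCR{i:2d} = {v}")
    # Only the PCR that received the modified component changes; earlier stages keep their values.
    print("PCR20 changed after tampering:", good[20] != bad[20])
    print("PCR17 unchanged:", good[17] == bad[17])
```

The point a verifier relies on is visible in the last two lines: a changed component changes its PCR, and because each value is a hash chain, nothing short of replaying the identical sequence reproduces a known-good value.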
Trusted Storage for TXT Measurements?
Attestation Service
Intel Attestation Service: OpenAttestation
www.01.org/openattestation
• The OpenAttestation Project provides a software development kit (SDK) for the creation of cloud management tools. These tools are capable of establishing the hosts’ integrity information by remotely retrieving and verifying integrity with Trusted Platform Module (TPM) quotes.
• Support for Linux, KVM, OpenStack, oVirt.
Intel Trust Attestation Solution (Enterprise Edition)
• Support for VMware, KVM, XEN hypervisor.
HyTrust CloudControl
• Separating “Security” from “Management” (on the VMware platform).
• Verify Platform Integrity using Intel TXT.
• Authenticate and Verify Administrator Identity with two-factor authentication, including smart cards.
• Validate All Change Requests – Secondary Approval.
• Provide the System of Record – detailed logs and visibility into all operations on the platform, usable by auditors.
• Assessment of the security configuration – C.I.S. Benchmark, PCI DSS, VMware Best Practices.
• Geo tagging – Trusted Geolocation in a Cloud.
HyTrust CloudControl
Diagram (recovered as text): Zone 1, Virtualization Management Clients on the Corporate Network, connects through HyTrust CloudControl (authentication via Active Directory, RSA SecurID; audit-quality log storage and retention) to the VMware Management Subnet (ESXi and vCenter Server).
HyTrust CloudControl Protects VMware Infrastructure:
➡ Infrastructure Management is connected to a Virtual IP and routed through CloudControl for inspection
➡ All users are authenticated against Active Directory
➡ All Management Traffic is logged
➡ Disallowed Management Traffic is blocked
➡ Authorized Management Traffic is sent to the Infrastructure
➡ Guest Traffic is not affected by CloudControl
Policy controls shown in the diagram: Source IP Constraints, Network Constraints, Host Constraints (Enterprise Clients), Delegate to Security dep., vMotion*
HyTrust CloudControl & Intel TXT
• Hosts are automatically labeled based on their Intel TXT measurement compared to the Known Good Host (WhiteList value).
• Rules enforce that VMs are only allowed on Trusted Hosts.
• Eliminates the possibility of admins moving or powering on VMs on Untrusted hosts.
Diagram (recovered as text): Protected VM; Virtual Infrastructure with Trusted and Untrusted hosts; Virtual Administrator.
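To make the flow behind the OpenAttestation slide and this labeling rule concrete, here is an added Python example (not HyTrust's or OpenAttestation's code) of the remote attestation exchange: the attestation service issues a fresh nonce, the host returns a TPM-style quote over its PCR values bound to that nonce, and the service verifies the nonce, the quote signature, and the PCR values against its Known Good Host whitelist before labeling the host Trusted or Untrusted; a placement rule then keeps protected VMs on Trusted hosts. Assumptions: the whitelist values, host names and AIK keys are constructed placeholders, and the quote signature uses HMAC purely as a stand-in for the RSA signature a real TPM makes with its Attestation Identity Key, so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed whitelist: the "Known Good Host" PCR values an attestation service
# stores after measuring a reference host. PCR 17/18 cover the TXT launch (SINIT ACM
# and MLE), PCR 19 the launch policy. Placeholders, not values from real hardware.
KNOWN_GOOD = {
    17: sha1_hex(b"reference SINIT ACM"),
    18: sha1_hex(b"reference MLE / tboot"),
    19: sha1_hex(b"reference launch policy"),
}


@dataclass
class Host:
    name: str
    pcrs: dict        # PCR index -> hex value as reported by the host's TPM
    aik_key: bytes    # stand-in for the Attestation Identity Key (constructed)

    def quote(self, nonce: bytes, pcr_selection):
        """TPM_Quote stand-in: sign the selected PCR values together with the
        verifier's nonce. A real TPM signs with its RSA AIK; HMAC is used here
        only so the example runs without extra libraries."""
        selection = sorted(pcr_selection)
        composite = b"".join(bytes.fromhex(self.pcrs[i]) for i in selection)
        sig = hmac.new(self.aik_key, composite + nonce, hashlib.sha256).digest()
        return {"pcrs": {i: self.pcrs[i] for i in selection}, "nonce": nonce, "sig": sig}


class AttestationService:
    def __init__(self, known_good, aik_registry):
        self.known_good = known_good
        self.aik_registry = aik_registry  # host name -> AIK (public key in reality)
        self.outstanding = {}             # host name -> nonce issued and not yet used

    def challenge(self, host_name: str) -> bytes:
        nonce = os.urandom(20)
        self.outstanding[host_name] = nonce
        return nonce

    def verify(self, host_name: str, quote):
        """Label the host. Checks, in order: nonce is the one issued and unused
        (replay protection), signature verifies under the registered AIK, and
        every whitelisted PCR matches its Known Good value."""
        nonce = self.outstanding.pop(host_name, None)
        if nonce is None or quote["nonce"] != nonce:
            return "Untrusted", "stale or unknown nonce (possible replay)"
        key = self.aik_registry.get(host_name)
        composite = b"".join(bytes.fromhex(quote["pcrs"][i]) for i in sorted(quote["pcrs"]))
        expected = hmac.new(key or b"", composite + nonce, hashlib.sha256).digest()
        if key is None or not hmac.compare_digest(expected, quote["sig"]):
            return "Untrusted", "quote signature invalid"
        for index, good in self.known_good.items():
            if quote["pcrs"].get(index) != good:
                return "Untrusted", f"PCR{index} differs from Known Good value"
        return "Trusted", "all measured PCRs match the whitelist"


def attest(service: AttestationService, host: Host):
    """One complete challenge/quote/verify round trip."""
    nonce = service.challenge(host.name)
    return service.verify(host.name, host.quote(nonce, KNOWN_GOOD.keys()))


def may_place_vm(vm_protected: bool, host_label: str) -> bool:
    """Trusted-pool rule: a protected VM may be powered on or migrated only onto a
    host labeled Trusted; VMs without the protection label are not restricted here."""
    return host_label == "Trusted" or not vm_protected


if __name__ == "__main__":
    service = AttestationService(KNOWN_GOOD, {"esx01": b"aik-esx01", "esx02": b"aik-esx02"})
    good_host = Host("esx01", dict(KNOWN_GOOD), b"aik-esx01")
    modified_host = Host("esx02", {**KNOWN_GOOD, 18: sha1_hex(b"modified tboot")}, b"aik-esx02")
    for host in (good_host, modified_host):
        label, reason = attest(service, host)
        print(f"{host.name}: {label} ({reason}); protected VM allowed: {may_place_vm(True, label)}")
```

The nonce bookkeeping is what separates this from simply comparing hashes: without a verifier-chosen nonce consumed on use, a recorded quote from a once-good host could be presented again after the host had changed.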
HyTrust CloudControl & Intel TXT
Build Your own Virtual Private Data Center
Virtual Private Data Center from Cloud4com
• Enterprise IaaS Cloud with SLA.
• Flexibility – buy only what you need, for as long as your business needs it.
• Scalability – scale from small to large.
• Security – runs on the Intel TXT platform. Encrypt your data in the cloud and hold the encryption keys with our unique product portfolio.
• Multi-tenant – your vPDC is separated from the other customers.
• Self-Service Portal with integrated Billing and SLA reporting – using the Virtix application. You always know what it costs.
Service components (the slide's table, rebuilt as a list):
vServer: Virtual Server with Quality SLA on Trusted Intel TXT Platform; vServer Encryption Option.
vStorage: Virtual HDD and SSD with Quality SLA; Encryption on Storage Option.
vNetwork: Virtual Router, Firewall, Balancer, vLAN, connectivity; Network Encryption Option.
Software: Software under Service Provider Licensing Program.
Backup: vBackup and agent-based Backup with DB & application integration; Backup Encryption Option.
Encryption: Application, DB & File encryption with external Key Management.
Questions?
• Questions
• Comments
Contact
Jiří Vrbický
+420 734 649 894
www.cloud4com.com