NIST Issues Draft Guide on Secure IaaS

Trusted Geolocation in the Cloud: Proof of Concept Implementation
NIST Issues Draft Guide on Secure IaaS

A draft of new guidance intended to be a blueprint to validate and implement a secure infrastructure as a service cloud computing offering has been issued by the National Institute of Standards and Technology.

See Also: Federal Agencies Tech Brief: Security Investigation, Detection and Rapid Response

Draft Interagency Report 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation, explains selected security challenges involving infrastructure as a service cloud computing technologies and geolocation.

The publication describes a proof of concept implementation that was designed to address those challenges. IR 7904 provides sufficient details about the proof of concept implementation so that organizations can reproduce it if desired.

From IR 7904, here's how NIST explains the problems the draft guidance addresses:

    Shared cloud computing technologies are designed to be very agile and flexible, transparently using whatever resources are available to process workloads for their customers. But there are security and privacy concerns with allowing unrestricted workload migration.

    Whenever multiple workloads are present on a single cloud server, there is a need to segregate those workloads from each other so that they do not interfere with each other, gain access to each other's sensitive data, or otherwise compromise the security or privacy of the workloads. Imagine two rival companies with workloads on the same server; each company would want to ensure that the server can be trusted to protect their information from the other company.

    Another concern with shared cloud computing is that workloads could move from cloud servers located in one country to servers located in another country. Each country has its own laws for data security, privacy and other aspects of information technology. Because the requirements of these laws may conflict with an organization's policies or mandates - for instance, laws, regulations - an organization may decide that it needs to restrict which cloud servers it uses based on their location.

    A common desire is to only use cloud servers physically located within the same country as the organization. Determining the approximate physical location of an object, such as a cloud computing server, is known as geolocation. Geolocation can be accomplished in many ways, with varying degrees of accuracy, but traditional geolocation methods are not secured and they are enforced through management and operational controls that cannot be automated and scaled, and therefore traditional geolocation methods cannot be trusted to meet cloud security needs.

    The motivation behind this use case is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers. A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform. The hardware root of trust is seeded by the organization, with the host's unique identifier and platform metadata stored in tamperproof hardware. This information is accessed using secure protocols to assert the integrity of the platform and confirm the location of the host.

NIST requests comments on Draft IR 7904 by Jan. 31. Comments should be sent to ir7904-comments@nist.gov, with "IR 7904 comments" in the subject line.


About the Author

Information Security Media Group

Information Security Media Group (ISMG) is the world's largest media company devoted to information security and risk management. Each of its 37 media sites provides relevant education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Its yearly global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.