practical applications of trusted computing in the cloud · practical applications of trusted...
TRANSCRIPT
![Page 1: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/1.jpg)
Practical Applications of Trusted
Computing in the Cloud
Jesus Molina
Fujitsu Laboratories of America
![Page 2: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/2.jpg)
Introduction
Trusted Computing and Cloud
Overview of Trusted Computing
CSA guidelines and TCG standards
Practical Application
Encrypted Drives
Trusted Network Connect
Metadata Access Policies
Trusted virtual Multitenancy
![Page 3: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/3.jpg)
Trusted Computing and Cloud
TRUST
So what is the root problem of
cloud security?
In cloud you cant verify directly the Trusted Computing Base
![Page 4: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/4.jpg)
TCG standards and cloud
VERIFY THEN TRUST JUST TRUSTOR
In the cloud you can
Standards
Certification
Technology Lawyers
![Page 5: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/5.jpg)
Introduction to TCG
![Page 6: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/6.jpg)
TCG: Standards for Trusted Systems
Mobile Phones
Authentication
Storage
Applications•Software Stack
•Operating Systems
•Web Services
•Authentication
•Data Protection
Infrastructure
Servers
Desktops &
Notebooks
Security
Hardware
Network
Security
Printers &
Hardcopy
Virtualized Platform
![Page 7: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/7.jpg)
Trusted Clients
Security Built In Trusted Platform Module
(TPM)
Mobile Trusted Module (MTM)
Features Authentication
Encryption
Attestation
![Page 8: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/8.jpg)
Trusted Servers
Security Built In Trusted Platform Module
(TPM)
Secure Virtualization
Secure Cloud
Features Authentication
Encryption
Attestation
![Page 9: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/9.jpg)
Trusted Storage
Security Built In Self Encrypting Drive
(SED)
Features Encryption
Authentication
![Page 10: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/10.jpg)
Trusted Networks
Security Built In & Coordinated
Trusted Network Connect (TNC)
Features
Authenticate
Health Check
Behavior Monitor
Enforce
![Page 11: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/11.jpg)
CSA Guidelines and TCG
CSA Domain
(Number) Type
Examples
(2) Governance/Risk Management Decrease risk exposure
(3) Legal and Electronic Discovery Data Recovery and Encryption
(4) Compliance and Audit Server Attestation
(5) Information Lifecycle
Management
Safe Data Retirement
(6) Portability and Interoperability Metadata Access Policy
(7) Traditional Security Network Access Control
(8) Incident Response Coordinated Security
(11) Encryption / Key Management SED, Hardware Key storage
(12) Identity/ Access Management Hardware Token Authentication
(13) Virtualization Trusted Multitenancy
![Page 12: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/12.jpg)
Practical Applications
![Page 13: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/13.jpg)
13
Queue inSecure Area
RemoveALL drives
Send even“dead" drives
through
TransportOffsite
Queue insecure area
How the Drive Retirement Process Works
1. http://www.usatoday.com/tech/news/computersecurity/2008-01-18-penney-data-breach_
People make mistakes
which lost a tape with 150,000 Social Security numbersstored at an Iron Mountain warehouse, October 20071
“Because of the volume of information wehandle and the fact people are involved,
we have occasionally made mistakes.” 99% of Shuttle Columbia's hard drive data
recovered from crash site
Data recovery specialists at Kroll Ontrack Inc. retrieved
99% of the information stored on the charred Seagate hard
drive's platters over a two day period.
- May 7, 2008 (Computerworld)
Retire Drive
• Replace
• Repair
• Repurpose
Shredding is
environmentally
hazardous
Not always as
secure as shredding,
but more fun
Hard to ensure
degauss strength
matched drive type
Overwriting takes days and there is no notification of completion from drive
Retirement Options
S
E
C
U
R
E
?
![Page 14: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/14.jpg)
14
Queue inSecure Area
RemoveALL drives
Send even“dead" drives
through
TransportOffsite
Queue insecure area
How the Drive Retirement Process Works
1. http://www.usatoday.com/tech/news/computersecurity/2008-01-18-penney-data-breach_
People make mistakes
which lost a tape with 150,000 Social Security numbersstored at an Iron Mountain warehouse, October 20071
“Because of the volume of information wehandle and the fact people are involved,
we have occasionally made mistakes.” 99% of Shuttle Columbia's hard drive data
recovered from crash site
Data recovery specialists at Kroll Ontrack Inc. retrieved
99% of the information stored on the charred Seagate hard
drive's platters over a two day period.
- May 7, 2008 (Computerworld)
Retire Drive
• Replace
• Repair
• Repurpose
Shredding is
environmentally
hazardous
Not always as
secure as shredding,
but more fun
Hard to ensure
degauss strength
matched drive type
Overwriting takes days and there is no notification of completion from drive
Retirement Options
S
E
C
U
R
E
?
Drive Retirement is:
Expensive
Time-consuming
Error-prone
![Page 15: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/15.jpg)
15
RemoveALL drives
Send even“dead" drives
through
Queue insecure area
TransportOffsite
Queue insecure area
Retire Drive
• Replace
• Repair
• Repurpose
S
E
C
U
R
E
Self-Encrypting Drives
Drive Retirement: Self-Encrypting
Drives
Reduces IT operating expense
• Eliminates the need to overwrite or destroy drive
• Secures warranty and expired lease returns
• Enables drives to be repurposed securely
Provides safe harbor for most data privacy laws
Power Off = Locked and Encrypted = Secure
![Page 16: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/16.jpg)
User-Specific PoliciesAccess Requestor
Joe – Finance
Windows XP
OS Hotfix 9345
OS Hotfix 8834
AV - Symantec AV 10.1
Firewall
Policy
Enforcement
Point
Policy Decision
Point
NAC Policy
•Users and Roles
•Per-Role Rules
Metadata
Access
Point
Sensors
and Flow
Controllers
Mary – R&D
Guest User
![Page 17: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/17.jpg)
TPM-Based Integrity Check
Compliant SystemTPM verified
BIOS
OS
Drivers
Anti-Virus SW
Production
Network
Access Requestor Policy Decision
PointPolicy Enforcement
Point
NAC PolicyTPM enabled
•BIOS
•OS
•Drivers
•Anti-Virus SW
TPM – Trusted Platform Module
• HW module built into most of
today’s PCs
• Enables a HW Root of Trust
• Measures critical components
during trusted boot
• PTS interface allows PDP to
verify configuration and
remediate as necessary
![Page 18: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/18.jpg)
Routing IDS Switching Wireless Firewalls
IPAM
RADIUS
AD
IF-MAP
Protocol
SIM /SEM
Asset
Management
System
NAC
Decision
Point
DHCP
MAP
IF-MAP
Routing IDS Switching Wireless Firewalls
IPAM
RADIUS
AD
SNMP,
Syslog
SIM /SEM
Asset
Management
System
NAC
Decision
Point
DHCP
Custom
Integration
![Page 19: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/19.jpg)
Securing Multitenant Platforms Using TCG
Some goals
Protection of processing and information in motion and at rest
Ability to share physical platforms among tenant domain components (shared services)
Visibility and auditability of actions across the enterprise
Management of physical resources independently of domain resources
Loosely coupled architecture managed using application of appropriate policy and trust
Ability to control the flow of information between tenant domains within policy constraints
Ability to address various security models to protect integrity and confidentiality of services and data exchanges within enterprise
Virtualization work group
(virtual certificates, virtual TPM, migration)
Trusted Network Connect
(Policy definitions and
enforcement)
Storage workgroup (multilevel storage)
TPM working Group (Server Attestation)
Relevant Working Groups
![Page 20: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/20.jpg)
Support Slides
![Page 21: Practical Applications of Trusted Computing in the Cloud · Practical Applications of Trusted Computing in the Cloud Jesus Molina Fujitsu Laboratories of America. Introduction](https://reader034.vdocuments.site/reader034/viewer/2022042220/5ec6b2533377fe37217e8690/html5/thumbnails/21.jpg)
Virtual Machine Monitor
VM VM VM
TPM
VTPM
Multilevel
Storage
NAC,
IF-MAP