An Evolution of Security in the Cloud – The RSA Security Conference

A couple of weeks ago, I presented at the RSA conference on the work we have been driving around new security capabilities. Not surprising I’m sure, but one of the hottest topics circling the conference was security in the cloud. Walking off the plane I was greeted by massive signs espousing the latest cloud security innovations from industry leaders like Symantec and EMC. OK, maybe I was just a little excited by the hype, but I couldn’t help but feel like I had arrived at some kind of techy paradise.

Even before the first official keynote of the show, the Cloud Security Alliance kicked off with a robust discussion on the issues and threats facing the cloud. Even Marc Benioff and his posse showed up to join the debate. There seems to be little debate that Cloud computing is reshaping the operational practices and user expectations of the way IT services are delivered. At the same time, there is clearly an aura of concern and a desire to understand the implications of the Cloud on data security and privacy.

One of the most valuable (and expected) elements of cloud is its capacity for self-service—users can create an email account or a fully functional virtual machine in seconds. Many of the enterprise IT organizations I’ve talked to are looking to adopt cloud-based models because of the self-service capabilities they bring. The control and flexibility of self-service is so compelling that several CIOs have mentioned the emergence of “rogue IT” factions in their organizations that are turning to external clouds to deploy the services they demand. On the upside, the agility virtualization enables and the emergence of innovative cloud operating environments like vCloud and OpenStack are putting self-service within reach.

Whether businesses rein in rogue IT or embrace it as an accepted process, one fact remains: where there is data, there is opportunity for theft, misuse, and compliance violation. The focus on cloud at RSA this year made it clear that the industry, governments, and businesses are looking at ways to ensure they protect their infrastructures from potential threats. Mitigating threats and improving data security is a multidimensional challenge—it is about layers.

At Intel, we have been working on improving assurance of the infrastructure at some of the lowest layers—the foundation of the data center infrastructure. We are working to improve assurance of server platforms through a trustworthy boot process we call Trusted Execution Technology (TXT). When data center servers boot, the system can go through a routine of measuring the low-level firmware and verifying the hypervisor prior to launch. A hash of this measurement is stored in a tamper-resistant place on the platform called the Trusted Platform Module (TPM). This measurement becomes the basis for establishing the trustworthiness of the platform foundation. A deviation from the expected measurement can raise an exception and enforce the appropriate launch control policy, keeping a potentially compromised platform out of the infrastructure resource pool.

Launch measurement and control is just the beginning. Working with ecosystem partners like RSA and HyTrust, we are exploring a series of new usage models that use the measurement of infrastructure assurance as a basis for isolation and migration of virtualized workloads—a concept we call Trusted Compute Pools. In these models, the assurance measurement becomes a core element of virtualization migration policies. Security management consoles (e.g., GRC tools) can incorporate these measurements into the way cloud-based workloads are managed and deployed.
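To make the two ideas above concrete, here is an added model (my illustration, not Intel's, RSA's or HyTrust's code) of a measured launch feeding a launch control policy and a trusted-pool placement decision. The hash algorithm, the zeroed 32-byte reset value, and the firmware and hypervisor images are assumptions; a real platform measures actual binaries into TPM registers.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Set
# Added example, not Intel's or a partner's code. It models the measured-launch
# idea in the post: each boot component is hashed into a TPM-style Platform
# Configuration Register (PCR) and the final value is compared with a known-good
# ("golden") value before a host may launch or join a trusted pool.
# SHA-256, the 32-byte zeroed reset value and all images are assumptions.
PCR_RESET = bytes(32)

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(component)).
    The chain is order-dependent and cannot be set to a chosen value."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_launch(components: List[bytes]) -> bytes:
    """Walk the launch chain from a reset PCR: firmware first, then hypervisor."""
    pcr = PCR_RESET
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

# Constructed stand-ins for the real firmware and hypervisor images.
GOOD_FIRMWARE = b"bios-image-v1.2"
GOOD_HYPERVISOR = b"hypervisor-build-4711"
GOLDEN_PCR = measured_launch([GOOD_FIRMWARE, GOOD_HYPERVISOR])

def launch_control_policy(observed: bytes, golden: bytes = GOLDEN_PCR) -> str:
    """Launch control: 'launch' only on an exact match (constant-time compare)."""
    return "launch" if hmac.compare_digest(observed, golden) else "halt"

def trusted_compute_pool(host_pcrs: Dict[str, bytes], golden: bytes = GOLDEN_PCR) -> Set[str]:
    """Hosts whose reported measurement matches the golden value form the pool."""
    return {h for h, pcr in host_pcrs.items() if hmac.compare_digest(pcr, golden)}

def place_sensitive_workload(host_pcrs: Dict[str, bytes]) -> Optional[str]:
    """Placement/migration policy: use a pool member, refuse if the pool is empty."""
    pool = trusted_compute_pool(host_pcrs)
    return min(pool) if pool else None  # deterministic pick for the example

if __name__ == "__main__":
    hosts = {
        "host-a": measured_launch([GOOD_FIRMWARE, GOOD_HYPERVISOR]),                # clean boot
        "host-b": measured_launch([GOOD_FIRMWARE, b"hypervisor-build-4711-mod"]),  # altered hypervisor
        "host-c": measured_launch([GOOD_HYPERVISOR, GOOD_FIRMWARE]),                # same parts, wrong order
    }
    for name, pcr in hosts.items():
        print(name, pcr.hex()[:16], launch_control_policy(pcr))
    print("trusted pool:", sorted(trusted_compute_pool(hosts)))
    print("placement:", place_sensitive_workload(hosts))
```

Note that host-c fails even though it ran only known-good components: the extend chain encodes the order of the measurements, so a golden value pins down the whole launch sequence, not just the set of images.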

This is just one step on what we can expect will be a long journey in the evolution of cloud computing, but establishing the basis of trust in the infrastructure is poised to become a critical foundation. In subsequent posts I will share more details on some new usage models like Geotagging and the evolution of the solutions we are working on with our partners. I will also be digging into a number of other data center business and technology topics.