Private cloud and compliance

Many IT shops are considering building a private cloud. There are the usual variety of reasons from agility to cost savings. But there is one thing in common: the users of that private cloud are from many different business units in the company. The result is a multi-tenant private cloud.

Why is this distinction important? A single tenant cloud can make optimizations to streamline the implementation to suit that tenant. For example, the security model can be just enough to meet the needs of that one tenant. If however, that cloud hosts multiple tenants, then the needs of each tenant must be considered. For example, if one business group is processing payment card transactions, then the segment of the cloud hosting those workloads need to be held in compliance with PCI requirements while the rest of the cloud can meet a less stringent standard.

The implication is that workloads that require PCI compliance, for example, need to be placed on PCI compliant infrastructure while excluding non-PCI workloads from that infrastructure. But, how can the cloud workload scheduler know which systems are ‘trusted’ as compared to ones that are not ‘trusted’. Note that ‘trust’ here simply means that the configuration of the server (or storage or switch) is known to be a configuration that is trusted for that purpose. Being ‘not trusted’ does not always mean the server has been compromised, since it can also mean that the configuration is not on an approved ‘white list’.

Intel provides a set of technology, known as TXT, which allows for the boot time configuration of a server to be measured and later verified to be in a known trusted configuration. This process, known as attestation, provides a hardware based root of trust for supporting trusted compute pools. A server that boots with a trusted configuration will provide an attestation, starting from the hardware, which can then be used by cloud management software (VMware, OpenStack, more) to ensure that workloads are placed on the correct server and only those workloads are placed there.

OpenStack provides an implementation of this through the Open Attestation project and directly supports most widely used hypervisors.

Because Intel has implemented this technology into open source, specifically into OpenStack, it is widely available for the ecosystem to utilize. One example of industry use is in the IBM SmartCloud Orchestrator (SCO) solution. Since SCO utilizes OpenStack with extensions for dynamic scheduling with Platform Resource Scheduler, the trust status of a server can be readily used for placing workloads while taking into account the trust requirements.