Data center virtualization, and the expansion of the data center perimeter into various cloud deployment models, requires security as an enabler. As enterprise IT leaders consider the adoption of cloud models, they demand assurance of platform integrity, location controls, data confidentiality and sovereignty, visibility, and tracking of workloads.
Security solutions can be broadly categorized with proactive and reactive approaches:
- Proactive: Some solutions include the ability to assure a known good state of platform, applications, and containers with guarantees from hardware that customers can depend on, visibility, and telemetry information on compute, network, and storage workloads in cloud with the ability to enforce geo/boundary policies and country-specific mandates.
- Reactive: Solutions include detection of and recovery from malicious behavior and day-zero attacks and the ability of the server to recover and remain operational even under worst-case attacks on its stacks.
At Intel, we have prioritized products that address these concerns via solutions that enable a “proactive approach,” like our Intel® Cloud Integrity Technology (Intel CIT) software, data security, and key management, and a “reactive approach,” like Advanced Threat Detection.
“Chain-of-trust” encompasses the ability to trust and assure integrity from boot process -> bare-metal OS -> hypervisors -> virtual machines (VMs) -> applications. Intel CIT provides a software solution that uses Intel® Trusted Execution Technology Intel TXT and Trusted Platform Module (TPM) for hardware based root-of-trust while interfacing with OpenStack and others for orchestration, visibility, and policy management.
Intel CIT is designed to enhance the security features of Intel® Xeon® processors to give enterprises the confidence that their cloud-based workloads are running on trusted servers and virtual machines whose configurations have not been altered. While assuring platform integrity, encryption of VMs and containers, Intel CIT also has the ability to ensure network function virtualization (NFV) elements (like VSwitch and firewall functions) and storage volumes are trusted and geo-controlled.
Intel CIT also provides location tags for boundary controls and helps cloud consumers define the geographies where their workloads can be instantiated. From sovereignty to compliance needs, this function provides much needed hardware assisted location enforcement for VMs, containers, data, and applications.
OpenStack scheduler has the required plug-ins to invoke the Intel CIT solution to check for various proactive parameters, including location controls, before it launches compute workloads. This is being extended to storage and network workloads as well. Intel CIT verifies the integrity of both virtualized and non-virtualized servers and workloads—including containers from Docker, Mesos, and others. Verification is enabled by innovative technologies embedded in Intel Xeon processors, including Intel TXT and TPM.
We will explore this proactive approach, prevalence of trust requirements as VMs and containers move in inter-cloud and intra-cloud use cases in more depth next week in sessions and demos at the OpenStack Summit in Tokyo. This includes a customer case study with IBM-SoftLayer that explains how Intel and IBM worked together to make trusted compute an ingredient of a hosted private cloud offering that includes OpenStack-based orchestration. Representatives from Intel and IBM will walk through a customer deployment that created a root of trust based on Intel CIT running in an IBM SoftLayer-hosted public cloud. For session details, see: Real World DevOps Experience and Demo Delivering a Trusted and Secure OpenStack Cloud.
Another session will explore the use of Intel CIT to enable workload and application integrity in containerized applications running in the cloud. For a closer look at the themes to be explored in this “trusted container” session, read the blog: Can you trust your containerized applications in cloud?
In summary, use of Intel CIT enables organizations to move applications and workloads to the cloud with confidence that comes with a verified hardware root of trust, location and boundary controls, and the assurance of data confidentiality and sovereignty with keys controlled by the tenant.