Sometimes Trust is Not Enough: Intel TXT Advances to the Next Stage at IDF

Since the launch of Intel® Trusted Execution technology (Intel® TXT) on server platforms in 2010, there has been a growing awareness of the powerful role that trusted computing can play in enhancing enterprise and cloud security. This has been gratifying to see, as it affirms that trust does deliver value in increasing an organization’s ability to have greater visibility, control and compliance. But the enabling and marketing process has also affirmed that this is only a single step towards providing what businesses need in terms of controls.

Fortunately, we’ve recognized this for some time now, and have been working on and evangelizing a roadmap of enhancements that take the foundation of Intel TXT-enabled trust and extends this technology to provide new controls to meet the growing set of security requirements. And we’ve been making investments in enabling these solutions to market. Specifically, we’ve focused much of the enabling technology in the area of attestation. Attestation is the mechanism that challenges a server using TCG-compliant standards, receives a verifiable response and processes the information against a whitelist to determine if a system is trustworthy or not. In short, an attestation service is how one knows if a server is trusted or not and provide the APIs to utilize this information in other security, compliance or orchestration processes.


31205437_l.jpg

A small number of companies have developed their own attestation capabilities. Intel has developed several technologies to accelerate the market with attestation capabilities. The project code named Mt Wilson is binary software licensed to selected ISV and Cloud Service Provider vendors. The Open Attestation (OAT) Project is a similar set of capabilities that is maintained by Intel and open to use and contribution by the outside world.

Each has seen growing adoption by a broad set of customers and a rapid advancement of attestation capabilities. For example, Huawei recently demonstrated enhancements to an OAT environment to deliver attestation for the “TPM 2.0” standard and discussed these solutions at the Intel Developer Forum (IDF) in San Francisco. And Intel has extended the Mt Wilson technology with “geo-tagging” or “asset-tagging” capabilities — allowing more granularity in control of data. It can now help provision and attest to platform trust as well as user-defined attributes such as location, workload type, customer or department data — the types of “traditional” boundaries that are logical for many compliance uses.

HyTrust is a company that has long aligned to the ability to use trust as a control point — knowing that customers don’t treat all workloads in a virtual environment the same, they provide a policy engine that can attest to platform trust and use that to control workload placement. With their announcement at VMworld in August, HyTrust is also the first to market with new “Boundary Controls” that allow policies to restrict workloads to trusted hosts and hosts in specific regions. This helps enable solutions to myriad security and compliance challenges.

HyTrust demonstrated this new release at IDF in the Data Center and SDI community of the exhibition. Also at IDF, Piston Cloud Computing and IBM/SoftLayer disclosed offerings for enhanced cloud security capabilities based on trusted platforms and related extensions. It is wonderful to see more solutions come to market that embrace and extend Intel’s foundational technologies. So I invite you to explore the innovation that Intel and others are driving around platform trust and security to make cloud and enterprise security faster, stronger and more useful.

James Greene is a senior technology lead for Security Technologies in the Data Center Group at Intel.