Why IT decision makers & IT professionals should be concerned or aware of the requirements of trust and control in the cloud.

photodune-5914000-word-cloud-information-security-s.jpg

Security of IT resources is always a concern.  It has to be. Analyst firm Gartner Group estimates that people, businesses and governments worldwide spent over $3.6 trillion on IT in 2013.  Certainly a good portion of this spending is on personal devices—PCs, laptops, tablets and phones.  But much of this massive investment is dedicated to the enterprise, data center and network infrastructures that these organizations are increasingly relying on their IT assets to enable growth and agility.  Certainly this is an investment worth protecting—making sure these assets are available to serve and protect the business.

The second critical element driving focus on security is of course the data. Data represents the lifeblood of a growing number of industries.  No matter what business one is in, it is almost certain that will involve critical data: Intellectual property, customer data, financial data, employee data and more. As part of protecting the business and business relationships, it is essential to be able to protect this critical information.  In a growing number of cases, it is not really even an option to not protect various categories of such data, as governmental and industry group regulations specify either specifically or generally how sensitive personal, financial or medical information must be handled and protected—with potentially significant legal and financial penalties for failure.

Clearly, security is on the radar screen of most IT managers.  IT shops were estimated to have spent $67.2B on IT security in 2013.  While that seems like a huge number, it pales against the multi-trillion dollar IT spend numbers.  Most of the estimates I’ve seen in recent years cite that typical IT shops spend between 2 and 5 percent of the IT budget on security. Of course, this goes up a bit when there is a big new threat or high-profile breach, but it typically settles down from there.  So the numbers tell us it is a consistent concern that can easily jump to top concern in the right context.

One context where security often surfaces as a top concern is when the topic of cloud computing is raised. Despite recognizing the huge investments in security tools, processes and skilled staff of the top-tier datacenters of the leading cloud providers, many businesses still feel uncomfortable trusting cloud providers with their more sensitive workloads.  Much of this distrust comes down to the limited visibility into the cloud security controls and capabilities at any given point in time to be able to verify the safety of their workloads.

New capabilities that can help assure new controls and a higher security posture for selected workloads can also help by enabling visibility and reporting that are impossible or difficult to do today.  The concept of Trusted Compute Pools (TCP) is one such capability that is now being offered by leading-edge cloud providers in the US, Latin America and elsewhere. Trusted compute pools are physical or logical groupings of computing platforms in a data center that have demonstrated integrity of key components in the launch process. TCP utilizes Intel TXT, as the mechanism to verify platform trust at launch and which provides the remote attestation capability to report trust status to an external entity such as a could orchestration engine, a cloud portal, security management tools and the like.

The high level benefit that customers appreciate from TCP is that they gain:

  • Visibility and insight into their cloud – with the ability to discern platforms that have integrity versus those that do not;
  • Control – with the ability to map the security needs of their workloads with the capabilities of the cloud host resources.  In this specific case, the ability to create policies that constrain their sensitive workloads to trusted hosts; and
  • Compliance – with the ability to create reportable tracking of platform controls and workload placements that help when security audits are needed.

These capabilities are only a small part of the overall security needs of an enterprise.  But they help address some of the critical roadblocks that limit a business’ ability to gain the flexibility, cost and efficiency benefits of cloud platforms for more of their workloads. These capabilities are also being recognized by and can address controls being specified in security recommendations and use models defined by NIST, the Open Data Center Alliance and others.  As more companies adopt these models and as vendor support grows, these capabilities will become the foundation for even greater level of security across physical, virtual and cloud datacenter architectures.

James Greene is a senior technology lead for Security Technologies in the Data Center Group at Intel