Page 1: Intel Trusted Execution Technology: A Path to Higher Data Security in the Cloud. Cloud4com, a.s., October 2014. Secure compute platform

Jiří Vrbický – Cloud4com, a.s.

Intel Trusted Execution Technology:

A Path to Higher Data Security in the Cloud

Cloud4com, a.s.

October 2014

Page 2

Secure compute platform stack

Secure Cloud platform usage model (source: www.intelcloudbuilders.com)

Trusted hardware
With trusted hardware as your foundation, you deploy your workloads on known-good pools of servers whose launch measurements have been tested and validated against expected values. It is a crucial first step toward securing your cloud.

Virtualization infrastructure
Hypervisors allow you to build and manage a virtualized IT infrastructure. They abstract processor, memory, storage and networking resources across multiple virtual machines running multiple operating systems and applications.

Policy management
Security policies protect data and applications in the cloud by ensuring that your data and workloads touch only known-good systems.

Security reporting
Trusted compute pools allow you to attest to the integrity of your computing infrastructure: you can show that your physical and virtual infrastructure components booted into a known-good state. This matters because if you cannot attest to the integrity of the infrastructure, you cannot validate the security of the data, software and services running on top of it.

Page 3


Intel TXT & Trusted Pools

Page 4


Intel Trusted Execution Technology (TXT)

• Ability to attest platform and OS authenticity.

• Hardware-based root of trust for measurement, storage and reporting:

  • Intel Xeon® processor (from the 5600 series) and IOH/PCH,

  • Trusted Platform Module (TPM v1.2),

  • measurements of platform and system software components (UEFI, OS boot loader and modules).

• Trusted Pools: run workloads and data on trusted servers only.

• Trusted Launch: trusted boot of the OS or hypervisor (Linux, Windows, VMware hypervisor).

• Attestation and compliance with security requirements.

www.intel.com/txt

Page 5


Intel TXT: Components

Page 6


Intel TXT: Measurement Process

The slide shows the boot timeline and which TPM PCRs each phase extends:

  Phase          Component            Extends into TPM PCRs
  Pre-Boot       BIOS                 PCR 0-7
  Pre-Launch     TBOOT                PCR 17, 18
  Launch         OS/VMM               PCR 19-22
  Post-Launch    Operation            trusted mode of operation (no further extends shown)
  OS Shutdown    Reset / Power Off
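The measurement process above is a chain of TPM extend operations, one per phase. The following simulation is an added example, not code from the deck or from Intel: it replays a constructed boot chain into a TPM 1.2 PCR bank (20-byte SHA-1 registers; extend is PCR = SHA1(PCR || measurement)), with BIOS components going to PCR 0-7, the TBOOT phase to PCR 17/18 and the OS/VMM to PCR 19-22 as the slide shows. The component images and the exact PCR indices within each range are stand-ins chosen for illustration. It then shows what a whitelist compare sees when one component changes, and that extend is order-dependent.

```python
"""PCR extend chain for the TXT boot phases on the slide (TPM 1.2, SHA-1).

Added example, not code from the deck. Component contents are constructed
stand-ins; real measurements are the SHA-1 of the actual firmware/code images.
"""
import hashlib

PCR_LEN = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def new_pcr_bank():
    """PCR state after power-on: static PCRs 0-16 are zero; the resettable
    DRTM PCRs 17-22 read as all 0xFF until the SENTER launch resets them."""
    bank = {i: b"\x00" * PCR_LEN for i in range(17)}
    bank.update({i: b"\xff" * PCR_LEN for i in range(17, 23)})
    return bank


def extend(bank, index, measurement):
    """TPM_Extend: PCR[i] = SHA1(PCR[i] || measurement). One-way and
    order-dependent, which is what makes a PCR a tamper-evident log digest."""
    if len(measurement) != PCR_LEN:
        raise ValueError("measurement must be a SHA-1 digest")
    bank[index] = hashlib.sha1(bank[index] + measurement).digest()
    return bank[index]


def measure(component_bytes):
    """The digest that the measuring agent (BIOS, SINIT ACM, tboot) extends."""
    return hashlib.sha1(component_bytes).digest()


# Constructed boot chain: (phase, target PCR, component image). PCR ranges
# follow the slide: BIOS -> 0-7, TBOOT -> 17/18, OS/VMM -> 19-22.
BOOT_CHAIN = [
    ("Pre-Boot/BIOS",    0,  b"BIOS core image 1.0"),
    ("Pre-Boot/BIOS",    2,  b"option ROM: NIC firmware"),
    ("Pre-Boot/BIOS",    4,  b"MBR + boot loader"),
    ("Pre-Launch/TBOOT", 17, b"SINIT ACM + launch control policy"),
    ("Pre-Launch/TBOOT", 18, b"tboot MLE"),
    ("Launch/OS-VMM",    19, b"vmlinuz + initrd"),
    ("Launch/OS-VMM",    20, b"kernel command line"),
]


def run_boot(chain):
    """Replay a boot chain into a fresh PCR bank and return the final values."""
    bank = new_pcr_bank()
    launched = False
    for _phase, pcr, component in chain:
        if pcr >= 17 and not launched:
            # The SENTER launch (locality 4) zeroes the DRTM PCRs before SINIT
            # extends PCR 17; everything measured before the launch is in 0-7.
            for i in range(17, 23):
                bank[i] = b"\x00" * PCR_LEN
            launched = True
        extend(bank, pcr, measure(component))
    return bank


def changed_pcrs(bank_a, bank_b):
    """PCR indices whose values differ; this is what a whitelist compare flags."""
    return sorted(i for i in bank_a if bank_a[i] != bank_b[i])


def tampered_kernel_chain():
    """Same chain with the kernel image altered (constructed tamper case)."""
    return [(p, i, b"vmlinuz + initrd (patched)" if i == 19 else c)
            for p, i, c in BOOT_CHAIN]


def extend_sequence(measurements, start=b"\x00" * PCR_LEN):
    """Fold several measurements into one PCR, to show that order matters."""
    bank = {0: start}
    for m in measurements:
        extend(bank, 0, m)
    return bank[0]


if __name__ == "__main__":
    good, bad = run_boot(BOOT_CHAIN), run_boot(tampered_kernel_chain())
    for i in (0, 2, 4, 17, 18, 19, 20):
        print(f"PCR{i:2d} {good[i].hex()}")
    print("PCRs changed by a patched kernel:", changed_pcrs(good, bad))
```

Only PCR 19 changes when the kernel image is patched, while the BIOS and TBOOT PCRs stay at their known-good values, so a verifier can tell which layer drifted. Because extend is not commutative, a reordered boot produces a different PCR even with identical components, which is why a whitelist has to be taken from the exact build and boot order it is meant to approve.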

Page 7


Trusted Storage for TXT Measurements?

Attestation Service

Page 8


Intel Attestation Service: OpenAttestation

www.01.org/openattestation

• The OpenAttestation Project provides a software development kit (SDK) for the creation of cloud management tools. These tools establish hosts' integrity information by remotely retrieving and verifying TPM quotes (PCR values signed by the host's TPM).

• Support for Linux, KVM, OpenStack, oVirt.

Page 9


Intel Trust Attestation Solution (Enterprise Edition)

• Support for the VMware, KVM and Xen hypervisors.

Page 10


HyTrust CloudControl

• Separating "Security" from "Management" (on the VMware platform).

• Verify platform integrity using Intel TXT.

• Authenticate and verify administrator identity with two-factor authentication, including smart cards.

• Validate all change requests: secondary approval.

• Provide the system of record: detailed logs and visibility into all operations on the platform, usable by auditors.

• Assessment of the security configuration: CIS Benchmark, PCI DSS, VMware best practices.

• Geo-tagging: trusted geolocation in a cloud.

Page 11


HyTrust CloudControl

[Diagram: Zone 1, virtualization management clients on the corporate network, connect to a virtual IP on HyTrust CloudControl, which sits in front of the VMware management subnet (ESXi and vCenter Server). CloudControl authenticates via Active Directory and RSA SecurID, keeps audit-quality log storage and retention, and applies source IP constraints, network constraints and host constraints; enterprise clients can delegate policy to the security department.]

HyTrust CloudControl protects the VMware infrastructure:

➡ Infrastructure management is connected to a virtual IP and routed through CloudControl for inspection.

➡ All users are authenticated against Active Directory.

➡ All management traffic is logged.

➡ Disallowed management traffic is blocked.

➡ Authorized management traffic is sent to the infrastructure.

➡ Guest traffic is not affected by CloudControl.

Page 12

HyTrust CloudControl & Intel TXT

• Hosts are automatically labelled based on their Intel TXT measurements compared to the Known Good Host (whitelist) value.

• Rules enforce that VMs are only allowed on Trusted hosts.

• Eliminates the possibility of admins moving (vMotion*) or powering on VMs on Untrusted hosts.

[Diagram: a Protected VM in the virtual infrastructure; the virtual administrator can place it on Trusted hosts but not on Untrusted ones.]
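The OpenAttestation slide (remotely retrieve and verify TPM quotes) and this slide (compare the measurement to a Known Good Host whitelist, then let protected VMs run only on Trusted hosts) describe the verifier side of the same flow. The code below is an added example, not OpenAttestation, HyTrust or Intel code: it builds the TPM 1.2 quote digest (TPM_PCR_COMPOSITE hash plus nonce in TPM_QUOTE_INFO) the way the TPM does, checks the challenge nonce to stop replays, compares the reported PCRs with a constructed whitelist, and applies the placement rule. Checking the quote's RSA signature against the host's attestation identity key is assumed to be done by the caller before verify_quote() runs; the whitelist digests and host names are constructed.

```python
"""Attestation verifier and VM placement policy, in the shape the slides
describe. Added example; not OpenAttestation, HyTrust or Intel code.
Whitelist digests are constructed; AIK signature verification is assumed
to happen before verify_quote() is called.
"""
import hashlib
import os
import struct

PCR_LEN = 20


def pcr_selection(indices):
    """TPM_PCR_SELECTION for a 24-PCR TPM 1.2: sizeOfSelect = 3, then a bitmap
    with bit (i % 8) of byte (i // 8) set for every selected PCR."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">H", 3) + bytes(bitmap)


def composite_hash(pcrs):
    """TPM_COMPOSITE_HASH = SHA1(TPM_PCR_COMPOSITE): selection ||
    valueSize (UINT32) || PCR values in ascending index order."""
    indices = sorted(pcrs)
    values = b"".join(pcrs[i] for i in indices)
    body = pcr_selection(indices) + struct.pack(">I", len(values)) + values
    return hashlib.sha1(body).digest()


def quote_info(composite, nonce):
    """TPM_QUOTE_INFO: version 1.1.0.0, fixed tag 'QUOT', composite hash,
    external nonce. This is the structure the TPM signs with the AIK."""
    return b"\x01\x01\x00\x00" + b"QUOT" + composite + nonce


def host_quote(pcrs, nonce):
    """Host side: what its TPM binds into the quote (signature omitted)."""
    return quote_info(composite_hash(pcrs), nonce)


class AttestationVerifier:
    """Challenge a host, verify its quote, and label it Trusted/Untrusted."""

    def __init__(self, whitelist):
        self.whitelist = whitelist      # {pcr index: known-good digest}
        self._outstanding = set()       # nonces issued but not yet consumed

    def challenge(self):
        nonce = os.urandom(20)
        self._outstanding.add(nonce)
        return nonce

    def verify_quote(self, nonce, reported_pcrs, quoted):
        """Return ("Trusted", []) or ("Untrusted", [reasons])."""
        if nonce not in self._outstanding:
            return "Untrusted", ["nonce not issued or already used (replay)"]
        self._outstanding.discard(nonce)   # one quote per challenge
        reasons = []
        if quote_info(composite_hash(reported_pcrs), nonce) != quoted:
            reasons.append("reported PCR values do not match the quoted composite")
        for idx, expected in sorted(self.whitelist.items()):
            got = reported_pcrs.get(idx)
            if got is None:
                reasons.append(f"PCR {idx} missing from quote")
            elif got != expected:
                reasons.append(f"PCR {idx} differs from known-good value")
        return ("Trusted", []) if not reasons else ("Untrusted", reasons)


def placement_allowed(vm_protected, host_label):
    """Placement rule: protected VMs may be powered on or migrated only to
    hosts currently labelled Trusted; other VMs are unaffected."""
    return (not vm_protected) or host_label == "Trusted"


def _digest(text):
    return hashlib.sha1(text.encode()).digest()


# Constructed Known Good Host whitelist: BIOS (PCR 0), SINIT + policy (17),
# tboot MLE (18), hypervisor kernel (19).
KNOWN_GOOD = {0: _digest("bios 1.0"), 17: _digest("sinit+lcp"),
              18: _digest("tboot 1.8"), 19: _digest("hypervisor kernel")}


def good_host_pcrs():
    return dict(KNOWN_GOOD)


def patched_kernel_host_pcrs():
    pcrs = dict(KNOWN_GOOD)
    pcrs[19] = _digest("hypervisor kernel (modified)")
    return pcrs


if __name__ == "__main__":
    verifier = AttestationVerifier(KNOWN_GOOD)
    for name, pcrs in (("host-a", good_host_pcrs()), ("host-b", patched_kernel_host_pcrs())):
        nonce = verifier.challenge()
        label, why = verifier.verify_quote(nonce, pcrs, host_quote(pcrs, nonce))
        print(name, label, why, "protected VM allowed:", placement_allowed(True, label))
```

The nonce is what makes the quote fresh: a captured quote from a host's earlier, trusted state is rejected as a replay, and a quote over a different PCR set than the one reported is caught by recomputing the composite. The whitelist comparison is per PCR, so the reasons list tells an operator which boot layer drifted before the host is excluded from the trusted pool.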

Page 13


HyTrust CloudControl & Intel TXT

Page 14


• Enterprise IaaS cloud with SLA.

• Flexibility: buy only what you want, for as long as your business needs it.

• Scalability: scale from small to large.

• Security: runs on the Intel TXT platform. Encrypt your data in the cloud and hold the encryption keys yourself with our unique product portfolio.

• Multi-tenant: your vPDC is separated from other customers.

• Self-service portal with integrated billing and SLA reporting via the Virtix application: you know how much it costs, anytime.

Build your own Virtual Private Data Center: the Cloud4com vPDC building blocks

  vServer:    virtual server with a quality SLA on the trusted Intel TXT platform; vServer encryption option
  vStorage:   virtual HDD and SSD with a quality SLA; encryption-on-storage option
  vNetwork:   virtual router, firewall, load balancer, VLAN, connectivity; network encryption option
  Software:   software under the Service Provider Licensing Program
  Backup:     vBackup and agent-based backup with DB and application integration; backup encryption option
  Encryption: application, DB and file encryption with external key management

Virtual Private Data Center from Cloud4com

Page 15


Questions?

• Questions

• Comments

Contact

Jiří Vrbický

[email protected]

+420 734 649 894

Page 16

www.cloud4com.com [email protected] Cloud4com, a.s.
