Increasing Security and Compliance in the Cloud

Transcription

1 Reference Architecture Data Center Cloud and Software-Defined Infrastructure Increasing Security and Compliance in the Cloud Utilizing solutions from HyTrust, VMware, and Intel to enable a trusted virtualized cloud infrastructure Introduction Enterprises are constantly seeking ways to lower costs while responding more quickly to attract new and retain existing customers. Though business transformation may need to occur across the enterprise, IT can offer huge opportunities for innovation. The right technology solution can help businesses gain agility and rise above the competition. Virtualization and cloud technologies are one answer to this need for fast and agile business practices. They enable IT to run more efficiently and provide the flexibility to optimize the IT environment through workload placement and data migration. In order to address and meet business goals, IT must have a basic assurance of trustworthiness for their virtualized cloud infrastructure. In other words, they must be able to trust the platforms and hypervisors on which workloads are running. Trusted systems behave in expected ways, with hardware and software working together to enforce these behaviors and ensure they are consistent across servers, storage, and networking. When a system is trusted, the physical hardware, platforms, hypervisors, and servers geolocations are all trusted. If a system is untrustworthy, the enterprise cloud infrastructure is at greater risk of compromise which may violate regulatory compliance. To deliver on the promises of the cloud, companies must ensure that trust, security, and compliance are embedded in and are supported by their IT architecture. HyTrust, VMware, and Intel offer cloud solutions that enable IT to build a trusted virtualized infrastructure upon a foundation that utilizes hardware root-of-trust. With these solutions, after platform trust has been established, IT can apply and utilize trust and security policies to ensure that data and workloads run and launch only on trusted platforms or in given geolocations and that data is encrypted and decrypted at known locations according to policies (refer to Figure 1). HyTrust, Intel, and VMware offer a foundation for cloud control, visibility, data security, and management, enabling a more compliant virtualized cloud infrastructure. These solutions can support trust and compliance and help enterprises protect their data. This reference architecture document begins by reviewing the business challenges of the cloud and highlighting the benefits that enterprises can gain by utilizing solutions from HyTrust, VMware, and Intel. It then describes each of the solutions components and provides a set of sample use cases for business. It concludes by highlighting the importance of trust and compliance in a virtualized infrastructure. Trusted Untrusted ESXi Server ESXi Server ESXi Server???? CloudControl DataControl?? Figure 1. Intel, VMware, and HyTrust technology combine to ensure that data and workloads can move to and be processed by only trusted servers

2 Increasing Security and Compliance in the Cloud 2 Business Challenges of a Secure Cloud Companies all over the world are adopting and deploying cloud infrastructures. Some enterprises, such as those in health, financial, or related industries, may have customer data and workloads subject to regulatory compliance. Others may be running workloads that are subject to certain laws in one country and different laws in another, while others may have simply established their own stricter and more rigorous data governance policies. An enterprise needs to be able to trust a cloud solution to meet its privacy, compliance, and security requirements. Regardless of the domain in which a business works, it is essential to maintain data control and security and comply with regulatory rules. An enterprise s adoption of virtualized cloud solutions will significantly benefit from execution on trusted systems and hypervisors, upon which they can utilize a comprehensive security and compliance solution. That solution should address the need to set, apply, and enforce policies; enable auditing and reporting; and control who can access and manage systems, workloads, and data within the company s defined policies. Solutions from HyTrust, VMware, and Intel can deliver all of these capabilities and more. Solution Overview Solutions from VMware and HyTrust, enabled by Intel Trusted Execution Technology () and supported with Trusted Platform Module (), give enterprises the ability to ensure that their cloud infrastructures are trusted. HyTrust software provides extended functionality that complements VMware vcenter* with added visibility and control. HyTrust Trust Attestation Service (TAS) utilizes Intel TXT to establish comprehensive, hardware-based trust on managed ESXi 5.1 (or newer versions) or kernel-based virtual machine (KVM) hosts. (In the Architecture and Components section, this paper will examine HyTrust TAS in more depth.) Using information from HyTrust TAS, companies can define, apply, enforce, and audit trust and security policies, including controlling who can manage virtualized systems and access data and workloads. Figure 1 represents the movement of data and workloads from the data center to trusted or untrusted hosts, which IT can control via policies. Companies can also create geo-fencing boundaries, maintain governance, and isolate workloads according to IT policies and definitions. Overall, this solution can help enterprises increase the trust and security of their virtualized infrastructures and work towards increased compliance. HyTrust CloudControl* (HTCC), a HyTrust product, provides a centralized point of control for hypervisor configuration, compliance, and access management. HTCC delivers: Authentication, with trusted admins and infrastructure Authorization, with control over admins based on roles, objects, VM groupings, and boundaries Accounting/auditing, with complete, fine-grained audits for compliance and security forensics HyTrust DataControl* (HTDC) is an intelligent, robust cloud and virtualization encryption solution. HyTrust KeyControl* (HTKC), a component of HTDC, delivers an encryption solution for data security and policy-based key management, offering the flexibility to help secure data across virtualized cloud computing environments. The HTDC suite provides automated, centrally managed control over all encryption and key management policies. With HTDC, data is securely encrypted, whether at rest or in motion. HyTrust BoundaryControl, enabled by the combination of HTCC and HTDC, delivers rich functional capabilities that help to address business needs by defining, setting, and enforcing specific geolocation and geo-fencing via trust and security policies. These features can help businesses meet requirements for data control, workload isolations, and locations where systems, virtualized applications, and data can execute. A key requirement of any cloud solution is that an enterprise can trust it to meet privacy, compliance, and security requirements. To fully deliver on the promises of the cloud, a company s virtualized cloud solution needs to run on trusted systems and trusted hypervisors.

3 Increasing Security and Compliance in the Cloud 3 Architecture and Components of the HyTrust, VMware, and Intel solutions The trusted cloud solutions described in this paper include VMware vsphere* and VMware ESXi*; HyTrust CloudControl and HyTrust DataControl products running on physical or virtualized servers; Intel TXT, a technology inside Intel Xeon processors; and. Both VMware products provide direct support for Intel TXT and and enable integration with HyTrust solutions. (Refer to Figure 5 for a full architecture of the solutions.) Each time a server boots up, HyTrust TAS uses Intel TXT to establish hardware-based trust by cryptographically comparing the launch measurements of BIOS, OS, asset tag, and other components against a database of known good values. Server, BIOS, system, and hypervisor measurements (including the server s asset tag, which contains its geographic location) are stored in the. If the measurements during system launch match the expected values for the BIOS, firmware, and hypervisor, the system is labeled as trusted; if they do not, it is labeled untrusted. With these results and utilizing HTCC, administrators can set policies enabling and strengthening the security and compliance of the virtualized cloud infrastructure. Figure 2 shows the architecture of HyTrust TAS and notes some of the key capabilities it enables. Gather platform status HTTPS Provide platform trust status for trusted pools, compliance, etc. Linux/KVM Trust Agent SSL Attestation Server Privacy CA ESXi ESXi ESXi VMware vcenter Attestation Cache Key Management MLE + Whitelist Management Provisioning + Automation Software Hashes for Modules Good Known PCR Values Control Policies Etc. Trust Definition for MLI Figure 2. Architecture of HyTrust Trusted Attestation Service (TAS) Intel Trusted Execution Technology () is a key component of the solutions, providing the capabilities necessary to measure and report the system and hypervisor trust. It has an inherently secure execution process that utilizes a combination of hardware and software, including Intel Xeon processors, chipset, and I/O subsystem; Intel TXT-aware BIOS; Authenticated Code Modules; and other platform components that maintain the integrity of the measurements. Intel TXT measures the BIOS, operating system, and hypervisor to enable attestation on systems and hypervisors and establish a root-of-trust. Intel TXT is available by default in most Intel Xeon processor-powered servers supplied by leading server OEMs. Figure 3 highlights the hardware components and software on Intel TXT on enabled Intel Xeon processor-powered systems.

4 Increasing Security and Compliance in the Cloud 4 Intel VT-x & support (VMX+SMX) Intel Xeon Intel Xeon Intel VT-x & support (VMX+SMX) Intel Software BIOS AC Module SINIT AC Module AC modules and platform initialization BIOS IOH/ PCH 1.2 by 3 rd Party (TCG * Compliant) 3rd Party SW MLE, Hosted OS Apps etc. & Intel VT-d support in IOH Toolkit 1.2 Support Figure 3. System and components highlighting Intel Trusted Execution Technology (Intel TXT) The Trusted Platform Module (), an integral component of many enterprise-level systems sold today, is a secure cryptoprocessor that uses crypto-keys to provide hardware-level security. Companies that use servers powered by Intel Xeon processors should be able to take advantage of both and Intel TXT. Once has been fully configured, it cannot be re-plugged, moved, or reused from server to server, assuring the security of the stored information. Figure 4 shows the architecture of the Trusted Platform Module, in particular its various storage, encryption, and key generation components and how they communicate via the module s internal communication bus. I/O Opt-In Non-Volatile Storage Execution Engine Program Code SHA-1 Volatile Storage Interconnection Bus Random Number Generator Platform Configuration Register (PCR) RSA Engine Key Generation Trusted Platform Module 1.2 ( 1.2) Attestation Identity Key Figure 4. The architecture and component interconnection of the Trusted Platform Module () Attestation and Trusted Compute Pools As described earlier, HyTrust TAS establishes a root-of-trust by utilizing Intel TXT,, and HTCC. Information from attestation confirms the integrity of virtualized and non-virtualized Intel Xeon processor-powered servers and workloads, and it verifies when VMs are booted or migrated to new hardware. The hardware root-of-trust is a key foundation upon which companies can build a trusted virtualized cloud infrastructure. During provisioning, the IT organization may seed asset tag information for geolocation, with the cryptographic derivative of the host s unique identifier and platform metadata stored in the for use with TAS.

5 Increasing Security and Compliance in the Cloud 5 HTCC capabilities enable administrators to set policies, including workload placements, onto groups of servers known as trusted compute pools. These policies may apply to application execution, including the location of servers and data. Figure 5 shows a sample architecture, including several examples of trusted compute pools. As a foundation for a trusted cloud infrastructure, creating trusted compute pools is a leading approach to aggregate trusted systems and segregate them from untrusted resources. Trusted compute pools allow IT to gain the benefits of the dynamic cloud environment while still enforcing higher levels of protections for their critical workloads. They also enable audits and the separation of higher-value, more sensitive workloads from commodity application and data workloads. Trusted Compute Pool Trusted Compute Trusted Compute Trusted Compute VM VM VM CloudControl DataControl VMware vcenter Application/Data File System HTDC Agent Application/Data File System HTDC Agent Application/Data File System HTDC Agent VMware / ESXi VMware / ESXi VMware / ESXi Figure 5. The high-level architecture and components of the solutions, featuring trusted compute pools HyTrust CloudControl HTCC, along with Intel TXT technologies and, provides the essential foundation for cloud control and compliance in a VMware virtualized cloud infrastructure. Figure 6 shows the architecture of HTCC and its data flow from client access points through the protected virtualized infrastructure. HTCC is installed as a virtual appliance and integrates into a VMware vsphere environment. It captures highly detailed, real-time logs of every attempted, denied, and approved administrator action in the virtualized data center while enforcing security policies. It is also possible to configure high-availability HTCC servers. The web-based HTCC Management Console, available from any standard web browser, is used to customize HTCC configuration settings and set up policies for safeguarding a managed virtual infrastructure. It provides menus to set authentication options for users, add vcenter Server and hosts, define templates and policy checks to enforce security, and view and configure logs. Its capabilities include: Remote platform attestation, which ensures that cloud workloads are run on trusted server platforms Reporting on the trust of systems and creating trusted compute pools Trust- and geolocation-based homogeneous secure migration, which allows cloud workloads to be migrated among trusted server platforms within a cloud, taking into consideration geolocation policies Management of workload placement, enforcement, and policy on trusted systems Real-time monitoring, threat detection, and alerts of suspicious vcenter account activity Fine-grained, role-based, and resource-based authorization Enforced separation of duties and least privilege with need-to-know access Audit-quality logs enabling complete audit trails tied to individual users activities Strong, multi-factor authentication to protect access to the virtualization platform Hypervisor configuration hardening to ensure platform integrity

6 Increasing Security and Compliance in the Cloud 6 Client Access (SSH) Reporting Logging Client Access (VMware vsphere client) HyTrust Policy Enforcement Permit or Deny Request VMware vsphere VMware ESXi Client Access (HTTP) Administrator Identity Hypervisor Configuration Administrator Role Defined Security Policy Infrastructure Integrity VMware ESXi VMware ESXi Protected Virtual Infrastructure with servers powered by Intel Administrative Requests (VMware vcenter, VMware vsphere client, SSH, etc.) API to extend capabilities to HyTrust Partners HyTrust CloudControl Appliance Figure 6. Architecture of HyTrust CloudControl (HTCC), showing data flow from client access points to the virtual infrastructure HyTrust DataControl HTDC is an intelligent and robust cloud and virtualization encryption product providing automated, centrally managed control over policies. Because the software is part of a VM, encryption travels with the VM from one physical host to another. This means that data should be secure both in motion and at rest a critical point in an infrastructure in which data and workloads are constantly moving. Figure 7 shows a simplified representation of the HTDC architecture. HTDC Data Encryption provides: Both encryption and policy-based key management, which are both highly secure and easy to manage On-the-fly encryption and rekey encrypt of data with NIST-approved AES-128/256 algorithms Portability to different cloud infrastructures, completely transparent to users and applications Multitenant administration capabilities to create unique accounts and multiple levels of administration Role-based policy management that enables segment encryption and administration by department A simple policy agent that installs into the OS of each VM, making encryption transparent to applications Truly mobile encryption, with the VM copied for backup or availability Full RESTful API that can easily automate any task, such as provisioning new VMs or volume Security Audit Stream that captures, logs, and alerts on a broad range of activity to monitor and track

7 Increasing Security and Compliance in the Cloud 7 Virtualization VM VM VM VM Running VMs VM VM VM VM VM VM VM VM DataControl VM KeyControl DataControl VM VM VM VM VM Running VM VM VM VM VMs VM VM VM VM VMware vsphere Cloud Infrastructure Private Data Center IaaS Public Cloud Figure 7. Architecture of HyTrust DataControl (HTDC) showing the connections between a private data center and a public cloud Integral to HTDC, the HyTrust KeyControl server resides in the data center and allows organizations to be in control of their data and workloads, whether they re in the cloud or on a physical or virtual server. Once authenticated with HyTrust KeyControl, VMs can start encrypting data. All data encrypted in the OS is protected as it moves through the hypervisor and to storage. Operationally, HTDC is transparent when requested by authorized VMs. Encryption keys are securely retrieved, and the data is decrypted and presented back to the application. HyTrust KeyControl provides a highly available, security-hardened key management system with greatly simplified encryption management. Users can manage policies and settings though web interfaces or built-in APIs, even in multi-tenant environments. Encryption keys can be applied per device, for standard data partitions, and for Windows* boot. Finally, with online re-keying, onthe-fly changes are possible, letting administrators set policies to re-key data in accordance with industry standards. HTDC KeyControl Management provides: A highly available, security-hardened key management system and simplified encryption management Centralized key management and encryption policies Policy-based key management automated from a Web browser or through APIs Use of multi-tenant KeyControl supporting separation of duties and shared, secure administration The ability to apply encryption keys per device within a VM, for standard data partitions and for Windows boot Online rekeying, letting administrators set policies to rekey data in accordance with industry standards Ability to be deployed in distributed clusters for failover and high availability HTDC can detect and utilize hardware-based Intel Advanced Encryption Standard New Instructions (Intel AES-NI), a specialized instruction set designed to boost performance during cryptographic data operations. By enabling IT staff to encrypt customer data and assign encryption keys to the data owner, users can protect against unauthorized access or modification of customer data. HTDC also provides for the encryption of virtual disks, individual files, virtual machines, or physical servers in the data center. Together, all of these components can enable enterprises to extend the overall trust and security of their cloud infrastructures. Trust, Security, and Data Sovereignty Use Cases Previous sections of this paper demonstrated the robust functional capabilities of HTCC and HTDC, enabled by utilizing hardwareroot-of-trust, Intel Xeon processor-based servers, Intel TXT, and. The following section features a small sampling of four trust and security use cases that HTCC and HTDC support for a VMware virtualized cloud infrastructure. Because HyTrust BoundaryControl is an especially critical use case, this paper will explain it in more depth.

8 Increasing Security and Compliance in the Cloud 8 The sample use cases highlight functionalities that ensure that systems are trusted, applications and services are running on trusted systems and in specific locations, and workloads and data are executed in a given location. In addition, these functionalities allow companies to define and apply policy enforcement, create detailed reports, and utilize auditing capabilities to review every operational action undertaken for the VMware cloud infrastructure. Platform Attestation with Intel TXT Taking launch measurements of the server BIOS, low-level device drivers Performing platform and VM hypervisor attestation Validating measured vs. expected server measurements and known-good values/whitelist measurements against Measured Data Reporting the Trust Status of all systems and hypervisors Utilizing the Trust Status and Geotag location by HTCC Trusted Compute Pools and Secure Migration Creating trusted compute pools: a. Creating trusted compute pools with and HTCC policies b. Placing Trusted Servers (VMs) on the Trusted Compute Pools (Hosts) based upon policy Placing workloads in the trusted compute pools: a. Requesting a placement of the Service in a Trusted Pool b. Determining whether the request is in accordance with defined policy c. Permitting or denying requests for workloads to be executed on servers in the Trusted Pool d. Intercepting all administrative requests for the virtual infrastructure e. Recording all activities, including audit and compliance reporting Migrating workloads in compute pools: a. Examining migration policies based on the trust status of hosts b. Ensuring secure, attested ESXi hosts in vcenter are available c. Attempting to migrate a VM Allow or Disallow workload migration based on policy d. Intercepting all administrative requests for the virtual infrastructure; HTCC enforces migration and denies the VM to an untrusted host e. Recording all administrative access and change requests f. Recording all activities, including audit and compliance reporting Virtual Server Volume Decryption Based on Location with HTDC Gaining access to data management of data encryption on available drives Accessing the encrypted drive, saving a new file Revoking access to the encrypted drive Reviewing key management policies HyTrust BoundaryControl Extending Trust and Security with Geotags HyTrust BoundaryControl with PolicyTags capabilities is enabled in HTCC and HTDC solutions utilizing Intel TXT and. HTCC leverages the -enabled processors to more securely write administrator-defined descriptors to the server and hardware. Using this capability, HTCC users can define boundary policies for virtualized applications. Once boundary policies are defined, they can be applied to any -enabled hosts. To enforce those policies, IT can add them to rules as a Host Attribute constraint type. Using the Exclude Host Attributes directive allows users to exclude the hosts with matching PolicyTags values from the rule. Users can define values for five pre-defined PolicyTag names: Country, State/Province, Physical Data Center (PDC), Region (Logical), and Classification.

9 Increasing Security and Compliance in the Cloud 9 HyTrust BoundaryControl provides robust functionalities to meet business needs for data sovereignty and security, controlling the launch of solutions based upon geolocation requirements. It ensures that sensitive applications and data workloads may only run on authenticated, trusted hosts physically located in specific trust zones, data centers, or geographic locations. It also enables VMlevel visibility, detailed auditing, and data security. Capabilities of HyTrust BoundaryControl include helping to ensure that: The cloud compute platform hosting the enterprise s workload has not been modified or tampered with Sensitive workloads on a multi-tenancy cloud platform are isolated (within a logically defined environment) from the workloads of competing companies Workload migration occurs only between trusted clusters and within trusted data centers Cloud servers are located in their preferred regions or home countries, so the cloud provider is subject to the same data security and privacy laws Data and workloads are compliant with national and/or regional data sovereignty needs Sensitive applications and data cannot leave the secure data center Mission-critical applications run on optimal hardware to prevent application downtime or performance issues HyTrust BoundaryControl can help enterprises increase application security, data security, and high availability. It also empowers IT to bridge the gap between cloud computing benefits and cybersecurity concerns. Sample use cases of HyTrust BoundaryControl include: Provisioning and applying geotags, utilizing the hardware-root-of-trust capabilities enabled with -enabled servers for Geo Capabilities (geolocation, geo-fencing) Applying platform trust Validating that a boundary can be established in which only security-sensitive workloads are allowed to operate; further, disallowing data decryption outside of the boundary Restricting vmotion across boundaries Validating server attestation and that virtual workloads can be constrained to run on only known and trusted servers Labeling VMs and role-based access control (RBAC) to provide fine-grained control, which can be used to enforce a least-privilege model of vadmin governance Proving that data at rest is encrypted for any virtual workload and for any subsequent duplicates, clones, and backups Key management using KeyControl Creating and securely storing encryption keys within the KeyControl cluster and separate from virtual workloads KeyControl operates according to proper key management practices (least privilege, key-strength, key rotation, key revocation, etc.) Substantiating that KeyControl has been tested according to the NIST FIPS standard Substantiating that secure communication between an encrypted workload and KeyControl is in place Extended security features Hardening ESXi hosts and configuration to meet PCI specific standards (and/or other security standards) Using root-password-vaulting of ESXi hosts as a means to provide accountability over root-privileged access to hosts Integrating with two-factor authentication to ensure vadmin IDs are unique and that accountability of vadmin actions is attributable to individuals Gaining RBAC of vadmin actions Validating the means to monitor vadmin access and alert to indicate potential errors, misuse, or malfeasance Keeping fine-grained audit records, including both successful and denied attempts, for all vadmin actions and against creation and deletion of all system level (virtual) objects Using fine-grained audit to detect certain anomalies or suspicious activity by vadmins Using alerting to provide a continuous watch for repeated behavior that may be indicative of misuse

10 Increasing Security and Compliance in the Cloud 10 Summary The complexity of effectively managing and securing a virtual cloud infrastructure is increasing. The challenges begin at the most basic level: If enterprises can t trust their systems, they can t ensure that they re securing their data, providing access and control to the right people, following their own security policies, and adhering to compliance laws. Many technology companies are working diligently to create effective solutions, sharing best-known methods and collaborating to help enterprises effectively address today's complex and growing security requirements. Intel Xeon processor-based servers, HyTrust CloudControl, HyTrust DataControl, and Intel TXT with VMware vsphere can help address trust, security, data compliance, and data sovereignty for the cloud. By utilizing hardware-root-of-trust to establish a foundation for the virtualized cloud infrastructure, solutions from HyTrust, VMware, and Intel offer enterprises a way to enhance the security and compliance of their virtual environments. This reference architecture document discussed the problem of security and compliance in a virtualized cloud infrastructure and reviewed how solutions from HyTrust, VMware, and Intel can help solve that problem. It explained the architectures of the solutions and their components and highlighted four sample use cases applicable to enterprises today. To find the best solution for your organization, contact your Intel representative, register at IT Center, or visit To learn more about the solutions from HyTrust, VMware, and Intel, go to: HyTrust: VMware: Intel TXT: Intel Xeon processors: Solutions Proven By Your Peers Intel Solution Architects are technology experts who work with the world s largest and most successful companies to design business solutions that solve pressing business challenges. These solutions are based on real-world experience gathered from customers who have successfully tested, piloted, and/or deployed these solutions in specific business use cases. Martin Guttmann Principal Solution Architect; World Wide Data Center Solutions Intel Corporation Tamer Elsharnouby Solution Architect; World Wide Data Center Solutions Intel Corporation Intel technologies features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer. Intel, Intel Xeon, Intel TXT, Intel AES-NI, and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. Intel does not control, audit or endorse third-party products referenced in this document. You should independently confirm whether referenced data are accurate. *Other names and brands may be claimed as the property of others. 2016, Intel Corporation 0116/MMG/PT/PDF