Designing Secure Storage for the Cloud
Jesus Molina, Fujitsu Laboratories of America
Introduction
- Trusted Computing and Cloud
- Overview of Trusted Computing
- CSA guidelines and TCG standards
- Trusted Storage WG
- Practical Applications
- Other Working Groups
Trusted Computing and Cloud
So what is the root problem of cloud security? TRUST.
In the cloud you cannot verify the Trusted Computing Base directly.
TCG standards and cloud
In the cloud you can VERIFY, THEN TRUST (standards, certification, technology) OR JUST TRUST (lawyers).
Introduction to TCG
TCG: Standards for Trusted Systems
Labels from the diagram, grouped here by kind:
- Platforms: Virtualized Platform, Mobile Phones, Printers & Hardcopy, Desktops & Notebooks, Servers
- Layers: Hardware, Software Stack, Operating Systems, Applications, Web Services
- Functions: Authentication, Network Security, Storage Security, Data Protection, Infrastructure
Trusted Clients
Security built in: Trusted Platform Module (TPM), Mobile Trusted Module (MTM)
Features: authentication, encryption, attestation

Trusted Servers
Security built in: Trusted Platform Module (TPM), secure virtualization, secure cloud
Features: authentication, encryption, attestation

Trusted Storage
Security built in: Self-Encrypting Drive (SED)
Features: encryption, authentication

Trusted Networks
Security built in and coordinated: Trusted Network Connect (TNC)
Features: authenticate, health check, behavior monitor, enforce
CSA Guidelines and TCG

CSA Domain (number)                     | Examples
(2)  Governance / Risk Management       | Decrease risk exposure
(3)  Legal and Electronic Discovery     | Data recovery and encryption
(4)  Compliance and Audit               | Server attestation
(5)  Information Lifecycle Management   | Safe data retirement
(6)  Portability and Interoperability   | Metadata access policy
(7)  Traditional Security               | Network access control
(8)  Incident Response                  | Coordinated security
(11) Encryption / Key Management        | SED, hardware key storage
(12) Identity / Access Management       | Hardware token authentication
(13) Virtualization                     | Trusted multitenancy
Trusted Storage Working Group
Implementation Overview (diagram)
- Enterprise support: an ISV application on the host issues TCG Trusted Send / Trusted Receive container commands (T10 SCSI or T13 ATA) to the trusted storage device.
- Trusted storage: firmware and hardware enhancements for security and cryptography (SED chip).
- Security Providers (SPs) in the firmware control partitioned hidden storage; hidden memory is assigned to applications.
Trusted Storage with Trusted Platform (diagram)
Trusted storage (root of trust) <-> secure communications <-> trusted platform (TPM or trusted element)
Life cycle: Manufacture, Own, Enroll, PowerUp, Connect, Use
TCG Storage WG Core Specification
- SPs (Security Providers): logical groupings of features. SP = Tables + Methods + Access Controls
- Tables: like registers; primitive storage and control
- Methods: Get, Set. Commands are kept simple, with many possible functions
- Access control over methods on tables
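An illustrative model of the SP structure on this slide (tables, the methods Get and Set, and access control over methods on tables), written in Go for this page; it is not code from the TCG Core Specification or from any SED firmware. The table, column, authority and PIN names (Locking, C_PIN, Admin1, User1, Anybody) are simplified stand-ins chosen for the example, and the ACL is keyed by table and method, whereas real SSCs express access control with finer-grained access-control entries.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

var ErrNotAuthorized = errors.New("access control: method not permitted in this session")
var ErrNoSuchCell = errors.New("no such table, row or column")
var ErrBadPIN = errors.New("authentication failed")

// Anybody is the implicit authority of every session; the others need a PIN.
const Anybody, Admin1, User1 = "Anybody", "Admin1", "User1"

type Row map[string]string

type SP struct {
	tables map[string][]Row    // table name -> rows (column -> value)
	acl    map[string][]string // "Table.Method" -> authorities allowed to call it
}

// NewLockingSP: one locking range, locked for reads and writes, which Admin1
// or User1 may unlock; anybody may inspect it; only Admin1 may change PINs.
func NewLockingSP(adminPIN, userPIN string) *SP {
	return &SP{
		tables: map[string][]Row{
			"Locking": {{"Range": "0", "ReadLocked": "true", "WriteLocked": "true"}},
			"C_PIN":   {{"Authority": Admin1, "PIN": adminPIN}, {"Authority": User1, "PIN": userPIN}},
		},
		acl: map[string][]string{
			"Locking.Get": {Anybody},
			"Locking.Set": {Admin1, User1},
			"C_PIN.Set":   {Admin1},
			// no "C_PIN.Get" entry: PINs are checked by the drive, never returned
		},
	}
}

// Session carries the authorities proven so far.
type Session struct {
	sp    *SP
	auths map[string]bool
}

func (sp *SP) Open() *Session { return &Session{sp, map[string]bool{Anybody: true}} }

func (s *Session) permitted(table, method string) bool {
	for _, a := range s.sp.acl[table+"."+method] {
		if s.auths[a] {
			return true
		}
	}
	return false
}

func (s *Session) row(table string, idx int, column string) (Row, error) {
	if rows := s.sp.tables[table]; idx >= 0 && idx < len(rows) {
		if _, ok := rows[idx][column]; ok {
			return rows[idx], nil
		}
	}
	return nil, ErrNoSuchCell
}

// Get and Set are the only methods; the ACL is consulted before the table is.
func (s *Session) Get(table string, idx int, column string) (string, error) {
	if !s.permitted(table, "Get") {
		return "", ErrNotAuthorized
	}
	r, err := s.row(table, idx, column)
	if err != nil {
		return "", err
	}
	return r[column], nil
}

func (s *Session) Set(table string, idx int, column, value string) error {
	if !s.permitted(table, "Set") {
		return ErrNotAuthorized
	}
	r, err := s.row(table, idx, column)
	if err != nil {
		return err
	}
	r[column] = value
	return nil
}

// Authenticate proves an authority by PIN. The SP compares the PIN itself
// rather than through Get, which is how the ACL can deny Get on C_PIN.
func (s *Session) Authenticate(authority, pin string) error {
	for _, r := range s.sp.tables["C_PIN"] {
		if r["Authority"] == authority &&
			subtle.ConstantTimeCompare([]byte(r["PIN"]), []byte(pin)) == 1 {
			s.auths[authority] = true
			return nil
		}
	}
	return ErrBadPIN
}
```

Usage: open a session with sp.Open(), call Authenticate(User1, pin) to add an authority, then Set("Locking", 0, "ReadLocked", "false") to unlock the range; the same call from an unauthenticated session returns ErrNotAuthorized, and Get on C_PIN is refused for every authority because the ACL has no entry for it.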
TCG Storage: Document Structure (SSC = Security Subsystem Class)
Published:
- General documents: Core Spec, Interface
- Specific documents: PC SSC (Opal), Optical SSC, Enterprise SSC
- Auxiliary documents
In process:
- Compliance and Security Evaluation
Authentication in the Drive (diagram)
AK = Authentication Key; DEK = Data Encryption Key. Stored on the drive: hashed AK, encrypted DEK, encrypted user data.
1. The storage server presents the AK to the drive.
2. The drive hashes the AK and compares it with the stored hashed AK.
3. No match: the drive responds to no read or write requests.
4. Match: the clear AK decrypts the DEK and the HDD is unlocked; the DEK encrypts and decrypts the user data.
Practical Applications
How the Drive Retirement Process Works
Retire drive (replace, repair, repurpose) -> remove ALL drives -> queue in secure area -> transport offsite -> queue in secure area. Send even "dead" drives through.
Drive retirement is expensive, time-consuming and error-prone. People make mistakes:
"Because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes." (which lost a tape with 150,000 Social Security numbers stored at an Iron Mountain warehouse, October 2007 [1])
Retirement options:
- Overwriting takes days, and there is no notification of completion from the drive.
- Degaussing: hard to ensure the degauss strength matched the drive type.
- Shredding is environmentally hazardous.
- (pictured) Not always as secure as shredding, but more fun.
SECURE? 99% of Shuttle Columbia's hard drive data was recovered from the crash site: "Data recovery specialists at Kroll Ontrack Inc. retrieved 99% of the information stored on the charred Seagate hard drive's platters over a two day period." (Computerworld, May 7, 2008)
1. http://www.usatoday.com/tech/news/computersecurity/2008-01-18-penney-data-breach_
Drive Retirement: Self-Encrypting Drives
Same process (retire drive: replace, repair, repurpose; remove ALL drives; send even "dead" drives through; queue in secure area; transport offsite; queue in secure area), but with self-encrypting drives: Power Off = Locked and Encrypted = SECURE.
- Reduces IT operating expense
- Eliminates the need to overwrite or destroy the drive
- Secures warranty and expired-lease returns
- Enables drives to be repurposed securely
- Provides safe harbor for most data privacy laws
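The AK/DEK flow from the "Authentication in the Drive" slide, together with the crypto-erase that lets an SED be retired or repurposed without overwriting, as an added Go example written for this page (it is not drive firmware or TCG reference code). The drive keeps exactly the three items the slide draws on the platters (hashed AK, encrypted DEK, encrypted user data) and holds the plaintext DEK only while unlocked. Tagged SHA-256 for the AK hash and wrapping key, AES-256-GCM for both the DEK wrap and the media, a 12-byte nonce, and the rule that CryptoErase requires an unlocked (authenticated) drive are assumptions of the example; the sample AKs and data are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

var ErrLocked = errors.New("drive locked: read/write request refused")
var ErrBadAK = errors.New("authentication key rejected")

// Drive: hashed AK, wrapped DEK and encrypted media as stored on the platters;
// dek is the plaintext DEK, held in RAM only while unlocked (nil = locked).
type Drive struct {
	akHash, wrapped, media, dek []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable on a broken RNG or a wrong key length
	}
	return v
}

func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// derive turns the AK into the stored verifier ("verify") or the key that
// wraps the DEK ("wrap"); the tag keeps the verifier from doubling as a key.
func derive(tag string, ak []byte) []byte {
	sum := sha256.Sum256(append([]byte(tag+":"), ak...))
	return sum[:]
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, pt []byte) []byte {
	nonce := random(12)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("nothing to decrypt")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}

// provision generates a fresh DEK inside the drive, wraps it under ak and
// leaves the drive locked; any previous DEK is simply forgotten.
func (d *Drive) provision(ak []byte) *Drive {
	d.akHash = derive("verify", ak)
	d.wrapped = seal(derive("wrap", ak), random(32))
	d.dek = nil
	return d
}

// NewDrive is the Manufacture/Own step; the drive powers up locked.
func NewDrive(ak []byte) *Drive { return new(Drive).provision(ak) }

// Unlock follows the slide: hash the presented AK, compare with the stored
// hash, and only on a match use the AK to decrypt the DEK.
func (d *Drive) Unlock(ak []byte) error {
	if subtle.ConstantTimeCompare(derive("verify", ak), d.akHash) != 1 {
		return ErrBadAK
	}
	dek, err := open(derive("wrap", ak), d.wrapped)
	if err != nil {
		return ErrBadAK
	}
	d.dek = dek
	return nil
}

// PowerOff drops the plaintext DEK: power off = locked and encrypted.
func (d *Drive) PowerOff() { d.dek = nil }

func (d *Drive) Write(data []byte) error {
	if d.dek == nil {
		return ErrLocked
	}
	d.media = seal(d.dek, data)
	return nil
}

func (d *Drive) Read() ([]byte, error) {
	if d.dek == nil {
		return nil, ErrLocked
	}
	return open(d.dek, d.media)
}

// CryptoErase is the retirement step: an unlocked drive replaces its DEK and
// wraps the new one under the next owner's AK. The old ciphertext stays on
// the media on purpose, to show it cannot be read back under the new DEK.
func (d *Drive) CryptoErase(newAK []byte) error {
	if d.dek == nil {
		return ErrLocked
	}
	d.provision(newAK)
	return nil
}
```

Usage follows the life cycle on the slides: NewDrive(ak) manufactures a locked drive; Read and Write return ErrLocked until Unlock(ak) succeeds; PowerOff locks it again; Unlock followed by CryptoErase(nextAK) retires it, after which the old AK is rejected, the next owner can unlock with nextAK, and whatever ciphertext is still on the media fails to decrypt because the DEK it was written under no longer exists anywhere.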
Other Working Groups
Should you care?
Storing data in the cloud is more than hardware storage:
- Where does the data reside?
- How do you handle information dispersal?
- Can you verify the hardware? Remote integrity is also important.
- Is your data being erased? If so, when, how and using what method?
- How do you make sure your data is not corrupted?
Securing Multitenant Platforms Using TCG
Some goals:
- Protection of processing and information in motion and at rest
- Ability to share physical platforms among tenant domain components (shared services)
- Visibility and auditability of actions
- Management of physical resources independently of domain resources
- Loosely coupled architecture managed by applying appropriate policy and trust
- Ability to control the flow of information between tenant domains within policy constraints
- Ability to address various security models to protect the integrity and confidentiality of services and data exchanges within the enterprise
Relevant working groups:
- Virtualization WG (virtual certificates, virtual TPM, migration)
- TPM WG (server attestation)
- Storage WG (multilevel storage)
- Trusted Network Connect (policy definition and enforcement)
Support Slides
Diagram: virtual machines (VM, VM, VM) and a virtual TPM (vTPM) on a Virtual Machine Monitor backed by a hardware TPM; multilevel storage; NAC and IF-MAP.