The National Cybersecurity Center of Excellence (NCCoE) is collaborating with industry to enforce geolocation restrictions and secure shared cloud servers. More specifically, the center is strengthening the security of virtualized infrastructure cloud computing technologies by using infrastructure as a service (IaaS) to address security challenges tied to shared cloud servers.
Security managers have found that, despite its tremendous benefits, shared cloud computing is exposing companies to a set of threats, risks and vulnerabilities. For example, the speed with which a technologist can migrate unrestricted workloads has compelled security managers to separate workloads so that they cannot be intentionally or accidentally moved across different security boundaries.
Companies also expose themselves to legal, policy and regulatory risks when they capitalize on the globalization benefits of cloud computing by migrating workloads from cloud servers located in one country to servers in another country.
The NCCoE uses geolocation to determine the approximate physical location of cloud computing servers so that companies can monitor and control their workloads, anticipate and mitigate risks, and reduce their exposure to data leakage. Moreover, it is clear that security managers cannot depend on traditional methods to meet the quickly changing security demands of cloud computing. In addition, the server firmware and operating system are measured at boot-up time and verified against a known-good list to validate that they have not been modified.
In December 2012, the Information Technology Laboratory at NIST created a building block to help security managers validate and implement a proof of concept. Managers can harden their cloud-based security measures and facilitate their companies’ rapid adoption of cloud computing technologies that are safe and secure.
The building block is focused on developing a hardware root of trust capability that will enforce and monitor geolocation restrictions for cloud workloads on trusted servers. A commercially available technology, the hardware root of trust capability may be useful because:
1. The trusted measurement of the hardware at launch time ensures that it is still as it was when provisioned.
2. The trusted combination of hardware and firmware maintains the integrity of the geolocation information and the platform.
3. The host’s unique identifier and platform metadata are stored in tamper-proof hardware.
4. Secure protocols are used to assert the integrity of the platform and confirm the location of the host.
The NCCoE is exploring these benefits further and, as part of its building block process, will demonstrate and explain how organizations can adopt this and similar technologies to harden their infrastructures.
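The four properties listed above can be sketched as a verifier-side check. This is an added example, not NCCoE or NIST code: it chains boot measurements TPM-style, binds them to a host identifier and geotag in a signed report, and gates workload placement on a known-good list and a location policy. HMAC with a shared key stands in for the asymmetric signature a hardware root of trust would produce, and every name, key and geotag value is constructed for illustration.

```python
import hashlib, hmac, json

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA256(old || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> str:
    """Chain every boot component, in order, into one measurement."""
    pcr = bytes(32)
    for c in components:
        pcr = extend(pcr, c)
    return pcr.hex()

def make_report(key, host_id, geotag, components, nonce):
    """Host side: the claims the root of trust would sign (HMAC is a stand-in)."""
    body = {"host_id": host_id, "geotag": geotag,
            "pcr": measure_boot(components), "nonce": nonce}
    msg = json.dumps(body, sort_keys=True).encode()
    return body, hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_report(key, body, sig, nonce, known_good, allowed_geotags):
    """Verifier side: returns (ok, reason) before a workload is placed."""
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"          # report altered after signing
    if body["nonce"] != nonce:
        return False, "stale nonce"            # replay of an old report
    if body["pcr"] not in known_good:
        return False, "untrusted boot measurement"
    if body["geotag"] not in allowed_geotags:
        return False, "location not permitted"
    return True, "trusted"

# Constructed sample data (hypothetical key, components and geotags)
KEY = b"constructed-demo-key"
GOOD_BOOT = [b"firmware v1", b"bootloader v1", b"hypervisor v1"]
KNOWN_GOOD = {measure_boot(GOOD_BOOT)}

if __name__ == "__main__":
    body, sig = make_report(KEY, "host-01", "US", GOOD_BOOT, "n1")
    print(verify_report(KEY, body, sig, "n1", KNOWN_GOOD, {"US"}))
    print(verify_report(KEY, body, sig, "n1", KNOWN_GOOD, {"CA"}))
```

Because the geotag sits inside the signed body alongside the boot measurement, a host cannot change its claimed location without invalidating the report.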
Read the NIST Interagency Report, Trusted Geolocation in the Cloud: Proof of Concept Implementation (Draft).
Visit our workshop page.