One of the major challenges that faces organizations using a cloud or hosting service is to know where their data is held and processed. This may be to ensure that they remain in compliance with laws and regulations or simply because they have a mistrust of certain geo-political regions. The location of this data may be defined in the contract with the CSP (Cloud Service Provider) but how can the organization using the service be sure that the contract is being met? This question has led to many organizations being reluctant to use cloud.
Using the cloud is not the only reason for this concern – my colleague Martin Kuppinger has previously blogged on this subject. Once information is outside of the system it is out of control and potentially lost somewhere in an information heaven or hell.
One approach to this problem is to encrypt the data so that if it moves outside of your control it is protected against unauthorized access. This can be straightforward encryption for structured application data or structured encryption using private and public keys as in some RMS systems for unstructured data like documents. However, as soon as the data is decrypted the risk re-merges. One approach to this could be to make use of ”sticky access policies”.
However while these approaches may protect against leakage they don’t let you ensure that your data is being processed in a trusted environment. What is needed is a way to enable you to control where your workload is being run in a secure and trusted way. This control needs to be achieved in a way that doesn’t add extra security concerns – for example allowing you to control where your data is must not allow an attacker to find your data more easily,
Two years ago NIST published a draft report IR 7904 Trusted Geolocation in the Cloud: Proof of Concept Implementation. The report describes the challenges that this poses and sets out a proposed approach that meets these challenges and which could be implemented as a proof of concept. The US based cloud service provider Virtustream recently announced that its service now supports this capability. They state “This capability allows our customers to specify what data centre locations that their data can be hosted at and what data centres cannot host their data. This is programmatically managed with our xStream cloud orchestration application.”
The NIST document describes three stages that are needed in the implementation of this approach:
- Platform Attestation and Safer Hypervisor Launch. This ensures that the cloud workloads are run on trusted server platforms. To achieve this you need to:
- Configure a cloud server platform as being trusted.
- Before each hypervisor launch, verify (measure) the trustworthiness of the cloud server platform.
- During hypervisor execution, periodically audit the trustworthiness of the cloud server platform.
- Trust-Based Homogeneous Secure Migration. This stage allows cloud workloads to be migrated among homogeneous trusted server platforms within a cloud.
- Deploy workloads only to cloud servers with trusted platforms.
- Migrate workloads on trusted platforms to homogeneous cloud servers on trusted platforms; prohibit migration of workloads between trusted and untrusted servers
- Trust-Based and Geolocation-Based Homogeneous Secure Migration. This stage allows cloud workloads to be migrated among homogeneous trusted server platforms within a cloud, taking into consideration geolocation restrictions.
- Have trusted geolocation information for each trusted platform instance
- Provide configuration management and policy enforcement mechanisms for trusted platforms that include enforcement of geolocation restrictions.
- During hypervisor execution, periodically audit the geolocation of the cloud server platform against geolocation policy restrictions.