The National Institute of Standards and Technology (NIST) released draft guidance targeted at cloud service providers (CSPs) to help them protect application containers in multi-tenant environments, taking a hardware-based approach to security.
The draft version of NISTIR 8320A – released on December 7 by NIST’s National Cybersecurity Center of Excellence (NCCoE) – offers CSPs a reference model for securing their multi-tenant environments and retaining their customers’ trust. NIST cites use cases such as tenants subject to different regulations, or containers with differing security requirements that must not share a host, as examples of where the approach can help.
“The motivation behind this use case is to improve the security and accelerate the adoption of cloud computing technologies by establishing an automated, hardware root-of-trust method for enforcing and monitoring platform integrity and geolocation restrictions for cloud servers,” the document says.
At a high level, 8320A’s approach has four parts: configure each cloud server platform so that its integrity can be measured and verified from a hardware root of trust; orchestrate workload placement so that workloads run only on platforms that pass that verification; provision trusted asset tag information (such as geolocation) on each trusted platform, so the orchestrator can check a server’s asset tag against workload policy before placing anything on it; and periodically audit both the platform integrity and the asset tag to confirm that servers still meet policy after placement.
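The following Python models those four steps on constructed data. It is an added illustration for this article, not code from NIST or from the 8320A prototype: SHA-256 digests of fixed strings stand in for measured-boot values, an HMAC over the hostname and tag contents stands in for a hardware-protected asset tag, and the hostnames, tag attributes and workload policies are invented. The scheduler places a workload only on a host that passes both the integrity check and the tag check and whose tag satisfies the workload's policy; a later audit catches a host whose measurements changed after placement.

```python
"""Illustrative model of trust-based workload placement (added example,
not NIST's reference implementation). All keys, hosts and digests are
constructed for the demo."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: key held by the service that issues asset tags.
TAG_KEY = b"asset-tag-signing-key-demo"

# Constructed: known-good measurements for the approved platform build.
# In a real deployment these would be the expected measured-boot values.
KNOWN_GOOD: Dict[str, str] = {
    "firmware": hashlib.sha256(b"firmware-build-2020.11").hexdigest(),
    "kernel": hashlib.sha256(b"kernel-5.4-hardened").hexdigest(),
}


def sign_tag(hostname: str, tag: Dict[str, str]) -> str:
    """Bind a tag to one host: HMAC over hostname plus canonical tag contents.
    Stand-in for a tag protected by the platform's hardware root of trust."""
    canonical = hostname + "|" + "|".join(f"{k}={tag[k]}" for k in sorted(tag))
    return hmac.new(TAG_KEY, canonical.encode(), hashlib.sha256).hexdigest()


@dataclass
class Platform:
    hostname: str
    measurements: Dict[str, str]   # values the host reports from boot
    asset_tag: Dict[str, str]      # e.g. {"country": "US"}
    tag_signature: str


@dataclass
class Workload:
    name: str
    policy: Dict[str, str]         # attributes the host's tag must match


def verify_platform(p: Platform) -> Tuple[bool, str]:
    """Integrity check (measurements vs known-good) and asset tag check."""
    for name, expected in KNOWN_GOOD.items():
        actual = p.measurements.get(name)
        if actual is None or not hmac.compare_digest(actual, expected):
            return False, f"measurement mismatch: {name}"
    if not hmac.compare_digest(p.tag_signature, sign_tag(p.hostname, p.asset_tag)):
        return False, "asset tag signature invalid"
    return True, "trusted"


def place(workload: Workload, platforms: List[Platform]) -> Optional[str]:
    """Return the first trusted host whose tag satisfies the policy, else None."""
    for p in platforms:
        trusted, _ = verify_platform(p)
        if trusted and all(p.asset_tag.get(k) == v for k, v in workload.policy.items()):
            return p.hostname
    return None


def audit(placements: Dict[str, str], platforms: List[Platform]) -> Dict[str, str]:
    """Re-verify every host; report workloads whose host no longer passes."""
    by_name = {p.hostname: p for p in platforms}
    findings = {}
    for wl_name, host in placements.items():
        trusted, reason = verify_platform(by_name[host])
        if not trusted:
            findings[wl_name] = reason
    return findings


def make_platform(hostname: str, measurements: Dict[str, str], tag: Dict[str, str]) -> Platform:
    return Platform(hostname, measurements, tag, sign_tag(hostname, tag))


def sample_platforms() -> List[Platform]:
    """Constructed fleet: a tampered host, a host with a copied tag, two good hosts."""
    good_us = make_platform("node-us-1", dict(KNOWN_GOOD), {"country": "US"})
    good_de = make_platform("node-de-1", dict(KNOWN_GOOD), {"country": "DE"})
    tampered = make_platform(
        "node-us-2",
        {**KNOWN_GOOD, "kernel": hashlib.sha256(b"kernel-modified").hexdigest()},
        {"country": "US"},
    )
    # Tag copied from node-us-1: signature is bound to the hostname, so it fails.
    forged = Platform("node-xx-1", dict(KNOWN_GOOD), {"country": "US"}, good_us.tag_signature)
    return [tampered, forged, good_de, good_us]


def demo() -> Dict[str, str]:
    """Place two workloads, then simulate drift on one host and audit."""
    plats = sample_platforms()
    placements = {
        wl.name: place(wl, plats)
        for wl in (Workload("eu-db", {"country": "DE"}), Workload("us-app", {"country": "US"}))
    }
    # After placement, node-de-1 boots a different kernel.
    plats[2].measurements["kernel"] = hashlib.sha256(b"kernel-modified").hexdigest()
    return audit(placements, plats)


if __name__ == "__main__":
    print(demo())
```

The two failing hosts show why both checks are needed: one boots unapproved code but carries a valid tag, the other has a clean boot but a tag lifted from a different machine. The periodic audit is what turns placement-time trust into ongoing enforcement, since a host that was trusted when the workload landed can drift afterwards.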
“The ultimate goal is to be able to use ‘trust’ as a logical boundary for deploying cloud workloads on server platforms within a cloud,” the guidance states.
Comments are open until January 29.