Trusted Cloud: VMware Hybrid Cloud IaaS Environments

In cloud environments, workloads are constantly spun up, scaled out, moved around, and shut down. Organizations often conclude that adopting cloud technologies is not a sound business proposition because of the issues they encounter, such as being unable to maintain consistent security and privacy protections for information across platforms, or to gain visibility into those protections in order to demonstrate compliance with requirements.

The foundation to any data center or edge computing security strategy should be securing the physical platform where workloads will be executed. The physical platform provides the initial protections to help ensure that higher-layer security controls can be trusted.

Exploring methods to better secure cloud workloads in hybrid cloud IaaS environments

Building on previous NIST work documented in NISTIR 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation, the NCCoE is developing a trusted cloud solution that will demonstrate how trusted compute pools leveraging hardware roots of trust can provide the necessary security capabilities. These capabilities will not only provide assurance that cloud workloads are running on trusted hardware and within a trusted geolocation or logical boundary, but also will improve the protections for the data in the workloads and the data flows between workloads.

Status: Finalized Guidance

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-19: Complete Guide (PDF)
NIST SP 1800-19: Complete Guide (HTML)
NIST SP 1800-19A: Executive Summary
NIST SP 1800-19B: Approach, Architecture, and Security Characteristics

Project Abstract

A cloud workload is an abstraction of the actual instance of a functional application that is virtualized or containerized to include compute, storage, and network resources. Organizations need to be able to monitor, track, apply, and enforce their security and privacy policies on their cloud workloads based on business requirements, in a consistent, repeatable, and automated way.

The goal of this project is to develop a trusted cloud solution that will demonstrate how trusted compute pools leveraging hardware roots of trust can provide the necessary security capabilities. These capabilities not only provide assurance that cloud workloads are running on trusted hardware and within a trusted geolocation or logical boundary, but also improve the protections for the data in the workloads and in the data flows between workloads.

When complete, the example solution will leverage modern commercial off-the-shelf technology and cloud services to address a particular use case scenario: lifting and shifting a typical multi-tier application between an organization-controlled private cloud and a hybrid/public cloud over the internet.
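To make the mechanism in the abstract concrete, the following is an added illustration (not NCCoE, NIST, or VMware code) of how a measured-boot chain produces a PCR-style value that an attestation service compares against a known-good value, and how that platform-trust verdict is combined with a host asset tag (geolocation) to decide whether a workload may be placed on the host. Host names, boot component measurements, and tags are constructed sample data.

```python
"""Trusted-compute-pool placement decision (added illustration, constructed data)."""
import hashlib


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(event)). One-way and order-sensitive,
    so any changed, missing, or reordered boot component yields a different value."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot_chain(components) -> str:
    """Fold an ordered list of boot components into one PCR-style digest (hex)."""
    pcr = bytes(32)  # PCRs start zeroed at power-on
    for component in components:
        pcr = extend(pcr, component)
    return pcr.hex()


# Known-good boot chain for the reference host build (constructed values).
GOOD_CHAIN = [b"firmware v1.2", b"bootloader v3", b"hypervisor 7.0"]
KNOWN_GOOD_PCR = {measure_boot_chain(GOOD_CHAIN)}


def attestation_report(host: str, chain, country: str) -> dict:
    """Simulate what an attestation service reports for a host: its measured
    boot chain and the asset tag (here only a country) bound to the platform."""
    return {"host": host, "pcr": measure_boot_chain(chain), "asset_tag": {"country": country}}


def evaluate_placement(report: dict, allowed_countries: set) -> tuple:
    """Return (admitted, reason). The host joins the trusted pool for a workload only
    if its attested measurement is known-good AND its asset tag satisfies the
    workload's geolocation policy. Trust is checked first: a tag on an untrusted
    platform cannot be relied upon."""
    if report["pcr"] not in KNOWN_GOOD_PCR:
        return False, "platform untrusted: measurement does not match a known-good value"
    country = report["asset_tag"].get("country")
    if country not in allowed_countries:
        return False, f"geolocation policy violated: host tagged {country}"
    return True, "host admitted to trusted pool"


if __name__ == "__main__":
    tampered = [b"firmware v1.2", b"bootloader v3", b"hypervisor 7.0-modified"]
    for r in (attestation_report("host-a", GOOD_CHAIN, "US"),
              attestation_report("host-b", tampered, "US"),
              attestation_report("host-c", GOOD_CHAIN, "DE")):
        print(r["host"], evaluate_placement(r, {"US"}))
```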


Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.


Supplemental Resources

In today’s cloud data centers and edge computing, attack surfaces have significantly increased, attacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation to any data center or edge computing security strategy should be securing the platform on which data and workloads will be executed and accessed. The physical platform represents the first layer for any layered security approach and provides the initial protections to help ensure that higher-layer security controls can be trusted.

The NCCoE has developed the following additional resources to support this work.

Upon review, we recognize that some of these NIST/NCCoE publications contain potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NISTIR 8320 Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases

This report examines hardware-enabled security techniques and technologies that can improve platform security and data protection for cloud data centers and edge computing. NISTIR 8320 replaces the draft cybersecurity white paper, Hardware-Enabled Security for Server Platforms, which was released in April 2020. It has been updated to include additional capabilities and examples of technology.

NISTIR 8320A Hardware-Enabled Security: Container Platform Security Prototype

This report explains an approach based on hardware-enabled security techniques and technologies for safeguarding container deployments in multi-tenant cloud environments. It also describes a proof-of-concept implementation of the approach—a prototype—that is intended to be a blueprint or template for the general security community.

NISTIR 8320B Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms

This report explains an approach for safeguarding container deployments in multi-tenant cloud environments, as well as a prototype implementation of the approach. This approach builds on the one from NISTIR 8320A by adding container image encryption and data access policies using different technology components.

Draft NISTIR 8320C Hardware-Enabled Security: Machine Identity Management and Protection

This report presents an effective approach for overcoming security challenges associated with creating, managing, and protecting machine identities throughout their lifecycle. It describes a proof-of-concept implementation, a prototype, that addresses those challenges. The report is intended to be a blueprint or template that the general security community can use to validate and utilize the described implementation.

NISTIR 7904 Trusted Geolocation in the Cloud: Proof of Concept Implementation

This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof-of-concept implementation that was designed to address those challenges. The publication provides sufficient details so that organizations can reproduce the proof of concept if desired.
