A cloud workload is an abstraction of the actual instance of a functional application that is virtualized or containerized to include compute, storage, and network resources. Organizations need to be able to monitor, track, apply, and enforce their security and privacy policies on their cloud workloads based on business requirements, in a consistent, repeatable, and automated way.
The goal of this project is to develop a trusted cloud solution that will demonstrate how trusted compute pools leveraging hardware roots of trust can provide the necessary security capabilities. These capabilities not only provide assurance that cloud workloads are running on trusted hardware and within a trusted geolocation or logical boundary, but also improve the protections for the data in the workloads and in the data flows between workloads.
When complete, the example solution will leverage modern commercial off-the-shelf technology and cloud services to address a particular use case scenario: lifting and shifting a typical multi-tier application between an organization-controlled private cloud and a hybrid/public cloud over the internet.
Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.
In today’s cloud data centers and edge computing, attack surfaces have significantly increased, attacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation to any data center or edge computing security strategy should be securing the platform on which data and workloads will be executed and accessed. The physical platform represents the first layer for any layered security approach and provides the initial protections to help ensure that higher-layer security controls can be trusted.
The NCCoE has developed the following additional resources to support this project:
This report examines hardware-enabled security techniques and technologies that can improve platform security and data protection for cloud data centers and edge computing. NISTIR 8320 replaces the draft cybersecurity white paper, Hardware-Enabled Security for Server Platforms, which was released in April 2020. It has been updated to include additional capabilities and examples of technology.
This report explains an approach based on hardware-enabled security techniques and technologies for safeguarding container deployments in multi-tenant cloud environments. It also describes a proof-of-concept implementation of the approach—a prototype—that is intended to be a blueprint or template for the general security community.
This report explains an approach for safeguarding container deployments in multi-tenant cloud environments, as well as a prototype implementation of the approach. This approach builds on the one from NISTIR 8320A by adding container image encryption and data access policies using different technology components.
This report presents an effective approach for overcoming security challenges associated with creating, managing, and protecting machine identities throughout their lifecycle. It describes a proof-of-concept implementation, a prototype, that addresses those challenges. The report is intended to be a blueprint or template that the general security community can use to validate and utilize the described implementation.
This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof-of-concept implementation that was designed to address those challenges. The publication provides sufficient details so that organizations can reproduce the proof of concept if desired.