Cloud computing trust-based security
Trusted Computing Group, which develops industry standards for hardware-based security rooted in trust, announced an effort to extend the concept of trust to cloud-based computing. The effort will be led by the organization’s new Trusted Multi-Tenant Infrastructure work group.
TCG also has updated its IF-MAP (Metadata Access Protocol), which enables standardized data sharing among a wide variety of devices and applications, including cloud security tools.
Multi-tenant infrastructure refers to shared computing infrastructure used by unrelated tenants, and is a fundamental characteristic of cloud computing. The new work group will develop a framework for enabling trust in the cloud. Targeting vendors, providers, consumers and integrators of multi-tenant infrastructure services, the framework will:
- Help assess the trustworthiness of provider systems
- Enable real-time assessment of compliance as part of the provisioning process
- Provide implementation guidance
- Identify and address gaps in standards to enable trust.
The actual framework will consist of policies, best practices, standards and conformance criteria that will be used by product vendors and by integrators and IT users to create and evaluate multi-tenant infrastructure. TCG expects to deliver the first parts of the framework in early 2011, and it will be available free of charge.
Trusted Multi-Tenant Infrastructure work group participants include AMD, CESG (UK National Technical Authority for Information Assurance), HP, IBM, Infoblox, Juniper Networks, Microsoft, Wave Systems, and others.
Hundreds of millions of enterprise PCs and servers use the ISO-standard Trusted Platform Module, which provides a hardware root of trust and is used for authentication and to protect keys, certificates and passwords. TCG specifications also define a “chain of trust” architecture for attestation of trusted platform properties. Both will be incorporated into the new work group’s efforts.
TCG’s IF-MAP, or Metadata Access Protocol, is based on a powerful publish/subscribe model. IF-MAP is being used today to support network security applications using equipment from different vendors, and is expected to be used in cloud computing to enable real-time communication among devices including network infrastructure devices and servers. It also has been used to integrate physical security devices, supervisory control and data acquisition (SCADA) networks and unified communications platforms.
The updated IF-MAP specification, version 2.0, adds new capabilities to the powerful publish/subscribe client/server protocol, designed to make IF-MAP more directly compatible with existing, vendor-specific approaches. The new specification also makes it easier and faster for different industry groups to use the IF-MAP protocol by separating the base protocol from the metadata definitions that standardize how different types of information are represented.
The first such metadata specification, released along with version 2.0 of the IF-MAP base protocol, addresses network security, and covers a wide range of elements such as user identities, devices, network addresses, threats, events, and others. Other industry groups can use the flexible IF-MAP framework to define and ultimately standardize metadata for other cases, including factory automation, building automation, cloud computing, smart grid, and others.