Why You Should Read This Document

This guide provides an introduction to how Intel security technologies work together at key enforcement points throughout the cloud, including usage cases that take advantage of:

• Hardware-based and software technologies that use cryptography to protect data and secure connections

• Hardware-based technologies to strengthen identity and access management and secure clients that access the cloud

• API-level controls via a service gateway to protect edge systems and applications

• Trusted compute pools to validate platform integrity and provide data to security information and event manager (SIEM) and governance, risk management, and compliance (GRC) dashboards for auditing and compliance purposes

Real-World Guide

Intel Security Technology for the Cloud How IT Managers Can Protect Data and Infrastructure and Meet Compliance Demands

NOVEMBER 2012

NOVEMBER 2012

Real-World Guide

Intel Security Technology for the Cloud How IT Managers Can Protect Data and Infrastructure and Meet Compliance Demands

Contents 3 Introduction: The Cloud Security Landscape 2012

5 Protecting Data—in Motion, in Process, and at Rest • Cryptography for Data Protection

7 Securing Infrastructure—for Clients, at the Edge, and in Data Centers • Identity and Access Management to Secure Clients

• Service Gateways for API-Level Controls

• Trusted Compute Pools to Establish Trust

11 Security Compliance in the Cloud • Automating Compliance Built on Trusted Compute Pools

13 Next Steps: Cloud Security Considerations Checklist

14 Intel Resources for Learning More

17 Endnotes

3 Intel IT Center Real-World Guide | Cloud Security

Introduction: The Cloud Security Landscape 2012

As cloud adoption continues, so does the evolution of data center infrastructure, best practices, and tools and technologies to strengthen cloud environments and help organizations realize greater agility and cost savings in more and more use cases. According to Gartner, by 2015 the majority of IT departments will be using private or hybrid clouds.1 Yet for many organizations, especially those with sensitive data and workloads or highly regulated environments, gaining fullbenefitsfromthecloudispartlylimitedbysecurityconcerns.

Security is a big priority for Intel. Our own research backs up what other surveys and analyst predictions have determined. We know that IT organizations worry about cloud security. We even have a goodideaofwhatspecificsecurityconcernsareontheirminds.2 And we know what IT wants the industry to do in order for them to gain confidenceincloudsecurity.Intel’sattentionhasbeenfocusedonthisspecificareaforsometime.

Proven Security Reference Architectures: Intel® Cloud Builders Our Intel® Cloud Builders program provides proven, tested cloud security reference architectures based on real-world IT requirements. They give detailed instructions on how to install and configure a particular cloud solution using Intel® Xeon® processor-based servers and other Intel and Intel partner technologies. Intel Cloud Builders also provides education and an online forum for discussion of technical issues.

4 Intel IT Center Real-World Guide | Cloud Security

Cloud Security ChallengesCloud environments bring new security challenges.

•Less control. The dynamic environment of the cloud extends the perimeter of the enterprise beyond the data center, making it more difficulttoenforcesecuritycontrols.

•Lack of visibility. Clouds lack transparency, making the environment difficulttoauditforproofofcompliancetosecurityregulations.

•Virtualization. The growing use of virtual machines (VMs) aggregates the security risks of various application components and services onto a single physical server platform.

•Multitenancy. Shared technology, such as CPU caches, graphics processing units (GPUs), disk partitions, memory, and other components, were never designed for strong compartmentalization, and compromise of the hypervisor can in turn potentially compromise shared physical resources.

•Data location. Safeguarding data and attesting to its location is a huge issue worldwide. For example, European Union (EU) regulations require certain data to remain only in the EU.

•Public clouds. Boundaries between the data center and cloud providers are blurred in public clouds, creating third-party dependencies for data protection.

• Secured infrastructure. Stealthy attacks on data center infrastructurearedifficulttodetectwithtraditionalantivirusproducts, and cybercriminals use rootkit attacks to infect system components such as hypervisors, BIOS, and operating systems and can hide malware that operates in the background and spreads throughout a cloud environment.

•Mobile access. Bring Your Own Device (BYOD) programs are driving containerization of applications through hardware and operating system functions.

•Auditing to meet compliance requirements. The demand for compliance to regulations is often a growing cost for companies. Commonly cited examples of government acts with security enforcement requirements include the Federal Risk and Authorization Management Program (FedRAMP) in the United States and the Data Protection Act in the United Kingdom, as well as standards such as the Payment Card Industry (PCI) Security Standards. To comply, organizations need to be able to monitor and attest that security policies are being set and enforced.

Increased Risk from Platform AttacksOne other item—not on the above list but critically important to understand—is the growing trend for platform attacks. Cybercriminals are expanding their attack targets from just software to sophisticated attacks on the platform itself. Stealth and control are the objectives of these attacks. Organizations are facing greater risks of losing sensitive data and intellectual property, leading to expensive liability and loss of reputation. Shared technology, the aggregation of various application components and services onto a single physical server platform in the cloud, and the expectation of ubiquitous access via a variety of endpoint devices make the cloud an inviting playground for attacks on both data and infrastructure.

The Purpose of This Real-World GuideThis document is part of the “real-world guide” series from the Intel® IT Center.ItspurposeistomakeiteasyforyoutounderstandhowIntel’svarious security technologies work together to provide security at key enforcementpointsthroughoutthecloud.We’llstepthroughspecificusage models that address the challenges analysts and other experts haveidentifiedasthemostimportantforcloudsecurityandprovidedetails on how the technologies work. These usage models apply to private and public clouds, and we provide perspectives on the data center, edge systems, and endpoint devices that access the cloud.

The usage models in this guide fall into three areas:

•Protectingdata—inmotion,inprocess,andatrest

•Securinginfrastructure—forclients,attheedge,andindatacenters

•Securitycomplianceinthecloud

5 Intel IT Center Real-World Guide | Cloud Security

Data protection is a fundamental security concern for cloud computing, where personal or business-critical information moves beyond the traditional boundaries of the data center. This section covers the usage model Cryptography for Data Protection.

Cryptography for Data ProtectionYou can safeguard data as it moves throughout the cloud, minimizing vulnerabilities with cryptography to encrypt data and establish secure connections for data transfer.

What You Need to KnowCryptography has long been recognized as a best practice for protecting data through encryption. Encryption renders data useless in the event that it is leaked or stolen. However, encryption and decryption (making the data useful again) come with a “penalty tax”—the process uses complex algorithms to protect the data, which can slow down performance.

Clouds also use cryptographic protocols to secure browser access to the user portal and transfer encrypted data. Security protocols Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are used to assure safe communications over networks and are widely used for applications such as secure web browsing (HTTPS). When moving encrypted data through connections, performance can be affected.

Intel Security Technology Role Call •IntelAdvancedEncryptionStandardNewInstructions(IntelAES-NI)

•OpenSSL*libraryenhancements -Intel’sRSAX -Intel’sFunctionStitching

Why This Is ImportantIntel AES-NI delivers faster, more affordable data protection, making pervasive encryption possible with workloads where it was previously unfeasible.Intel’senhancementstoOpenSSLprovidefast,secureconnections that transfer encrypted data securely while virtually eliminating performance issues. Combined, Intel AES-NI and the OpenSSLenhancementsdeliversignificantperformancegains.

Protecting Data—in Motion, in Process, and at Rest

How Intel® AES-NI and OpenSSL* WorkIntel AES-NI

Intel AES-NI3providesperformancebenefitsthatmakeencryptionfasterandmoreefficientfordatatransportandstorageworkloads.Intel AES-NI also provides strengthening against side-channel attacks by performing decryption and encryption completely in the hardware without the need for software lookup tables. This is an increasingly critical capability in shared technology environments like the cloud, where multiple workloads could have visibility into subsystems used in computing encryption routines.

Intel AES-NI increases encryption speed via a set of seven new instructions that accelerate parts of the AES4 algorithm encryption and decryption execution. Intel AES-NI can accelerate performance up to 10 times faster than a software-only AES solution, making encryptionpractical,stronger,andmoreefficient.Ontheothersideof the process, Intel AES-NI decrypts data up to 33 times faster.5,6

The new AES-NI instruction set executes several compute-intensive partsoftheAESalgorithmusingsignificantlyfewerclockcyclesthan a software solution. Four of the new instructions accelerate the encryption/decryption of a round, and two new instructions generate round keys. The seventh helps in carry-less multiplication, which accelerates applications doing block cipher encryption.

Intel AES-NI can be used in any of the growing set of optimized applications that use the AES standard, including network, disk, andfileencryptionsolutions.Awiderangeofleadingsoftwaresolutions take advantage of Intel AES-NI to secure transactions. For a complete list of applications, visit Intel AES-NI Ecosystem Update.

Intel AES-NI is available on Intel® Xeon® processors, Intel® Core™ vPro™ processors7, select Intel® Core™ processors, and in all Ultrabook™ devices.

Find out more about Intel AES-NI.

6 Intel IT Center Real-World Guide | Cloud Security

Intel OpenSSL Enhancements

The SSL and TLS protocols involve two compute-intensive phases—session initiation and bulk data transfer. Intel works closely with OpenSSL, a popular open-source, multiplatform security library. OpenSSL can be used to secure web transactions through servicessuchasGmail*,e-commerce,andFacebook*tosafeguardconnections on Intel architecture.

Intel has contributed to two advanced library functions that optimize implementations of cryptographic communications functions for both session initiation and bulk data transfer phases:

• Intel’s RSAX. RSAX is a unique implementation of the popular RSA algorithm (RSA-1024 bit implementation) that produces significantlybetterperformancethanpreviousOpenSSLimplementations. The standard approaches to executing the RSA algorithm involve a series of computation-heavy steps—a series of squaring or multiplication steps, each followed by a reduction step. The Intel enhancement to the RSAX implementation features a reduction method based on folding, coupled with an extensively optimizedkey-size-specificassemblerimplementation. RSAX can accelerate the time to initiate an SSL session by up to 1.5 times8, providing a better user experience and increasing the number of simultaneous sessions your server can handle.

• Intel’s Function Stitching: Bulk data buffers use two algorithms for encryption and authentication. Rather than encrypting and authenticatingdataserially,Intel’sFunctionStitchinginterleavesinstructions from these two algorithms, executing them simultaneously. This better utilizes execution resources and improves bulk data buffer performance because execution units that would otherwise be idle when executing a single algorithm—due to either data dependencies or instruction latencies—can be used to execute instructions from the other algorithm, and vice versa. Combined with RSAX and Intel AES-NI, Function Stitching can result in up to 4.8 times performance improvement for secure web servers.9

OpenSSLiscertifiedforFIPS140-2,acomputersecuritystandarddeveloped by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP). Any software that uses OpenSSL can automatically take advantage of these Intel advancements.

Bits and Pieces Intel cryptography technologies accelerate encryption-related tasks:

With Intel® AES-NI: Encryption is up to 10 times faster.6

WithIntel’sOpenSSL*enhancements:

•Intel’sRSAXcanacceleratethetimetoinitiateanSSLsession by up to 1.5 times.8

•Intel’sFunctionStitchingcanresultinupto4.8timesperformance improvement for secure web servers when combined with RSAX and Intel AES-NI.9

More about Intel Data Protection Technologies

7 Intel IT Center Real-World Guide | Cloud Security

The trend for cybercriminals to target the platform and infrastructure with stealthy threats such as rootkit attacks and other stealthy attacksisincreasing.Thesethreatsaredifficulttodetectwithtraditional antivirus products. For example, rootkit attacks infect system components such as hypervisors, BIOS, and operating systems and can hide in the background and spread through a cloud environment. This section includes three usage models for securing infrastructure against these attacks at three key enforcement points:

•IdentityandAccessManagementtoSecureClients •ServiceGatewaysforAPI-LevelControls •TrustedComputePoolstoEstablishTrust

Identity and Access Management to Secure ClientsWhat You Need to KnowBusiness users typically have 12 user names and password pairs. Keeping them straight often leads to poor security practices, such as choosing easy-to-remember, potentially weak passwords or writing them down where they can be easily compromised. Accountorservicehijackingisoneofthetopthreatsidentifiedbythe Cloud Security Alliance10 and provides a channel for attacks on data and infrastructure.

Why This Is ImportantTo counter these practices, cloud environments need more sophisticated identity and access management policies that protect against unauthorized users, including strong authentication, audit capabilities, and integrity checking of endpoint devices.

Intel Security Technology Role Call •IntelIdentityProtectionTechnology(IntelIPT)11

How Intel IPT Works Intel IPT builds tamper-resistant, two-factor authentication directly into PCs based on Intel processors.

Intel IPT provides two ways to protect web site and network access points by validating legitimate users logging in from a trusted platform.

Securing Infrastructure—for Clients, at the Edge, and in Data Centers

• Intel IPT with OTP. Two-factor authentication using a one-time password (OTP) combines a user name and password combination with an additional one-time credential in the form of a six-digit number. This six-digit number is available on demand and valid only for a brief period of time. In the case of Intel IPT, token generation is built into the hardware, eliminating the need for a separate physical token. The six-digit number is generated every 30 seconds from an embedded processor or the Manageability Engine (ME) on the computer motherboard. The ME is a controlled area of the chipset and tamper-proof. Plus, it operates in isolation from the operating system for added security. Algorithms developed by independent software vendors and Intel partners such as McAfee, Symantec, and Vasco run in the ME, performing the operations that link the computer to a validated site and ensuring strong authentication. Availability: IPT with OTP is available in select 2nd gen Intel Core processor-based PCs, 3rd generation Intel Core vPro processors, and all Ultrabook devices.

• IPT with PKI. Enterprises already using public key infrastructure (PKI) to protect their access points can strengthen authentication withIntelIPTwithPKI.PKIisasystemofdigitalcertificates,certificateauthorities,andotherregisteredauthoritiesthatverifyand authenticate the validity of each partner involved in logging on to your network via VPN for e-mail encryption, digital signature, WiFi network access, or software as a service (SaaS) applications. SimilartotheOTPcredential,IntelIPTembedsaPKIcertificateinthe chipset to authenticate the user and server to each other and to encrypt and digitally sign documents. By providing hardware-based security, Intel IPT with PKI offers a greater level of security and eliminates the additional cost of supporting traditional smart card or token storage options. Availability: IPT with PKI is available in select 2nd gen Intel Core processor-based PCs, 3rd generation Intel Core vPro processors, and all Ultrabook devices.

8 Intel IT Center Real-World Guide | Cloud Security

Intel IPT offers a third additional hardware-based technology that complements either OTP or PKI technologies to further secure transactions from malware attacks:

•Intel IPT with PTD. Intel IPT provides protected transaction display (PTD) capabilities that enable PCs to display and collect user transaction information while protecting against attack. Encrypted I/O technology runs below the operating system to prevent tampering. Because the display screen is part of the processor’sintegratedgraphics,itnevergetsexposedtothesoftware layer—only the user in front of the screen. Users input asecurepersonalidentificationnumber(PIN),generatedbythegraphics hardware using mouse clicks, which is invisible to the operating system. This enables businesses and web sites to confirmuserpresence,verifytransactions,andprotectPCdisplaysfrom screen scraping and keyloggers.

Availability: Intel IPT with PTD is available with 3rd generation Intel Core vPro processors and all Ultrabook devices.

Find out more about Intel IPT.

Service Gateways for API-Level Controls What You Need to KnowAPIs—where cloud communication between applications is orchestrated—are increasingly exposed to third parties and mobile requests, driving the need for greater application-level security. APIs are subject to attacks such as malicious code injections, denial-of-service attacks, service information leakage, data snooping, and more. API gateways, or “service gateways,” are becoming increasingly important as a way to securely scale consumption of cloud services. They offer a centralized way for IT and developer teams to collaborate on how security policy is created and enforced for the cloud.

Why This Is ImportantAPI-level controls provide a measure of protection for departmental and edge system infrastructure and reduce the risk of attack on applications.

Intel Security Role Call•IntelExpresswayServiceGateway(IntelESG)

How Intel ESG WorksIntel ESG is a highly scalable software appliance that provides a single pointofentryandcontrolforallAPItraffic,regardlessofprotocol

or deployment. As such, it enables IT to develop a standards-based policy enforcement point at a network edge.

Thefirstpointofcontacttoclouddatacenterinfrastructuregoesthrough Intel ESG as a proxy. This is in contrast to custom coding management for each API within every application, which does not scale in cloud environments with hundreds of application endpoints and disparate developer teams. Common protocols include representational state transfer (REST), simple object access protocol (SOAP),JavaScript*objectnotation(JSON),oranylegacyprotocolsuchas electronic data interchange (EDI).

The service gateway authenticates APIs at the network edge against existing enterprise identity and access management systems, as well as middleware and auditing and monitoring infrastructure. Intel ESG supports 0Auth 2.0, which is emerging as the standard authentication and authorization method for RESTful web services and APIs.

Intel ESG enables you to control how APIs are exposed and consumed withauditing,logging,andmetering.Itcanalsoaccelerateoffloadfunctionssuchasprotocolbridging,encryption,andspecificformatconversions for regulated applications, such as the Healthcare Insurance Portability and Accountability Act (HIPAA).

A specialized PCI Data Security Standard (PCI DSS) compliance version of the service gateway is available for use in certain industries. Intel Expressway Tokenization Broker delivers compliance for managing credit card primary account number (PAN) data and personally identifiableinformationsuchasmedicalrecordsbytokenizingdata,stripping out sensitive information, and encrypting data.

Find out more about Intel Cloud Identity and API Security.

More about API Controls

9 Intel IT Center Real-World Guide | Cloud Security

Trusted Compute Pools to Establish TrustWhat You Need to KnowCloud computing has elastic boundaries that can push the perimeter of the enterprise far beyond the data center. Traditional approaches toprotectingdataandplatform—firewalls,physicalseparation,andisolation—can’tworkeffectivelyinthecloud.

Why This Is ImportantEstablishing trust at the hardware level can make platforms more resistant to software attacks. Trusted compute pools that aggregate a group of servers under a single set of security policies can validate platform integrity of cloud infrastructure and provide data for auditing and compliance purposes to security and information event management (SIEM) and governance, risk, and compliance (GRC) dashboards.

With trusted compute pools, administrators can make decisions about how much to expose data and workloads, prove that host software is good through integrity checking, and respond quickly to attacks and minimize damage. Trusted compute pools are an important part of cloud security practices—in your own private cloud, but also as part of the data center operations and security provided by cloud service providers.

Intel Security Role Call•IntelTrustedExecutionTechnology(IntelTXT) •IntelVirtualizationTechnology(IntelVT) •IntelVirtualizationTechnologyFlexMigration(IntelVTFlexMigration)

How These Technologies WorkIntel TXT12 is found in Intel Xeon processors and uses the processor, chipset, and third-party Trusted Platform Modules (TPMs) to better resist software attacks and to make platforms more robust. Intel TXT increases protection by allowing greater control of the launch stack through a measured launch environment (MLE) and enabling isolation in the boot process.

Intel TXT also extends the Virtual Machine Extensions (VMX) environment of Intel VT13,permittingaverifiablysecureinstallation,launch, and use of a hypervisor or operating system. This enforces application and data isolation on the system, reduces the attack surfaces of shared environments, and protects against unauthorized direct memory accesses (DMAs).

Intel TXT establishes trust by establishing a root of trust, verifying launch, enabling trusted compute pools in virtualized and cloud environments, and supporting compliance.

•Root of trust. Intel TXT makes an initial measurement of the pre-operatingsystemenvironmentandestablishesaserver’sbeginning“known good state” or root of trust. This root of trust provides the necessary underpinnings for successful evaluation of the computing platform and its protection. A hardware-based root of trust is extremelydifficulttodefeatorsubvertandprovidesanexcellentfoundation against increasingly sophisticated malware attacks. The root of trust extends a chain of trust through critical controlling softwarelayers,includingmeasuredfirmware,BIOS,andhypervisorvirtualization. Intel TXT stores this root of trust in the TPM to be read by the hypervisor for future comparison and evaluation.

More about Establishing Trust

10 Intel IT Center Real-World Guide | Cloud Security

•Launch verification. Intel TXT checks the hypervisor integrity at start-up, measuring the code of the hypervisor and comparing it to a known good value. Launch can be blocked if the measurements do not match, stopping the launch of unrecognized software and enforcingknowngoodlaunch-timeconfigurations.

• Trusted compute pools. Groups of servers each running Intel TXT and aggregated under the same set of security policies are called trusted compute pools. In this environment, launch integrity data can be used to provide a useful control point for virtualized workloads. For example, you can establish and enforce policies definingthatcriticalworkloadsorsensitivedatabedeployedonly onto trusted platforms. Once a known good environment is validated, Intel VT FlexMigration can safely migrate live VMs. Trusted compute pools substantially reduce the security risks of using remote or virtualized infrastructure by preventing a compromised VM from one physical host from compromising another.

•Compliance monitoring. Integrity-checking data provided by Intel TXT is available for audit purposes and can be used with GRC or SIEM dashboards for further reporting on the controls in place in your IT or cloud environment.

Get more about Intel TXT.

Bits and Pieces IT managers worry about infrastructure vulnerabilities—particularly in public clouds. In a recent Intel survey:

•Almost60percentareeitherextremelyorveryconcernedaboutthesecurityoftheprovider’sinfrastructurewhenasked about outsourcing to a cloud service provider.

•Morethantwo-thirdsofthatgroupworryspecificallyabout rootkit hypervisor attacks or other attacks on the cloud server environment.

•Thegoodnews:78percentbelievethathardware-basedmeasures can deliver a higher level of security.

Source: Peer Research: Cloud Security Insights for IT Strategic Planning. Intel (September 2011). intel.com/content/dam/www/public/us/en/swf/pdfview/it-center/cloud-security/peer-research/applt

Protected VM Migration Trusted pools prevent a compromised virtual machine (VM) from one physical host from compromising another host.

VM1a VM2a

App

Hypervisor

Hardware

App

OS OS

VM1b VM2b

App

Hypervisor

Hardware

App

OS OS

VM3a VM3b

App

Hypervisor

Hardware

App

OS OS

11 Intel IT Center Real-World Guide | Cloud Security

The regulatory environment is becoming increasingly more complex. Complying with requirements for keeping systems and data secure continues to be a major cost consideration for companies. This section includes a usage model for automating compliance built on trusted compute pools.

Automating Compliance Built on Trusted Compute PoolsWhat You Need to KnowThepenaltiesfornoncompliancecanbesignificant.Plus,today’scloud auditing processes are highly manual—requiring substantial effort and cost. Trusted compute pools can provide the foundation for automating security compliance in the cloud-virtualized environment from the hardware up through the hypervisor, cloud orchestration,policymanagement,andreportingandverificationlayers. By automating security audits and compliance, both the cost andrisktoorganizationscanbesignificantlyreduced.

Intel is working with leading providers at each layer of the security stacktocreateproven,testedsolutions.Thefirstofthesewillbeavailable in late 2012.

Why This Is ImportantChecking that various security controls are in place and executing can be automated, as can gathering the incidents and responses these controls report. This information provides the visibility required to assess compliance to security requirements.

Trusted compute pools can provide the foundation for building improved security compliance capabilities in private, hybrid, and public cloudenvironmentswithassurancesrootedinhardwareandverifiableup through the hypervisor, cloud orchestration, policy management, and reporting layers. Compliance solutions can leverage trusted compute pools to provide visibility into security enforcement in the cloud virtualized infrastructure. This level of transparency and auditability is especially important in hybrid and public clouds, where organizations must rely on assurances supplied by their cloud service providers.

Security Compliance in the Cloud

Intel® Cloud Finder Intel® Cloud Finder is a registry of service providers that useInteltechnologyandcanhelpyoufindcloudservicesproviders who meet key criteria for high-performance cloud solutions in security and other technology categories. Key security criteria include:

•Accesscontrol •Auditability •Regulatorystandardsandcompliance •Hardwareinfrastructure

Visit Intel Cloud Finder at intelcloudfinder.com.

12 Intel IT Center Real-World Guide | Cloud Security

More about Trusted Compute Pools

Intel Security Role Call•IntelTXT•Softwaresolutionsbuilttoutilizetrustedcomputepoolsrunning

Intel TXT

How These Technologies WorkIntel TXT12provideslaunch-timeverificationthataspecificphysicalserver boots cleanly against a prescribed launch environment signature and can be trusted—for instance, a machine that has verifiedintegrityandisknowntoberunningtheexpectedoperatingenvironment. Virtualization and cloud management software that can identify these “known good” systems can then assign sensitive workloads and data to these systems more selectively. Intel TXT can also make the results of its integrity checks available to policy management and SIEM and GRC solutions for audit and security management purposes.

Here’showIntelTXTworksthroughoutthepossiblelayersofdefinedsolutionstackstoestablishtrustandverifyadherencetosecurity standards:

•Hypervisor software: The hypervisor invokes Intel TXT to make a launch-time measurement. These results are used to validate aserver’sknowngoodstatus.Thehypervisorcanthensecurelyshare this information with other layers of the software solution stack, so that they can create, monitor, and use trusted compute pools.VMware*vSphere*isanexampleofaleadinghypervisorthat incorporates the robust features supporting Intel TXT.

•Cloud orchestration software: This software sits above the hypervisor and manages operations and resources across various hypervisors, thus managing the virtualized data center. Depending on the implementation, this layer may be used to create trusted compute pools.

• Security policy management software: In this layer, software can set policies that dictate how trusted compute pools will be used—for example, restricting or allowing VM, sensitive workload, ordatamigrationbasedonplatformsecurityortrustprofiles.Depending on the implementation, this layer may also create trusted compute pools. Various policy engines also may specialize inthecompliancerequirementsforspecificbusinessverticalswithbuilt-in policy templates to help implementation.

•Security information and event management (SIEM) software: SIEM software creates a general security control point that aggregates the event and information reports from various security applications and activities into a database that can be queried—including the status of trusted compute pools.

•Governance, risk management, and compliance (GRC) software: GRCsoftwareproducesspecificauditandcompliancereports,often utilizing the information gathered by an SIEM solution. Administratorscanusethisinformationtocreateneworrefineexisting polices for use by the policy engine. The GRC software may also query the infrastructure to make sure policies are active and in place. Again, various solutions may specialize in the compliancerequirementsforspecificbusinessverticalswithbuilt-inpolicy templates to help implementation.

13 Intel IT Center Real-World Guide | Cloud Security

Security should be part of your planning for a cloud, whether you are building an internal private cloud or outsourcing some or all of your workloads to a public cloud provider. Intel has developed resources to help you build security into your cloud environment, including planning guides, white papers, and reference architectures. Use this checklist to help you identify potential vulnerabilities to inform your security practices.

Threat AssessmentIsyourdatacenterunderincreasingattackfrommalwareand

other cyberthreats?

Haveyoueverexperiencedaseriousbreach?

Haveyouresistedmovingsensitiveworkloadstothecloudbecause of security concerns?

Data ProtectionHowmuchofyourdataisencrypted?

Isyourencryptionsolutionsoftware-only?

Wouldyouliketoincreaseyouruseofencryption,butyouworry about performance?

Howareconnectionsthattransferencrypteddatasecured?

Next Steps: Cloud Security Considerations Checklist

Infrastructure ProtectionWhatcloudaccessandidentitymanagementcontrolsare

in place?

Doesinfrastructureincludesecuritybuiltintothehardware?

Howisidentitymanagedandauthenticated?

Istwo-factorauthenticationutilized?

DoyouhaveaservicegatewayinplacetoenforceAPIsecurity?

Canyouvalidatetheintegrityoftheserverplatform?

Canyoursystemsestablisharootoftrust?

Doyoumanageatrustedplatformofpooledresourcesforvirtualized and other shared services?

ComplianceCanyoudemonstratesecuritypolicyenforcementtocomply

with regulatory demands for your industry?

Howareattacksmonitoredanddocumented?

14 Intel IT Center Real-World Guide | Cloud Security

Intel Resources for Learning More

About Data Protection Technologies

About Infrastructure Protection Technologies

Secure Cloud with High Performing Intel Data Protection Technologies This video animation features cryptographic technologies from Intel that accelerate data encryption and the communication of encrypted data via secure connections, including Intel AES-NI and Intel enhancements to the OpenSSL security library. (Length: 3:34 min.) youtube.com/watch?v=I0ALeQjS7FA&feature=youtu.be

Improving OpenSSL Performance Inthiswhitepaper,IntelarchitectsdescribeIntel’senhancementstoOpenSSLandtheperformancegainsassociatedwithusingthemtosecureconnectionsforencrypteddatatraffic. http://download.intel.com/design/intarch/papers/326232.pdf

Securing the Enterprise with Intel® AES-NI This white paper describes the seven new instructions built into Intel AES-NI that can accelerate encryption, as well as examining several usage models: secure transactions, enterprise applications, and full-disk encryption. intel.com/content/dam/doc/white-paper/enterprise-security-aes-ni-white-paper.pdf

Enhancing Security with Intel® Trusted Execution Technology Thisanimationdescribesthesecurityissuesfacingtoday’sdatacentersanddescribeshowIntelTXTcanprovide hardware-based protection for clients and data center infrastructure in virtualized environments. (Length: 4:04 min.) intel.com/content/www/us/en/cloud-computing/cloud-computing-enhancing-server-cloud-security-brief.html

Intel® Expressway Service Gateway This product brief describes the capabilities and features offered by Intel ESG. http://info.intel.com/rs/intel/images/Intel_ServiceGateway_Data_Sheet.pdf

[Intel] Service Gateway Animation Overview This video animation demonstrates how Intel Expressway Service Gateway protects APIs from attack by integrating, mediating, securing, and dynamically scaling services for control at the network edge. (Length: 2:34 min.) http://software.intel.com/en-us/articles/service-gateway-animated-overview/

Intel® Trusted Execution Technology This white paper describes how IT can use Intel TXT as a powerful, hardware-based building block to secure IT solutions by addressing security threats to physical and virtualized infrastructure. intel.com/content/www/us/en/trusted-execution-technology/trusted-execution-technology-security-paper.html

15 Intel IT Center Real-World Guide | Cloud Security

Intel Cloud Computing Ecosystem

Intel® Cloud Builders: Proven Guidance to Build and Optimize Cloud Infrastructure This landing page provides access to resources provided as part of Intel Cloud Builders, a cross-industry initiativetobuildmoresimplified,secure,andefficientcloudinfrastructure.IntelCloudBuildersprovidesbest practices, an online forum to discuss technical issues, and a wide portfolio of proven reference architecture solutions from a broad range of leading systems and solutions providers. intel.com/content/www/us/en/cloud-computing/cloud-builders-provide-proven-advice.html

Intel® Cloud Finder Intel Cloud Finder is an online resource to help you identify and locate cloud service providers that will meet your needs—including security. This landing page provides access to a detailed search tool, a quick search, and guidance for choosing a cloud provider. intelcloudfinder.com/

Cloud Computing Infrastructure: Cloud Builders Reference Architecture Library Explore proven cloud-building reference architectures developed by leading systems and solutions providerstohelpsolvekeyITchallenges,improvesecurityandefficiency,andsimplifyyourdatacenter. Each reference architecture in this online library is based on real-world IT requirements and providesdetailedinstructionforhowtoinstallandconfigureaparticularcloudsolutionusingIntelXeonprocessor-based servers and technologies. intelcloudbuilders.com/library

16 Intel IT Center Real-World Guide | Cloud Security

Open Data Center AllianceSM Usage: Provider Assurance Rev. 1.1 Thisusagemodeldocumentoutlinesthegranularspecificationneededfromeverysolutionproviderto enable security in multitenant shared infrastructure. It uses a tiered model of gold, silver, bronze, andplatinumclassificationsfordifferentiationofservicedeliverytoenablecompetitiveofferingswithtrade-off features. There are implications at each level of stringency, with a standard way of determining where every cloud provider stands. opendatacenteralliance.org/docs/ODCA_ProviderAssurance_Rev.%201.1_Final.pdf

Security Guidance for Critical Areas of Focus in Cloud Computing, v3.0 This Cloud Security Alliance (CSA) guide contains in-depth information to help you conduct a risk assessment of initial cloud risks and make informed decisions about how you can adopt cloud computing services and technologies. In addition to general guidance, the document covers 14 critical domains, including cloud computing architecture; governance and enterprise risk management; legal contracts and electronic discovery; compliance and audit management; information management and data security; interoperability and portability; traditional security, business continuity, and disaster recovery; data center operations; incident response; application security; encryption and key management; identity and access management; virtualization; and security as a service. https://cloudsecurityalliance.org/research/security-guidance/

Top Threats to Cloud Computing, v1.0 This CSA 2010 report catalogs best practices for managing seven threats in the cloud environment. It is designed to provide organizations with needed context to assist them in making informed risk-managementdecisionsbasedontheirspecificclouddeploymentstrategies. https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

Additional Resources

17 Intel IT Center Real-World Guide | Cloud Security

Endnotes

1 The Road Map from Virtualization to Cloud Computing. Gartner RAS Core Research Note G00210845 (March 2011). RV2A811182011. http://research.pcworld.com/content14839.

2 What’s Holding Back the Cloud? Intel Survey on Increasing IT Professionals’ Confidence in Cloud Security. Intel (May 2012) . intel.com/content/www/us/en/cloud-computing/whats-holding-back-the-cloud-peer-research-report.html

3 Intel AES-NI requires a computer system with an AES-NI–enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on Intel Xeon processors, Intel Core i5-600 Desktop Processor Series, Intel Core i7-600 Mobile Processor Series, and Intel Core i5-500 Mobile Processor Series. For availability, consult your reseller or system manufacturer. For more information, see intel.com/content/www/us/en/architecture-and-technology/advanced-encryption-standard--aes-/data-protection-aes-general-technology.html.

4TheAdvancedEncryptionStandard(AES)isanencryptionstandardfirstadoptedbytheU.S.governmentin2001.Itiswidelyusedtoprotectnetworktraffic,personaldata,andcorporateITinfrastructures.

5 Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance testssuchasSYSmark*andMobileMark*aremeasuredusingspecificcomputersystems,components,software,operations,andfunctions.Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.

6Source:TestingwithOracle*DatabaseEnterpriseEdition11.2.0.2withTransparentDataEncryption(TDE)AES-256showsasmuchasa10x speedup when inserting 1 million rows 30 times into an empty table on the Intel Xeon processor X5680 (3.33 GHz, 36 MB RAM) using Intel IPP routines, compared with the Intel Xeon processor X5560 (2.93 GHz, 36 MB RAM) without Intel IPP.

7 Intel vPro technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configurationofyourhardware,software,andITenvironment.Tolearnmore,visitintel.com/technology/vpro.

8 Up to 1.55x acceleration of time to initiate an SSL session per published white paper Improving OpenSSL Performance. Intel (October 2011). http://download.intel.com/design/intarch/papers/326232.pdf

9 Up to 4.8x performance improvement for secure web servers when combined with Intel AES-NI and RSAX per published white paper Improving OpenSSL Performance. Intel (October 2011). http://download.intel.com/design/intarch/papers/326232.pdf

18 Intel IT Center Real-World Guide | Cloud Security

10 Top Threats to Cloud Computing, v1.0. Cloud Security Alliance (2010). https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

11 No system can provide absolute security under all conditions. Requires an Intel Identity Protection Technology–enabled system, including a 2nd genor3rdgenIntelCoreprocessor,anenabledchipset,firmware,software,andaparticipatingwebsite.Consultyoursystemmanufacturer.Intel assumes no liability for lost or stolen data or systems or any resulting damages. For more information, visit http://ipt.intel.com.

12 No computer system can provide absolute security under all conditions. Intel Trusted Execution Technology (Intel TXT) requires a computer system with Intel Virtualization Technology, an Intel TXT–enabled processor and BIOS, a chipset, Authenticated Code Modules, and an Intel TXT–compatible measured launched environment (MLE). Intel TXT also requires the system to contain a TPM v1.s. For more information, visit intel.com/technology/security.

13 Intel Virtualization Technology (Intel VT) requires a computer system with an enabled Intel processor and BIOS and a virtual machine monitor (VMM).Functionality,performance,orotherbenefitswillvarydependingonhardwareandsoftwareconfigurations.Softwareapplicationsmaynot be compatible with all operating systems. Consult your PC manufacturer. For more information, visit intel.com/go/virtualization.

Sponsors of Tomorrow.™Sponsors of Tomorrow.™

This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY

OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY

PROPOSAL, SPECIFICATION, OR SAMPLE. Intel disclaims all liability, including liability for infringement of any property rights, relating to use of this

information. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein.

Copyright © 2012 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Core, Intel Sponsors of Tomorrow., the Intel Sponsors of Tomorrow. logo,

Intel vPro, Ultrabook, and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries.

*Othernamesandbrandsmaybeclaimedasthepropertyofothers.

Active Directory is a registered trademark of Microsoft Corporation in the United States and/or other countries.

OracleandJavaScriptareregisteredtrademarksofOracleand/oritsaffiliates.

1112/RF/ME/PDF-USA 327973-001

Share with Colleagues

More from the Intel® IT Center Real-World Guide: Intel Security Technology for the CloudisbroughttoyoubytheIntel®ITCenter,Intel’sprogramforITprofessionals.TheIntelITCenterisdesignedtoprovidestraightforward,fluff-freeinformationtohelpITprosimplementstrategicprojectsontheiragenda, including virtualization, data center design, cloud, and client and infrastructure security. Visit the Intel IT Center for:

•Planningguides,peerresearch,andvendorroundtablestohelpyouimplementkeyprojects

•Real-worldcasestudiesthatshowhowyourpeershavetackledthesamechallengesyouface

•InformationonhowIntel’sownITorganizationisimplementingcloud,virtualization,security,andotherstrategicinitiatives

•InformationoneventswhereyoucanhearfromIntelproductexpertsaswellasfromIntel’sownITprofessionals

Learn more at intel.com/ITCenter.