Trusted Geolocation in the Cloud | NCCoE of NIST

Trusted Geolocation in the Cloud; Mike Bartock, Murugiah Souppaya (NIST); National Cybersecurity Center of Excellence (NCCoE), National Institute of Standards and Technology (NIST); 2017-05-11; 16 pages; landing;

Abstract

The motivation behind this Building Block is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated, hardware-root-of-trust method for enforcing and monitoring geolocation restrictions for cloud servers. A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and of the platform itself. Once the cloud platform has been attested to be trustworthy and to comply with a defined geolocation policy, other security properties can be instantiated on top of this foundational hardware root of trust to support additional security capabilities. These capabilities can include restricting workloads to running on trusted hardware in a trusted location; restricting communications between workloads; ensuring workload data is protected at rest; applying security policies to workloads; and leveraging these capabilities across a hybrid cloud. This project will result in a freely available NIST Cybersecurity Practice Guide.

Table of Contents

  1. Executive Summary
    • Purpose
    • Background
  2. Scenarios
  3. Security Characteristics
    • Stage 1
      Platform Attestation and Safer Hypervisor or Operating System Launch
    • Stage 2
      Trust-Based Homogeneous Secure Migration within a Single Cloud Platform
    • Stage 3
      Trust-Based and Geolocation-Based Homogeneous Secure Migration within a Single Cloud Platform
    • Stage 4
      Data Protection and Encryption Key Management Enforcement Based on Trust-Based and Geolocation-Based Homogeneous Secure Migration within a Single Cloud Platform
    • Stage 5
      Persistent Data Flow Segmentation Before and After the Trust-Based and Geolocation-Based Homogeneous Secure Migration within a Single Cloud Platform
    • Stage 6
      Industry Sector Compliance Enforcement for Regulated Workloads Before and After the Trust-Based and Geolocation-Based Homogeneous Secure Migration
    • Stage 7
      Trust-Based and Geolocation-Based Homogeneous and Policy Enforcement in a Secure Cloud Bursting across Two Cloud Platforms
  4. Relevant Standards and Guidance
  5. Component List
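The abstract and Stages 1 through 3 describe one decision chain: attest the platform's measured state and its geolocation asset tag through a hardware root of trust, compare the measurements with known-good values, and only then allow a workload to be placed on, or migrated to, that host. The following Python is an added illustration of that chain, not code from the NCCoE project or its practice guide. Everything in it is constructed for the example: the host names, the "firmware blobs" whose SHA-256 digests stand in for TPM PCR values, the two-letter geotags, the verifier nonce, and the use of an HMAC key per host in place of a TPM attestation key and its certificate chain.

```python
"""Trusted-geolocation placement check (added example; not NIST/NCCoE code).

Assumptions, all constructed for this illustration:
  - PCR values are modelled as SHA-256 digests of pretend firmware blobs.
  - Each host's attestation key is a shared HMAC key so the example runs offline;
    a real TPM quote is signed with an attestation key certified by the TPM vendor.
  - Geolocation is a plain string asset tag ("US", "EU") included in the quote.
"""
import hashlib
import hmac
import json


def measure(blob: bytes) -> str:
    """Stand-in for a measured-boot hash of a component."""
    return hashlib.sha256(blob).hexdigest()


# Verifier's whitelist of approved component measurements (constructed).
KNOWN_GOOD = {
    "bios": measure(b"vendor-bios-v2.1"),
    "hypervisor": measure(b"hypervisor-1.4.0"),
}

# Per-host attestation keys known to the verifier (constructed; see docstring).
HOST_KEYS = {
    "host-a": b"key-for-host-a",
    "host-b": b"key-for-host-b",
    "host-c": b"key-for-host-c",
}


def quote(host: str, pcrs: dict, geotag: str, nonce: str) -> dict:
    """Host side: sign the measurements, the geolocation tag and the verifier's
    nonce together. Binding the nonce makes a captured quote useless for replay."""
    body = {"host": host, "pcrs": pcrs, "geotag": geotag, "nonce": nonce}
    msg = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(HOST_KEYS[host], msg, hashlib.sha256).hexdigest()
    return body


def verify_quote(report: dict, nonce: str) -> bool:
    """Verifier side: the signature must verify under the host's key and the
    nonce must be the one we issued; otherwise nothing in the report is trusted."""
    key = HOST_KEYS.get(report.get("host"))
    if key is None or report.get("nonce") != nonce:
        return False
    unsigned = {k: v for k, v in report.items() if k != "sig"}
    msg = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report.get("sig", ""))


def platform_trusted(report: dict) -> bool:
    """Stage 1: every measured component matches the known-good whitelist."""
    pcrs = report["pcrs"]
    return all(pcrs.get(name) == good for name, good in KNOWN_GOOD.items())


def placement_allowed(report: dict, nonce: str, allowed_geos: set) -> tuple:
    """Stages 1-3: a workload may run on a host only if the quote is genuine,
    the platform is trusted, and the attested geotag satisfies the policy.
    Returns (decision, reason) so the scheduler can log why a host was refused."""
    if not verify_quote(report, nonce):
        return False, "quote signature or nonce invalid"
    if not platform_trusted(report):
        return False, "platform measurements do not match known-good values"
    if report["geotag"] not in allowed_geos:
        return False, "geotag %s not permitted by policy" % report["geotag"]
    return True, "trusted platform in permitted location"


def eligible_hosts(reports: list, nonce: str, allowed_geos: set) -> list:
    """Stages 2-3: the hosts a workload with this geolocation policy may be
    placed on or migrated to. Any other host is excluded from scheduling."""
    return [r["host"] for r in reports if placement_allowed(r, nonce, allowed_geos)[0]]


# Constructed sample attestation round: three hosts answer one verifier challenge.
NONCE = "c4f1e2"
GOOD_PCRS = dict(KNOWN_GOOD)
BAD_PCRS = {"bios": KNOWN_GOOD["bios"],
            "hypervisor": measure(b"hypervisor-1.4.0-backdoored")}
REPORTS = [
    quote("host-a", GOOD_PCRS, "US", NONCE),   # trusted, in permitted region
    quote("host-b", GOOD_PCRS, "EU", NONCE),   # trusted, wrong region
    quote("host-c", BAD_PCRS, "US", NONCE),    # right region, tampered hypervisor
]

if __name__ == "__main__":
    policy = {"US"}
    for r in REPORTS:
        print(r["host"], placement_allowed(r, NONCE, policy))
    print("eligible:", eligible_hosts(REPORTS, NONCE, policy))
    # A host cannot lie about its location: changing the tag breaks the signature.
    forged = dict(REPORTS[1], geotag="US")
    print("forged geotag verifies:", verify_quote(forged, NONCE))
    # An old quote cannot be replayed against a fresh challenge.
    print("stale quote verifies:", verify_quote(REPORTS[0], "stale-nonce"))
```

The order of the checks matters: the signature and nonce are verified before any field of the report is consulted, so an unsigned or replayed geotag is never compared against policy. Stage 4 onward (key release, flow segmentation, compliance, cloud bursting) would hang additional decisions off the same `placement_allowed` result rather than re-deriving trust.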
