One of the more interesting announcements at the RSA 2010 conference last week was the availability of new capabilities for trusted execution in cloud/multi-tenant environments. With the introduction and commercial availability of Intel’s Westmere processor, CTOs and CISOs can now deliver to their business units the means to secure cloud computing resources and provide a stable, sustainable secure virtual infrastructure.
Westmere is targeted for cloud computing environments, which now represent almost 90% of the market for Intel’s Xeon business segment. According to Intel, engineering for the Xeon segment is now primarily focused on security enhancements and capabilities at the processor level, whereas performance and energy efficiency were the targets during the last 15 years.
The two new security features included in the Westmere line are:
- Seven new encryption instructions that deliver encryption and decryption up to nine times faster, with up to twice the SSL functions as before;
- Trusted execution technology (TXT) integrated in the processor, the chipset, and Intel motherboards.
Cloud computing is a fundamental shift in information technology use, creating a host of new security, compliance, and trust capabilities not seen before. Westmere can provide the foundation for trust in cloud computing, enabling multiple security scenarios.
One specific scenario showcased at RSA 2010, built on integrations between Intel, EMC/RSA, and VMware, demonstrated how a cloud service provider could report on the trusted configuration of the virtual infrastructure used by customer VMs, tying this trust to verifiable measurements in the hardware and hypervisor, VMware-hardening best practices, and capabilities for securely encapsulating application workloads.
Other scenarios include full-disk and storage encryption, database encryption acceleration, strong authentication, and security policy/VM/application portability. For example, if you’re using VMotion to dynamically move a workload between servers, you need the capability to enforce a policy that ensures the move lands on a server where the secure root of trust has been verified. If the VM comes from a non-trusted server, don't allow it to run its application workload on a trusted server, and vice versa.
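The placement policy just described, as an added illustration that is not Intel, VMware or RSA code: host trust is decided by comparing reported launch measurements against known-good values, and a migration is allowed only when the workload's trust level matches the destination's. The component names, measurement values and host reports are constructed for the example; real TXT measurements are recorded by the platform into the TPM and compared against vendor-supplied reference values.

```python
"""Attestation-gated VM placement (constructed example, not vendor code)."""
import hashlib
from dataclasses import dataclass, field


def measure(blob: bytes) -> str:
    # Stand-in for a platform launch measurement. Real TXT measurements are
    # hashed by the processor/chipset into the TPM, not computed like this.
    return hashlib.sha1(blob).hexdigest()


# Hypothetical known-good ("golden") measurement for each measured component.
KNOWN_GOOD = {
    "bios": measure(b"constructed-bios-image"),
    "hypervisor": measure(b"constructed-hardened-hypervisor"),
}


@dataclass
class HostReport:
    """Measurements a provider reports for one physical host."""
    name: str
    measurements: dict = field(default_factory=dict)


def host_is_trusted(report: HostReport) -> bool:
    """Every measured component must match its golden value. A missing
    component counts as a mismatch, never as 'unknown but fine'."""
    return all(report.measurements.get(c) == v for c, v in KNOWN_GOOD.items())


def migration_allowed(vm_trusted: bool, dest: HostReport) -> bool:
    """Trust levels must match in both directions: a trusted workload only
    lands on a verified host, and an unverified workload never lands on one."""
    return host_is_trusted(dest) == vm_trusted


# Constructed hosts: one matches the golden values, one runs a modified hypervisor.
GOOD_HOST = HostReport("esx-01", dict(KNOWN_GOOD))
BAD_HOST = HostReport("esx-02", {"bios": KNOWN_GOOD["bios"],
                                 "hypervisor": measure(b"unexpected-hypervisor")})

if __name__ == "__main__":
    for host in (GOOD_HOST, BAD_HOST):
        print(host.name, "trusted" if host_is_trusted(host) else "UNTRUSTED",
              "| accepts trusted VM:", migration_allowed(True, host))
```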
Action Item: Look for the right opportunities to embed trusted execution capability in your cloud/virtual infrastructure security architecture.