SlideShare a Scribd company logo

Trust and Cloud computing, removing the need for the consumer to trust their provider

Download as PPTX, PDF
David Wallom, profile picture
David Wallom

Trusted computing and remote attestation techniques can be used to build trust in cloud computing by creating a "chain of trust" from the hardware to cloud services and data. This allows users to verify that only authorized applications and services are accessing data and resources as intended, without needing to unconditionally trust the cloud provider. The solution involves using trusted computing mechanisms like TPMs to attest different components in the cloud infrastructure and ensure only expected software configurations are present. It also proposes using a distributed open attestation service to periodically examine cloud nodes and verify their configurations remain intact, helping address issues of resilience and scalability for attestation.

Technology
1 of 24
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Trust and Cloud computing, removing the need for the consumer to trust their provider Prof David Wallom University of Oxford
Overview • The problem – Drivers of cloud adoption – Threats forming barriers to adoption – Trust and the stakeholders in the cloud – Building trust through regulation – Trusted products within a marketplace • The solution – Trusted Computing – Chain of trust – OAT – Trusted Appliances, Applications and user data
Problem…
Trust and Cloud computing, removing the need for the consumer to trust their provider
Trust and Cloud computing, removing the need for the consumer to trust their provider
7 Cloud Computing security risks
Trust at the Last Mile • Problem for high value instantly usable data and services – Critical data or keys are still exposed inside the cloud at the final steps – Still require customers unconditional trust of their CSP – Value may be great enough that traditional blackmail/bribery may be enough to gain access
Cloud (IaaS) and Security cloud infrastructure Storage (Object) Storage (Block) Host VM Host VM … Users • AAI: management, storage APIs. • VMs: security groups (layer 2/3), firewall, VPN. • OS: admin policies, monitoring, auditing, patches, etc. • HW: physical security • How can users trust the origin and identity of the cloud infrastructure software stack? • How can users trust the origin and identity of VMs, Block Storage, Storage Objects?
“What is really going on inside the cloud?”
New Industries Around Security and Trust
Building trust through regulation
Building trust by building brands
Recap • Cloud already affects all our lives, it will soon affect extremely high value parts of our lives even more • Security, Trust and Privacy still great concerns • The very thing that makes cloud great (of not caring about the innards) also causes some of our headaches • Regulation may be well meaning when introduced but ultimately doesn’t improve the user experience as it by def. limits some functions or capabilities • Providing improved consumer information may allow us to build reputation systems but there is nothing to stop them being subverted and having to use clean branded appliances each time will cause operational headaches. • We must trust our cloud provider, completely! • We don’t really know whats going on within the cloud • We are worried we may lose our data
A solution
Trusted Computing • What it is: A set of specifications proposed by the Trusted Computing Group (TCG) for implementing a remotely verifiable infrastructure. • What it does and what it does not: It enables a challenger to remotely verify the genuine configurations of a platform. It provides no guarantee on the security properties of the platform, but leaves the challengers to determine the properties by mapping the configurations to a predefined security properties repository. • TPM: A cost-effective secure hardware, providing tamper-proof capabilities for storing and reporting the platform’s configuration, together with other supporting capabilities, such as secure key management. • Integrity and attestation: The integrity of a platform is defined as its capability to behave as expected. In general implementation, integrity is interpreted as whether only expected software components with expected configurations have been loaded on the target platform. Remote Attestations are performed to examine the integrity of a remote platform. • Strengths and limitations: Trust Computing mechanisms are built upon the tamper-proof hardware. However, complexities in managing the expected platform configurations have inhibited the widespread adoption of Trusted Computing.
Extend the Trusted Platform to the cloud • Reassure customers that the cloud infrastructure is strong enough to defend against attackers or malicious users. • Enables a mechanism by which the properties of the cloud service components and third-party extensions can be continuously inspected and examined.
Trusted Computing and Cloud Computing User verifiable Chain of Trust = Attestation result of Storage + Attestation result of Host + Attestation result of VM …but in the cloud the hardware components can change… HW/TPM Host Controller Hypervisor Virtual Machine vTPM Virtual Machine vTPM Virtual Machine vTPM HW/TPM Storage Controller Storage Service 12 3 123
Open Attestation (OAT) as a Trusted Third Party …but what about resilience and scalability?
Porridge (Distributed OAT) • High frequency platform verification • Application whitelisting • Verifiable Logging
Attesting Cloud Services • VM attestation – Know exactly the status of your system, its how you left it! • Centralized Attestation Service – A service to periodically examining all the cloud nodes and recording their configurations; – Customers attest the delegates to make sure the attestation service is correctly running. – Supporting dynamic VM migration attesting both source and destination to ensure continual validity • Property-based Access Controls – Customers define the access control policies to their data or keys based on the properties of the accessing cloud applications and the underlying hosting infrastructure. – Whitelisting application software within a cloud instance
Trusted Data Processing • To ensure that customer data is not abused by their CSP when outsourced to the cloud infrastructure for processing or storage. • TDP ensures customers that their data is only decrypted by their applications, having the predefined states, and being deployed on the part of the cloud satisfying predefined SLA.
Trusted Data Exchanging • To ensure that Customer Data is not abused by other customers when shared on a common infrastructure to achieve cooperative computations. • TDP ensures a Data Provider that every piece of data is processed only by applications with predetermined properties.
Conclusion • Trust is still highlighted as a significant barrier to cloud adoption in high value usecases • Traditional security still requires users to trust their CSP • Regulation may aim for a secure business as usual, it doesn’t support you when things go wrong • Utilising Trusted Computing and remote attestation builds a chain of trust – Hardware -> Cloud Host -> Hypervisor -> VM -> application software + Data – Support application and data whitelisting to ensure only those with permission can use services or capabilities • Only registered and verified hosts can run high value applications • Only registered and verifies services can access high value data • Extending existing Trusted Third Party capabilities to support multiple trusted Service Providers providing externally verifiable measurement of cloud located services • We are removing the need to trust your cloud provider by building cryptographically secure cloud
Thank You!

More Related Content

PPTX
Trust and Cloud computing, removing the need for the consumer to trust their ...
David Wallom
 
PDF
E magic case study
Allyssa1Davis
 
PPTX
3433 IBM messaging security why securing your environment is important-feb2...
Robert Parker
 
PPTX
Ame 2269 ibm mq high availability
Andrew Schofield
 
PPTX
Managed Service Provider Deployment Options for SolarWinds Network & Server M...
SolarWinds
 
PPT
IBM Integration Bus & WebSphere MQ - High Availability & Disaster Recovery
Rob Convery
 
PPTX
6421 b Module-07
Bibekananada Jena
 
PPSX
VMware: my jsme “software defined”
MarketingArrowECS_CZ
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
David Wallom
 
E magic case study
Allyssa1Davis
 
3433 IBM messaging security why securing your environment is important-feb2...
Robert Parker
 
Ame 2269 ibm mq high availability
Andrew Schofield
 
Managed Service Provider Deployment Options for SolarWinds Network & Server M...
SolarWinds
 
IBM Integration Bus & WebSphere MQ - High Availability & Disaster Recovery
Rob Convery
 
6421 b Module-07
Bibekananada Jena
 
VMware: my jsme “software defined”
MarketingArrowECS_CZ
 

What's hot (20)

PDF
Encoding Enhancers Woolpack virtualization services
Aditi Shrivastava
 
PDF
Ad Hoc Automation is an Expensive Mistake
BMC Software
 
PDF
DATA STORAGE REPLICATION aCelera and WAN Series Solution Brief
Array Networks
 
PPTX
Understanding mq deployment choices and use cases
Leif Davidsen
 
PPTX
CompTIA Security Plus Overview
Joseph Holbrook, Chief Learning Officer (CLO)
 
PPTX
[DSBW Spring 2009] Unit 05: Web Architectures
Carles Farré
 
PDF
Expanding your options with the MQ Appliance
Anthony Beardsmore
 
PPSX
Flex Cloud Hosting - Reduce server sprawl and optimize server utilization
Mike Ricca
 
PPT
Performance testing virtualized systems v5
Mentora
 
PPTX
2.13.14 v mware software defined data center (sddc) in 2014 slide deck
McOWLMarketing
 
PDF
Stratus Fault-Tolerant Cloud Infrastructure Software for NFV using OpenStack
Ali Kafel
 
PPTX
Aruba Rightsizing Your Network
hypknight
 
PPT
Cross selling 5
Sen Nathan
 
PPT
Session #107 - AMSI Hosting Options
webhostingguy
 
PDF
Cloud computing aws -key services
Selvaraj Kesavan
 
PDF
Troubleshooting and debugging Citrix Receiver for iOS and Android
Citrix
 
PPT
Why Security Teams should care about VMware
JJDiGeronimo
 
PPT
A Summary of Hosting Packages
StuMitchellmw
 
PDF
Whitepaper Exchange 2007 Changes, Resilience And Storage Management
Alan McSweeney
 
PDF
Ensuring Rock-Solid Unified Endpoint Management
Quest
 
Encoding Enhancers Woolpack virtualization services
Aditi Shrivastava
 
Ad Hoc Automation is an Expensive Mistake
BMC Software
 
DATA STORAGE REPLICATION aCelera and WAN Series Solution Brief
Array Networks
 
Understanding mq deployment choices and use cases
Leif Davidsen
 
CompTIA Security Plus Overview
Joseph Holbrook, Chief Learning Officer (CLO)
 
[DSBW Spring 2009] Unit 05: Web Architectures
Carles Farré
 
Expanding your options with the MQ Appliance
Anthony Beardsmore
 
Flex Cloud Hosting - Reduce server sprawl and optimize server utilization
Mike Ricca
 
Performance testing virtualized systems v5
Mentora
 
2.13.14 v mware software defined data center (sddc) in 2014 slide deck
McOWLMarketing
 
Stratus Fault-Tolerant Cloud Infrastructure Software for NFV using OpenStack
Ali Kafel
 
Aruba Rightsizing Your Network
hypknight
 
Cross selling 5
Sen Nathan
 
Session #107 - AMSI Hosting Options
webhostingguy
 
Cloud computing aws -key services
Selvaraj Kesavan
 
Troubleshooting and debugging Citrix Receiver for iOS and Android
Citrix
 
Why Security Teams should care about VMware
JJDiGeronimo
 
A Summary of Hosting Packages
StuMitchellmw
 
Whitepaper Exchange 2007 Changes, Resilience And Storage Management
Alan McSweeney
 
Ensuring Rock-Solid Unified Endpoint Management
Quest
 
Ad

Viewers also liked (8)

DOCX
T-BROKER: A TRUST-AWARE SERVICE BROKERING SCHEME FOR MULTIPLE CLOUD COLLABORA...
I3E Technologies
 
PDF
Cloudarmor supporting reputation based trust management for cloud services
Shakas Technologies
 
PDF
Cloud armor supporting reputation based trust management for cloud services
ieeepondy
 
DOCX
Cloudarmor supporting reputation based trust management for cloud services
Shakas Technologies
 
PPTX
Cryptography
Techprahlad
 
PPTX
multiple encryption in clouud computing
Rauf Wani
 
PPTX
Analysis of-security-algorithms-in-cloud-computing [autosaved]
Md. Fazla Rabbi
 
PPTX
Security Issues in Cloud Computing
Jyotika Pandey
 
T-BROKER: A TRUST-AWARE SERVICE BROKERING SCHEME FOR MULTIPLE CLOUD COLLABORA...
I3E Technologies
 
Cloudarmor supporting reputation based trust management for cloud services
Shakas Technologies
 
Cloud armor supporting reputation based trust management for cloud services
ieeepondy
 
Cloudarmor supporting reputation based trust management for cloud services
Shakas Technologies
 
Cryptography
Techprahlad
 
multiple encryption in clouud computing
Rauf Wani
 
Analysis of-security-algorithms-in-cloud-computing [autosaved]
Md. Fazla Rabbi
 
Security Issues in Cloud Computing
Jyotika Pandey
 
Ad

Similar to Trust and Cloud computing, removing the need for the consumer to trust their provider (20)

PPTX
Trust and Cloud Computing, removing the need to trust your cloud provider
David Wallom
 
PDF
Mikel berdufi university_of_camerino_thesis
Mikel Berdufi
 
PDF
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
SafeNet
 
PDF
IRJET- Model-Driven Platform for Service Security and Framework for Data ...
IRJET Journal
 
PPTX
Data security in cloud computing
Prince Chandu
 
PPTX
Transforming cloud security into an advantage
Moshe Ferber
 
PPT
Cloud security
Adeel Javaid
 
PPT
4831586.ppt
ahmad21315
 
PPT
security Issues of cloud computing
prachupanchal
 
PPTX
Erkan kahraman Security, Trust, Assurance - 20131106 - nordic it security s...
Erkan Kahraman
 
PPTX
Cloud Cmputing Security
Devyani Vaidya
 
PDF
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
idescitation
 
PDF
Overview of cloud computing architecture
eSAT Journals
 
PDF
B018211016
IOSR Journals
 
PPT
Security issue in cloud by himanshu tiwari
bhanu krishna
 
PPTX
2014 2nd me cloud conference trust in the cloud v01
promediakw
 
PPTX
Building and Operating Clouds
BMC Software
 
PPTX
Secure Cloud Issues
Devyani Vaidya
 
PPTX
Cloud computing security
Pratik Sharma
 
PDF
An Comparison with Property Based Resource Attestation to Secure Cloud Enviro...
cscpconf
 
Trust and Cloud Computing, removing the need to trust your cloud provider
David Wallom
 
Mikel berdufi university_of_camerino_thesis
Mikel Berdufi
 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
SafeNet
 
IRJET- Model-Driven Platform for Service Security and Framework for Data ...
IRJET Journal
 
Data security in cloud computing
Prince Chandu
 
Transforming cloud security into an advantage
Moshe Ferber
 
Cloud security
Adeel Javaid
 
4831586.ppt
ahmad21315
 
security Issues of cloud computing
prachupanchal
 
Erkan kahraman Security, Trust, Assurance - 20131106 - nordic it security s...
Erkan Kahraman
 
Cloud Cmputing Security
Devyani Vaidya
 
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
idescitation
 
Overview of cloud computing architecture
eSAT Journals
 
B018211016
IOSR Journals
 
Security issue in cloud by himanshu tiwari
bhanu krishna
 
2014 2nd me cloud conference trust in the cloud v01
promediakw
 
Building and Operating Clouds
BMC Software
 
Secure Cloud Issues
Devyani Vaidya
 
Cloud computing security
Pratik Sharma
 
An Comparison with Property Based Resource Attestation to Secure Cloud Enviro...
cscpconf
 

More from David Wallom (20)

PPTX
Quantifying the impact of green leasing on energy use in a retail portfolio: ...
David Wallom
 
PPTX
The University of Oxford e-Research Centre
David Wallom
 
PPTX
Introduction to Cloud Computing
David Wallom
 
PPTX
Benefits of big data analytics in Smart Metering, ADEPT, WICKED and beyond
David Wallom
 
PPTX
Smarter Energy, Infrastruture service, consumtion analytics and applications
David Wallom
 
PPTX
The Climateprediction.net programme, big data climate modelling
David Wallom
 
PPTX
1990-2050 sulphur dioxide emissions data from ECLIPSE v5a for use in Met Offi...
David Wallom
 
PPTX
Supporting Research through "Desktop as a Service" models of e-infrastructure...
David Wallom
 
PPTX
e-Research & the art of linking Astrophysics to Deforestation
David Wallom
 
PPTX
Privacy and Security policies in the cloud
David Wallom
 
PPTX
Working with Earth Observation Data, INFORM and the IEA
David Wallom
 
PPTX
WICKED - Working with the data rich
David Wallom
 
PPTX
Mapping Priorities and Future Collaborations for you Projects
David Wallom
 
PPTX
CloudWatch: Mapping priorities and future collaboration for your project
David Wallom
 
PPTX
CloudWatch2 Adoption Deep Dive
David Wallom
 
PPTX
e-infrastructural needs to support informatics
David Wallom
 
PPTX
Generating Insight from Big Data
David Wallom
 
PPTX
International Forest Risk Model
David Wallom
 
PPTX
Generating Insight from Big Data in Energy and the Environment
David Wallom
 
PPTX
Smart Grid, Smart Metering and Cybersecurity
David Wallom
 
Quantifying the impact of green leasing on energy use in a retail portfolio: ...
David Wallom
 
The University of Oxford e-Research Centre
David Wallom
 
Introduction to Cloud Computing
David Wallom
 
Benefits of big data analytics in Smart Metering, ADEPT, WICKED and beyond
David Wallom
 
Smarter Energy, Infrastruture service, consumtion analytics and applications
David Wallom
 
The Climateprediction.net programme, big data climate modelling
David Wallom
 
1990-2050 sulphur dioxide emissions data from ECLIPSE v5a for use in Met Offi...
David Wallom
 
Supporting Research through "Desktop as a Service" models of e-infrastructure...
David Wallom
 
e-Research & the art of linking Astrophysics to Deforestation
David Wallom
 
Privacy and Security policies in the cloud
David Wallom
 
Working with Earth Observation Data, INFORM and the IEA
David Wallom
 
WICKED - Working with the data rich
David Wallom
 
Mapping Priorities and Future Collaborations for you Projects
David Wallom
 
CloudWatch: Mapping priorities and future collaboration for your project
David Wallom
 
CloudWatch2 Adoption Deep Dive
David Wallom
 
e-infrastructural needs to support informatics
David Wallom
 
Generating Insight from Big Data
David Wallom
 
International Forest Risk Model
David Wallom
 
Generating Insight from Big Data in Energy and the Environment
David Wallom
 
Smart Grid, Smart Metering and Cybersecurity
David Wallom
 

Recently uploaded (20)

PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PDF
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
PPTX
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
PDF
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
PDF
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
PDF
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PDF
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PPTX
The Future of AI & Machine Learning.pptx
pritsen4700
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
The Future of AI & Machine Learning.pptx
pritsen4700
 

Trust and Cloud computing, removing the need for the consumer to trust their provider

  • 1. Trust and Cloud computing, removing the need for the consumer to trust their provider Prof David Wallom University of Oxford
  • 2. Overview • The problem – Drivers of cloud adoption – Threats forming barriers to adoption – Trust and the stakeholders in the cloud – Building trust through regulation – Trusted products within a marketplace • The solution – Trusted Computing – Chain of trust – OAT – Trusted Appliances, Applications and user data
  • 6. 7 Cloud Computing security risks
  • 7. Trust at the Last Mile • Problem for high value instantly usable data and services – Critical data or keys are still exposed inside the cloud at the final steps – Still require customers unconditional trust of their CSP – Value may be great enough that traditional blackmail/bribery may be enough to gain access
  • 8. Cloud (IaaS) and Security cloud infrastructure Storage (Object) Storage (Block) Host VM Host VM … Users • AAI: management, storage APIs. • VMs: security groups (layer 2/3), firewall, VPN. • OS: admin policies, monitoring, auditing, patches, etc. • HW: physical security • How can users trust the origin and identity of the cloud infrastructure software stack? • How can users trust the origin and identity of VMs, Block Storage, Storage Objects?
  • 9. “What is really going on inside the cloud?”
  • 10. New Industries Around Security and Trust
  • 12. Building trust by building brands
  • 13. Recap • Cloud already affects all our lives, it will soon affect extremely high value parts of our lives even more • Security, Trust and Privacy still great concerns • The very thing that makes cloud great (of not caring about the innards) also causes some of our headaches • Regulation may be well meaning when introduced but ultimately doesn’t improve the user experience as it by def. limits some functions or capabilities • Providing improved consumer information may allow us to build reputation systems but there is nothing to stop them being subverted and having to use clean branded appliances each time will cause operational headaches. • We must trust our cloud provider, completely! • We don’t really know whats going on within the cloud • We are worried we may lose our data
  • 15. Trusted Computing • What it is: A set of specifications proposed by the Trusted Computing Group (TCG) for implementing a remotely verifiable infrastructure. • What it does and what it does not: It enables a challenger to remotely verify the genuine configurations of a platform. It provides no guarantee on the security properties of the platform, but leaves the challengers to determine the properties by mapping the configurations to a predefined security properties repository. • TPM: A cost-effective secure hardware, providing tamper-proof capabilities for storing and reporting the platform’s configuration, together with other supporting capabilities, such as secure key management. • Integrity and attestation: The integrity of a platform is defined as its capability to behave as expected. In general implementation, integrity is interpreted as whether only expected software components with expected configurations have been loaded on the target platform. Remote Attestations are performed to examine the integrity of a remote platform. • Strengths and limitations: Trust Computing mechanisms are built upon the tamper-proof hardware. However, complexities in managing the expected platform configurations have inhibited the widespread adoption of Trusted Computing.
  • 16. Extend the Trusted Platform to the cloud • Reassure customers that the cloud infrastructure is strong enough to defend against attackers or malicious users. • Enables a mechanism by which the properties of the cloud service components and third-party extensions can be continuously inspected and examined.
  • 17. Trusted Computing and Cloud Computing User verifiable Chain of Trust = Attestation result of Storage + Attestation result of Host + Attestation result of VM …but in the cloud the hardware components can change… HW/TPM Host Controller Hypervisor Virtual Machine vTPM Virtual Machine vTPM Virtual Machine vTPM HW/TPM Storage Controller Storage Service 12 3 123
  • 18. Open Attestation (OAT) as a Trusted Third Party …but what about resilience and scalability?
  • 19. Porridge (Distributed OAT) • High frequency platform verification • Application whitelisting • Verifiable Logging
  • 20. Attesting Cloud Services • VM attestation – Know exactly the status of your system, its how you left it! • Centralized Attestation Service – A service to periodically examining all the cloud nodes and recording their configurations; – Customers attest the delegates to make sure the attestation service is correctly running. – Supporting dynamic VM migration attesting both source and destination to ensure continual validity • Property-based Access Controls – Customers define the access control policies to their data or keys based on the properties of the accessing cloud applications and the underlying hosting infrastructure. – Whitelisting application software within a cloud instance
  • 21. Trusted Data Processing • To ensure that customer data is not abused by their CSP when outsourced to the cloud infrastructure for processing or storage. • TDP ensures customers that their data is only decrypted by their applications, having the predefined states, and being deployed on the part of the cloud satisfying predefined SLA.
  • 22. Trusted Data Exchanging • To ensure that Customer Data is not abused by other customers when shared on a common infrastructure to achieve cooperative computations. • TDP ensures a Data Provider that every piece of data is processed only by applications with predetermined properties.
  • 23. Conclusion • Trust is still highlighted as a significant barrier to cloud adoption in high value usecases • Traditional security still requires users to trust their CSP • Regulation may aim for a secure business as usual, it doesn’t support you when things go wrong • Utilising Trusted Computing and remote attestation builds a chain of trust – Hardware -> Cloud Host -> Hypervisor -> VM -> application software + Data – Support application and data whitelisting to ensure only those with permission can use services or capabilities • Only registered and verified hosts can run high value applications • Only registered and verifies services can access high value data • Extending existing Trusted Third Party capabilities to support multiple trusted Service Providers providing externally verifiable measurement of cloud located services • We are removing the need to trust your cloud provider by building cryptographically secure cloud

Editor's Notes

  • #10: How to effectively verify “what is really going on inside the cloud”. Whether the acquired Cloud services are enforced; Whether only the acquired Cloud services are accessing customers’ data.
  • #16: 15
  • #18: Attestation of VMs: only expected programs with expected configuration files are loaded inside the VM. Attestation of Hosts: only the expected VM with the expected software stack has been instantiated. The VM the user is currently connecting to, is genuinely loaded by the genuine hypervisor. Attestation of Storage: the VM is binding to the expected virtual storage, and the state of the virtual storage can only be manipulated by an expected software stack. The virtual storage connected to the user’s VM is genuinely loaded and managed by the genuine Storage Management software with the specified parameters.