National Institute of Standards and Technology releases 3 guidelines: Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments, Hardware-Enabled Security: Machine Identity Management and Protection and Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms

April 22, 2022 |

Yesterday the National Institute of Standards and Technology (“NIST”) released Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments, Hardware-Enabled Security: Machine Identity Management and Protection and Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms.

The guides are highly technical but include useful practical methodologies on cyber security.  They are a valuable resource.  In Australia there is nothing equivalent at this level of detail. 

Trusted Cloud

The abstract provides:

A cloud workload is an abstraction of the actual instance of a functional application that is virtualized or containerized to include compute, storage, and network resources. Organizations need to be able to monitor, track, apply, and enforce their security and privacy policies on their cloud workloads, based on business requirements, in a consistent, repeatable, and automated way. The goal of this project is to develop a trusted cloud solution that will demonstrate how trusted compute pools leveraging hardware roots of trust can provide the necessary security capabilities. These capabilities not only provide assurance that cloud workloads are running on trusted hardware and in a trusted geolocation or logical boundary, but also improve the protections for the data in the workloads and in the data flows between workloads. The example solution leverages modern commercial off-the-shelf technology and cloud services to address lifting and shifting a typical multi-tier application between an organization-controlled private cloud and a hybrid/public cloud over the internet.

The NIST identifies the threats and solutions as follows:

Threats Against Cloud Infrastructure

Threat/Attack Type: Physical threat against data center (e.g., natural disaster, cooling system failure)
Example: A regional power outage necessitates shutting down servers at one data center location.
Addressed by Solution: Have adequate environmental controls in place for the data center, such as backup power, heating and cooling mechanisms, and fire detection and suppression systems. Be prepared to automatically shift workloads to another suitable location at any time. The enterprise data center infrastructure team or cloud service operators are responsible for providing these mechanisms.

Threat/Attack Type: Tampering with server firmware (e.g., Basic Input/Output System [BIOS])
Example: An unapproved change management control or a malicious insider gains physical access to a server in the data center and alters its BIOS configuration to disable its security protections.
Addressed by Solution: Use physical security controls to restrict data center access to authorized personnel only. Monitor data center access at all times. Detect changes by taking an integrity measurement of the BIOS at boot and comparing it with a previous measurement taken in a “clean room” environment and configured as a good known BIOS.

Threats Against Cloud Workload Storage, Execution, and Use

Threat/Attack Type: Running a cloud workload within an untrusted environment or location
Example: A cloud administrator may respond to an impending maintenance disruption by moving workloads to cloud servers in other locations.
Addressed by Solution: Allow cloud workloads to execute only on a physical server that is known to be good (i.e., not tampered with) and is within an authorized geolocation.

Threat/Attack Type: Unauthorized access from one workload to another within a cloud
Example: A user of one workload connects to another organization’s workload and exploits vulnerabilities in it to gain unauthorized access.
Addressed by Solution: Establish network boundaries through dedicated virtual local area networks (VLANs) leveraging automated access control lists (ACLs). Use Institute of Electrical and Electronics Engineers (IEEE) 802.1Q VLAN tagging for network traffic within the cloud data center so that only traffic tagged with a server’s unique VLAN identifier is routed to or from that server.

Threat/Attack Type: Unauthorized movement within the cloud environment from a compromised cloud workload (e.g., lateral movement)
Example: A cloud workload is compromised, and the attacker has full privileged access to the system. The attacker tries to move laterally to discover sensitive resources and escalate privileges to gain greater access to the environment.
Addressed by Solution: Use software-defined technology and user privilege segmentation to allowlist the network communications and access rights.

Threat/Attack Type: Intentional or accidental exposure of sensitive data
Example: An administrator copies a cloud workload file to an unauthorized location.
Addressed by Solution: Encrypt cloud workloads at rest. Use end-to-end encryption with mutual authentication when moving a workload from one location to another.

Threat/Attack Type: Unauthorized access to files containing sensitive data
Example: A malicious insider misuses OS access to copy a file.
Addressed by Solution: Scan filesystems for sensitive data, categorize the discovered files, monitor all access to those files, and report on that access. Enforce access controls that prevent different cloud provider administrators of workloads from accessing sensitive applications and data drives.

The primary areas of vulnerability concern are:

  • software flaws and misconfigurations at all levels of the architecture: low-level services (compute, storage, network), VMMs, OSs, and applications, including cloud workload management, VMM management, and other management tools;
  • the need to ensure that the same security policies are being enforced within both clouds for the workloads, to eliminate some vulnerabilities and mitigate others.

The four main components that comprise the trusted cloud build are:

  • HSM component: It utilizes HSMs to store sensitive keys within the environment. One set of HSMs is used for the domain’s root and issuing Transport Layer Security (TLS) certificate authorities (CAs), while another HSM is used to protect keys that are used to encrypt workloads. The HSM component is deployed in the private cloud at the NCCoE.
  • Management component: The single management console is used to operate the virtual infrastructure hosting the tenant workloads. At a minimum, each management component consists of hardware utilizing Intel processors, VMware running the virtualization stack, HyTrust providing the asset tagging policy enforcement aspect, and RSA providing network-visibility, dashboard, and reporting capabilities. The management components on each site are connected through the IPsec VPN to represent one logical management element.
  • Compute component: Both sites of the hybrid cloud include similar compute components. The compute components host the tenant workload VMs. Asset tagging is provisioned on the compute servers so that policy can be assigned and enforced to ensure that tenant workloads reside on servers that meet specific regulatory compliance requirements. At a minimum, each compute component consists of hardware utilizing Intel processors and VMware running the virtualization stack. The compute components on each site are connected through the IPsec VPN so that workloads can be migrated between the two sites.
  • Workload component: Both sites of the hybrid cloud have similar workload components. The workload components include VMs, data storage, and networks owned and operated by the tenant and data. Policies are applied to the workloads to ensure that they can run only on servers that meet specific requirements, such as asset tag policies.


Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms

The abstract provides:

In today’s cloud data centers and edge computing, attack surfaces have significantly increased, cyber attacks are industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the platform on which data and workloads will be executed and accessed. The physical platform represents the foundation for any layered security approach and provides the initial protections to help ensure that higher-layer security controls can be trusted. This report explains an approach based on hardware-enabled security techniques and technologies for safeguarding container deployments in multi-tenant cloud environments. It also describes a prototype implementation of the approach intended to be a blueprint or template for the general security community.

The principles of operation are to:

  1. Create a part of the cloud to meet the specific and varying security requirements of
  2. Control access to that portion of the cloud so that the correct applications (workloads) get deployed
  3. Enable audits of that portion of the cloud so that users can verify
  4. Encrypt workload images and ensure only specific servers can decrypt
  5. Ensure that only specific applications with location-based restriction enforcement can access sensitive data.
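The following Python is an added illustration (not code from NIST, VMware or either guide) of the controls that both the threat table for Trusted Cloud and principles 4 and 5 above rely on: a host joins the trusted pool only if its boot-time BIOS measurement matches the known-good measurement taken in a clean room, a workload may be placed on it only if the host's asset-tag geolocation is one its policy authorizes, and the workload decryption key is released only after both checks pass. All host names, digests, tags and the key value are constructed sample data.

```python
from dataclasses import dataclass, field
import hashlib
import hmac

# Known-good BIOS measurement per platform model, taken once in a "clean room"
# (constructed sample digest, not a real firmware measurement).
GOLDEN_BIOS = {"model-A": hashlib.sha256(b"bios-A-v1.2 sample").hexdigest()}

@dataclass
class Host:
    name: str
    model: str
    measured_bios: str                      # digest the host reports at boot
    asset_tags: dict = field(default_factory=dict)  # e.g. {"geolocation": "AU"}

@dataclass
class WorkloadPolicy:
    name: str
    allowed_geolocations: set
    require_trusted_boot: bool = True

def host_is_trusted(host):
    """True only when the boot-time measurement matches the golden one."""
    golden = GOLDEN_BIOS.get(host.model)
    return golden is not None and hmac.compare_digest(golden, host.measured_bios)

def placement_violations(host, policy):
    """List the rules the host fails; an empty list means the workload may run there."""
    problems = []
    if policy.require_trusted_boot and not host_is_trusted(host):
        problems.append("bios-measurement-mismatch")
    geo = host.asset_tags.get("geolocation")
    if geo not in policy.allowed_geolocations:
        problems.append(f"geolocation-not-authorized:{geo}")
    return problems

def release_workload_key(host, policy, key_store):
    """Hand the workload's decryption key only to a host that passes every check."""
    return None if placement_violations(host, policy) else key_store.get(policy.name)

# Constructed sample inventory: one good host, one with an altered BIOS, one offshore.
GOOD_HOST = Host("esx-syd-01", "model-A", GOLDEN_BIOS["model-A"], {"geolocation": "AU"})
TAMPERED_HOST = Host("esx-syd-02", "model-A",
                     hashlib.sha256(b"bios-A-v1.2 sample, protections off").hexdigest(),
                     {"geolocation": "AU"})
OFFSHORE_HOST = Host("esx-us-01", "model-A", GOLDEN_BIOS["model-A"], {"geolocation": "US"})
POLICY = WorkloadPolicy("payroll-db", {"AU"})
KEY_STORE = {"payroll-db": "constructed-wrapped-key"}   # stands in for the HSM-backed key
```

In a real deployment the measurement comes from the platform's hardware root of trust and the key store is the HSM component described above; here both are simple dictionaries so the policy logic can be run offline.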
