
Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service Environments
Comments invited for Draft SP 1800-19B
By CHIPS Magazine - November 27, 2018
The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), recognizes the need to address security and privacy challenges for the use of shared cloud services in hybrid cloud architectures, and has launched a project to resolve these issues.

The aim is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers, according to the NIST release.

According to NCCoE, “A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform. Once the cloud platform has been proven to be trustworthy and to comply with a defined geolocation policy, then other use properties can be instantiated to support additional security capabilities that are built on this foundational hardware root of trust. These capabilities can include restricting workloads to running on trusted hardware in a trusted location; restricting communications between workloads; ensuring workload data is protected at rest; applying security policies to workloads; and leveraging these capabilities across a hybrid cloud.” The project will result in a freely available NIST Cybersecurity Practice Guide.

The project is using commercially available technologies to develop a cybersecurity reference design that can be implemented to increase security and privacy for cloud workloads on hybrid cloud platforms, NIST said.

The project will demonstrate how the implementation and use of trusted compute pools not only will provide assurance that workloads in the cloud are running on trusted hardware and are in a trusted geolocation, but also will improve the protections for the data within workloads and flowing between workloads.

A cloud workload is an abstraction of the actual instance of a functional application that is virtualized or containerized to include compute, storage, and network resources. Organizations need to be able to monitor, track, apply, and enforce their security and privacy policies on their cloud workloads, based on business requirements, in a consistent, repeatable and automated way.

The goal of this project is to develop a trusted cloud solution that demonstrates how trusted compute pools built on hardware roots of trust can provide the necessary security capabilities. These capabilities not only provide assurance that cloud workloads are running on trusted hardware and within a trusted geolocation or logical boundary, but also improve the protections for the data in the workloads and in the data flows between workloads. The example solution uses modern commercial off-the-shelf technology and cloud services to address a particular use case: lifting and shifting a typical multi-tier application between an organization-controlled private cloud and a hybrid/public cloud over the internet.
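The placement decision that a trusted compute pool makes, as an added illustration that is not code from the practice guide or any of its vendors: each host reports platform measurements and a geolocation tag through its hardware root of trust, a workload may only be scheduled onto hosts whose measurements match known-good values, whose tag is still bound as provisioned, and whose location the workload policy allows, and a lift-and-shift migration must satisfy the policy at both ends. Host records, the tag-binding scheme and all values are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Known-good measurements are constructed for this example; a deployment would
# take them from a measured-boot golden image, not hard-code them.
KNOWN_GOOD = {"bios": hashlib.sha256(b"bios-fw-1.2").hexdigest(),
              "hypervisor": hashlib.sha256(b"hv-build-100").hexdigest()}

@dataclass
class HostAttestation:
    host_id: str
    measurements: dict    # component -> digest reported via the hardware root of trust
    asset_tag: str        # geolocation value the platform currently reports
    tag_digest: str       # digest of the tag bound to the platform at provisioning

@dataclass
class WorkloadPolicy:
    name: str
    allowed_geolocations: set = field(default_factory=set)

def bind_tag(tag: str) -> str:
    # The geolocation tag is bound by digest so a later edit to the reported
    # tag shows up as a mismatch instead of silently relocating the host.
    return hashlib.sha256(b"geo:" + tag.encode()).hexdigest()

def platform_is_trusted(host: HostAttestation) -> bool:
    # Trusted only if every measured component matches its known-good value
    # and the reported geolocation still matches the bound digest.
    measured_ok = all(host.measurements.get(c) == d for c, d in KNOWN_GOOD.items())
    return measured_ok and host.tag_digest == bind_tag(host.asset_tag)

def placement_allowed(policy: WorkloadPolicy, host: HostAttestation) -> bool:
    return platform_is_trusted(host) and host.asset_tag in policy.allowed_geolocations

def trusted_compute_pool(policy: WorkloadPolicy, hosts: list) -> list:
    # The pool a workload may be scheduled into: trusted hosts in allowed locations.
    return [h.host_id for h in hosts if placement_allowed(policy, h)]

def migration_allowed(policy: WorkloadPolicy, src: HostAttestation, dst: HostAttestation) -> bool:
    # Lift-and-shift between clouds is permitted only when both ends satisfy the policy.
    return placement_allowed(policy, src) and placement_allowed(policy, dst)

def sample_hosts() -> list:
    # Constructed hosts: a private-cloud host, a public-cloud host in an allowed
    # region, one with a modified hypervisor, and one whose tag was edited.
    tampered = dict(KNOWN_GOOD, hypervisor=hashlib.sha256(b"modified").hexdigest())
    return [HostAttestation("priv-01", KNOWN_GOOD, "US-East", bind_tag("US-East")),
            HostAttestation("pub-07", KNOWN_GOOD, "US-West", bind_tag("US-West")),
            HostAttestation("pub-09", tampered, "US-West", bind_tag("US-West")),
            HostAttestation("pub-12", KNOWN_GOOD, "US-West", bind_tag("EU-Central"))]
```

With a policy allowing US-East and US-West, only priv-01 and pub-07 form the pool; pub-09 fails the measurement check and pub-12 fails the tag-binding check, so neither can receive a migrated workload.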

NCCoE is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries or broad, cross-sector technology challenges. Working with technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE develops modular, easily adaptable example cybersecurity solutions demonstrating how to apply standards and best practices using commercially available technology. Information is available at:

Comments are due Jan. 11, 2019 and can be emailed to:

Planning Note (11/20/2018): Comment period for Volume B, "Approach, Architecture, and Security Characteristics" (Preliminary Draft 1), runs 11/20/18 to 1/11/19. This preliminary draft is stable but has some gaps in its content that will be addressed in the next draft.

SP 1800-19B (Preliminary Draft 1)

Supplemental Material:
Submit Comments on 1800-19B (other)
SP 1800-19A (Preliminary Draft 1) (pdf)
Project Homepage (other)

Authors: Michael Bartock (NIST), Murugiah Souppaya (NIST), Karen Scarfone (NIST), Daniel Carroll (Dell/EMC), Robert Masten (Dell/EMC), Gina Scinta (Gemalto), Paul Massis (Gemalto), Hemma Prafullchandra (HyTrust), Jason Malnar (HyTrust), Harmeet Singh (IBM), Raghuram Yeluri (Intel), Tim Shea (RSA), Michael Dalton (RSA), Anthony Dukes (VMware), Carlos Phoenix (VMware), Brenda Swarts (VMware)

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988