
NOVEMBER 2012

Real-World Guide

Intel Security Technology for the Cloud
How IT Managers Can Protect Data and Infrastructure and Meet Compliance Demands

Why You Should Read This Document

This guide provides an introduction to how Intel security technologies work together at key enforcement points throughout the cloud, including usage cases that take advantage of:
• Hardware-based and software technologies that use cryptography to protect data and secure connections
• Hardware-based technologies to strengthen identity and access management and secure clients that access the cloud
• API-level controls via a service gateway to protect edge systems and applications
• Trusted compute pools to validate platform integrity and provide data to security information and event manager (SIEM) and governance, risk management, and compliance (GRC) dashboards for auditing and compliance purposes


Contents

3 Introduction: The Cloud Security Landscape 2012
5 Protecting Data—in Motion, in Process, and at Rest
  • Cryptography for Data Protection
7 Securing Infrastructure—for Clients, at the Edge, and in Data Centers
  • Identity and Access Management to Secure Clients
  • Service Gateways for API-Level Controls
  • Trusted Compute Pools to Establish Trust
11 Security Compliance in the Cloud
  • Automating Compliance Built on Trusted Compute Pools
13 Next Steps: Cloud Security Considerations Checklist
14 Intel Resources for Learning More
17 Endnotes

Introduction: The Cloud Security Landscape 2012

As cloud adoption continues, so does the evolution of data center infrastructure. According to Gartner, by 2015 the majority of IT departments will be using private or hybrid clouds.1 Yet for many organizations, especially those with sensitive data and workloads or highly regulated environments, gaining full benefits from the cloud is partly limited by security concerns.

Security is a big priority for Intel, and Intel’s attention has been focused on this specific area for some time. We know that IT organizations worry about cloud security. Our own research backs up what other surveys and analyst predictions have determined. We even have a good idea of what specific security concerns are on their minds.2 And we know what IT wants the industry to do in order for them to gain confidence in cloud security.

Proven Security Reference Architectures: Intel® Cloud Builders

Our Intel® Cloud Builders program provides proven, tested cloud security reference architectures based on real-world IT requirements. They give detailed instructions on how to install and configure a particular cloud solution using Intel® Xeon® processor-based servers and other Intel and Intel partner technologies. Intel Cloud Builders also provides education and an online forum for discussion of technical issues, best practices, and tools and technologies to strengthen cloud environments and help organizations realize greater agility and cost savings in more and more use cases.

3 Intel IT Center Real-World Guide | Cloud Security

Cloud Security Challenges

Cloud environments bring new security challenges. Shared technology, the aggregation of various application components and services onto a single physical server platform in the cloud, and the expectation of ubiquitous access via a variety of endpoint devices make the cloud an inviting playground for attacks on both data and infrastructure. Organizations are facing greater risks of losing sensitive data and intellectual property, leading to expensive liability and loss of reputation.

• Multitenancy. Shared technology, such as CPU caches, graphics processing units (GPUs), disk partitions, memory, and other components, was never designed for strong compartmentalization.
• Virtualization. The growing use of virtual machines (VMs) aggregates the security risks of various application components and services onto a single physical server platform, and compromise of the hypervisor can in turn potentially compromise shared physical resources.
• Public clouds. Boundaries between the data center and cloud providers are blurred in public clouds, creating third-party dependencies for data protection.
• Access control. The dynamic environment of the cloud extends the perimeter of the enterprise beyond the data center, making it more difficult to enforce security controls.
• Mobile access. Bring Your Own Device (BYOD) programs are driving containerization of applications through hardware and operating system functions.
• Lack of visibility. Clouds lack transparency, making the environment difficult to audit for proof of compliance to security regulations.
• Data location. Safeguarding data and attesting to its location is a huge issue worldwide. For example, European Union (EU) regulations require certain data to remain only in the EU.
• Auditing to meet compliance requirements. The demand for compliance to regulations is often a growing cost for companies. Commonly cited examples of government acts with security enforcement requirements include the Federal Risk and Authorization Management Program (FedRAMP) in the United States and the Data Protection Act in the United Kingdom, as well as standards such as the Payment Card Industry (PCI) Security Standards. To comply, organizations need to be able to monitor and attest that security policies are being set and enforced.

Increased Risk from Platform Attacks

One other item—not on the above list but critically important to understand—is the growing trend for platform attacks. Cybercriminals are expanding their attack targets from just software to sophisticated attacks on the platform itself. Stealthy attacks on data center infrastructure are difficult to detect with traditional antivirus products, and cybercriminals use rootkit attacks to infect system components such as hypervisors, BIOS, and operating systems and can hide malware that operates in the background and spreads throughout a cloud environment. Stealth and control are the objectives of these attacks.

The Purpose of This Real-World Guide

This document is part of the “real-world guide” series from the Intel® IT Center. Its purpose is to make it easy for you to understand how Intel’s various security technologies work together to provide security at key enforcement points throughout the cloud. We’ll step through specific usage models that address the challenges analysts and other experts have identified as the most important for cloud security and provide details on how the technologies work, and we provide perspectives on the data center, edge systems, and endpoint devices that access the cloud. These usage models apply to private and public clouds.

The usage models in this guide fall into three areas:
• Protecting data—in motion, in process, and at rest
• Securing infrastructure—for clients, at the edge, and in data centers
• Security compliance in the cloud

Protecting Data—in Motion, in Process, and at Rest

Data protection is a fundamental security concern for cloud computing, where personal or business-critical information moves beyond the traditional boundaries of the data center. This section covers the usage model Cryptography for Data Protection.

Cryptography for Data Protection

What You Need to Know

Cryptography has long been recognized as a best practice for protecting data through encryption. Encryption renders data useless in the event that it is leaked or stolen. Clouds also use cryptographic protocols to secure browser access to the user portal and transfer encrypted data. However, encryption and decryption (making the data useful again) come with a “penalty tax”: the process uses complex algorithms to protect the data, which can slow down performance. When moving encrypted data through connections, performance can be affected.

Why This Is Important

Intel AES-NI delivers faster, stronger, more affordable data protection. Intel’s enhancements to OpenSSL provide fast, secure connections that transfer encrypted data securely while virtually eliminating performance issues. Combined, Intel AES-NI and the OpenSSL enhancements deliver significant performance gains, making pervasive encryption possible with workloads where it was previously unfeasible.

Intel Security Technology Role Call
• Intel Advanced Encryption Standard New Instructions (Intel AES-NI)
• OpenSSL* library enhancements
  - Intel’s RSAX
  - Intel’s Function Stitching

You can safeguard data as it moves throughout the cloud, minimizing vulnerabilities with cryptography to encrypt data and establish secure connections for data transfer.

How Intel® AES-NI and OpenSSL* Work

Intel AES-NI

Intel AES-NI3 provides performance benefits that make encryption faster and more efficient for data transport and storage workloads. Intel AES-NI increases encryption speed via a set of seven new instructions that accelerate parts of the AES4 algorithm encryption and decryption execution. Four of the new instructions accelerate the encryption/decryption of a round, and two new instructions generate round keys. The seventh helps in carry-less multiplication, which accelerates applications doing block cipher encryption.5 The new AES-NI instruction set executes several compute-intensive parts of the AES algorithm using significantly fewer clock cycles than a software solution. Intel AES-NI can accelerate performance up to 10 times faster than a software-only AES solution. On the other side of the process, Intel AES-NI decrypts data up to 33 times faster, making encryption practical.6

Intel AES-NI also provides strengthening against side-channel attacks by performing decryption and encryption completely in the hardware without the need for software lookup tables. This is an increasingly critical capability in shared technology environments like the cloud, where multiple workloads could have visibility into subsystems used in computing encryption routines.

Intel AES-NI is available on Intel® Xeon® processors, select Intel® Core™ processors, Intel® Core™ vPro™ processors7, and in all Ultrabook™ devices. Intel AES-NI can be used in any of the growing set of optimized applications that use the AES standard. A wide range of leading software solutions take advantage of Intel AES-NI to secure transactions, including network, disk, and file encryption solutions. For a complete list of applications, visit Intel AES-NI Ecosystem Update. Find out more about Intel AES-NI.

Security protocols Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are used to assure safe communications over networks and are widely used for applications such as secure web browsing (HTTPS).
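As an added example (not code from this guide or from Intel’s libraries), the following C program exercises the seven AES-NI instructions the text enumerates through their compiler intrinsics: AESKEYGENASSIST for the AES-128 key schedule, AESENC/AESENCLAST and AESDEC/AESDECLAST for the rounds, AESIMC to derive the decryption round keys, and PCLMULQDQ for carry-less multiplication. It checks itself against the FIPS-197 Appendix C AES-128 test vector and assumes an x86-64 CPU with AES-NI and PCLMULQDQ plus GCC or Clang, whose per-function target attributes stand in for the -maes/-mpclmul flags.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <emmintrin.h>   /* SSE2: 128-bit loads, stores, shifts, XOR */
#include <wmmintrin.h>   /* AES-NI and PCLMULQDQ intrinsics */

/* Enable the instruction subsets per function instead of via -maes/-mpclmul. */
#define AESNI_FN __attribute__((target("sse2,aes,pclmul")))

/* One AES-128 key-schedule step. AESKEYGENASSIST performs SubWord, RotWord
 * and the round-constant XOR in hardware; dword 3 of its result is the word
 * we need, so broadcast it and fold in the running XOR of the previous round
 * key (FIPS-197 section 5.2) with three shift-and-XOR operations. */
static AESNI_FN __m128i key_step(__m128i prev, __m128i assist) {
    __m128i t = _mm_slli_si128(prev, 4);
    assist = _mm_shuffle_epi32(assist, 0xff);
    prev = _mm_xor_si128(prev, t);
    t = _mm_slli_si128(t, 4);
    prev = _mm_xor_si128(prev, t);
    t = _mm_slli_si128(t, 4);
    prev = _mm_xor_si128(prev, t);
    return _mm_xor_si128(prev, assist);
}

/* The round constant is an immediate operand, hence a macro rather than a loop. */
#define KEY_ROUND(rk, i, rcon) \
    (rk)[i] = key_step((rk)[(i) - 1], _mm_aeskeygenassist_si128((rk)[(i) - 1], (rcon)))

/* Expand a 16-byte key into the 11 round keys consumed by AESENC/AESENCLAST. */
static AESNI_FN void aes128_expand(const uint8_t key[16], __m128i rk[11]) {
    rk[0] = _mm_loadu_si128((const __m128i *)key);
    KEY_ROUND(rk, 1, 0x01); KEY_ROUND(rk, 2, 0x02); KEY_ROUND(rk, 3, 0x04);
    KEY_ROUND(rk, 4, 0x08); KEY_ROUND(rk, 5, 0x10); KEY_ROUND(rk, 6, 0x20);
    KEY_ROUND(rk, 7, 0x40); KEY_ROUND(rk, 8, 0x80); KEY_ROUND(rk, 9, 0x1b);
    KEY_ROUND(rk, 10, 0x36);
}

/* Encrypt one block: initial AddRoundKey, nine AESENC rounds (SubBytes,
 * ShiftRows, MixColumns and AddRoundKey in one instruction), one AESENCLAST.
 * No S-box table is read from memory, which is the side-channel point above. */
AESNI_FN void aes128_encrypt_block(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    __m128i rk[11];
    aes128_expand(key, rk);
    __m128i s = _mm_xor_si128(_mm_loadu_si128((const __m128i *)in), rk[0]);
    for (int i = 1; i < 10; i++) s = _mm_aesenc_si128(s, rk[i]);
    s = _mm_aesenclast_si128(s, rk[10]);
    _mm_storeu_si128((__m128i *)out, s);
}

/* Decrypt one block. AESDEC implements the equivalent inverse cipher, so the
 * middle round keys are first passed through AESIMC (InvMixColumns) and the
 * schedule is applied in reverse order. */
AESNI_FN void aes128_decrypt_block(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    __m128i rk[11];
    aes128_expand(key, rk);
    __m128i s = _mm_xor_si128(_mm_loadu_si128((const __m128i *)in), rk[10]);
    for (int i = 9; i > 0; i--) s = _mm_aesdec_si128(s, _mm_aesimc_si128(rk[i]));
    s = _mm_aesdeclast_si128(s, rk[0]);
    _mm_storeu_si128((__m128i *)out, s);
}

/* The seventh instruction: carry-less multiply of two 64-bit polynomials over
 * GF(2), the primitive behind GCM's GHASH. Returns the low 64 bits. */
AESNI_FN uint64_t clmul64_low(uint64_t a, uint64_t b) {
    __m128i va = _mm_set_epi64x(0, (long long)a);
    __m128i vb = _mm_set_epi64x(0, (long long)b);
    return (uint64_t)_mm_cvtsi128_si64(_mm_clmulepi64_si128(va, vb, 0x00));
}

/* Known-answer test: the FIPS-197 Appendix C.1 AES-128 vector, a round trip,
 * and one small carry-less product. Returns 1 on success, 0 on a mismatch or
 * when the CPU lacks AES-NI/PCLMULQDQ. */
int aesni_selftest(void) {
    static const uint8_t key[16] = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
                                    0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f};
    static const uint8_t pt[16]  = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                                    0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    static const uint8_t ct[16]  = {0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,
                                    0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a};
    uint8_t enc[16], dec[16];
    __builtin_cpu_init();
    if (!__builtin_cpu_supports("aes") || !__builtin_cpu_supports("pclmul")) return 0;
    aes128_encrypt_block(key, pt, enc);
    aes128_decrypt_block(key, enc, dec);
    /* (x + 1)(x^2 + 1) = x^3 + x^2 + x + 1 with no carries: 0x3 * 0x5 = 0xf */
    return memcmp(enc, ct, 16) == 0 && memcmp(dec, pt, 16) == 0 &&
           clmul64_low(0x3, 0x5) == 0xf;
}

int main(void) {
    int ok = aesni_selftest();
    printf("AES-NI known-answer test: %s\n", ok ? "PASS" : "FAIL");
    return ok ? 0 : 1;
}
```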

Intel OpenSSL Enhancements

The SSL and TLS protocols involve two compute-intensive phases—session initiation and bulk data transfer. Intel works closely with OpenSSL, a popular open-source, multiplatform security library. OpenSSL can be used to secure web transactions through services such as Gmail*, e-commerce, and Facebook* to safeguard connections on Intel architecture. Intel has contributed to two advanced library functions that optimize implementations of cryptographic communications functions for both the session initiation and bulk data transfer phases:

• Intel’s RSAX. RSAX is a unique implementation of the popular RSA algorithm (RSA-1024 bit implementation) that produces significantly better performance than previous OpenSSL implementations. The standard approaches to executing the RSA algorithm involve a series of computation-heavy steps—a series of squaring or multiplication steps, each followed by a reduction step. The Intel enhancement to the RSAX implementation features a reduction method based on folding, coupled with an extensively optimized key-size-specific assembler implementation. RSAX can accelerate the time to initiate an SSL session by up to 1.5 times8, providing a better user experience and increasing the number of simultaneous sessions your server can handle.

• Intel’s Function Stitching. Bulk data buffers use two algorithms for encryption and authentication. Rather than encrypting and authenticating data serially, Intel’s Function Stitching interleaves instructions from these two algorithms, executing them simultaneously. This better utilizes execution resources and improves bulk data buffer performance because execution units that would otherwise be idle when executing a single algorithm—due to either data dependencies or instruction latencies—can be used to execute instructions from the other algorithm, and vice versa. Combined with RSAX and Intel AES-NI, Function Stitching can result in up to 4.8 times performance improvement for secure web servers.9

OpenSSL is certified for FIPS 140-2, a computer security standard developed by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP). Any software that uses OpenSSL can automatically take advantage of these Intel advancements.

Bits and Pieces

Intel cryptography technologies accelerate encryption-related tasks:

With Intel® AES-NI: Encryption is up to 10 times faster.6

With Intel’s OpenSSL* enhancements:
• Intel’s RSAX can accelerate the time to initiate an SSL session by up to 1.5 times.8
• Intel’s Function Stitching can result in up to 4.8 times performance improvement for secure web servers when combined with RSAX and Intel AES-NI.9

More about Intel Data Protection Technologies

Securing Infrastructure—for Clients, at the Edge, and in Data Centers

The trend for cybercriminals to target the platform and infrastructure with stealthy threats such as rootkit attacks is increasing. For example, rootkit attacks infect system components such as hypervisors, BIOS, and operating systems and can hide in the background and spread through a cloud environment. These threats are difficult to detect with traditional antivirus products. This section includes three usage models for securing infrastructure against these attacks at three key enforcement points:
• Identity and Access Management to Secure Clients
• Service Gateways for API-Level Controls
• Trusted Compute Pools to Establish Trust

Identity and Access Management to Secure Clients

What You Need to Know

Business users typically have 12 user name and password pairs. Keeping them straight often leads to poor security practices, such as choosing easy-to-remember, potentially weak passwords or writing them down where they can be easily compromised. Account or service hijacking is one of the top threats identified by the Cloud Security Alliance10 and provides a channel for attacks on data and infrastructure.

Why This Is Important

To counter these practices, cloud environments need more sophisticated identity and access management policies that protect against unauthorized users, including strong authentication, audit capabilities, and integrity checking of endpoint devices.

Intel Security Technology Role Call
• Intel Identity Protection Technology (Intel IPT)11

How Intel IPT Works

Intel IPT builds tamper-resistant, two-factor authentication directly into PCs based on Intel processors. Intel IPT provides two ways to protect web site and network access points by validating legitimate users logging in from a trusted platform.

• Intel IPT with OTP. Two-factor authentication using a one-time password (OTP) combines a user name and password combination with an additional one-time credential in the form of a six-digit number. This six-digit number is available on demand and valid only for a brief period of time. In the case of Intel IPT, token generation is built into the hardware, eliminating the need for a separate physical token. The six-digit number is generated every 30 seconds from an embedded processor or the Manageability Engine (ME) on the computer motherboard. The ME is a controlled, tamper-proof area of the chipset. Plus, it operates in isolation from the operating system for added security. Algorithms developed by independent software vendors and Intel partners such as McAfee, Symantec, and Vasco run in the ME.
Availability: IPT with OTP is available in select 2nd gen Intel Core processor-based PCs, 3rd generation Intel Core vPro processors, and all Ultrabook devices.

• Intel IPT with PKI. Enterprises already using public key infrastructure (PKI) to protect their access points can strengthen authentication with Intel IPT with PKI. PKI is a system of digital certificates, certificate authorities, and other registered authorities that verify and authenticate the validity of each partner involved in logging on to your network via VPN for e-mail encryption, digital signature, WiFi network access, or software as a service (SaaS) applications. Similar to the OTP credential, Intel IPT embeds a PKI certificate in the chipset to authenticate the user and server to each other and to encrypt and digitally sign documents, performing the operations that link the computer to a validated site and ensuring strong authentication. By providing hardware-based security, Intel IPT with PKI offers a greater level of security and eliminates the additional cost of supporting traditional smart card or token storage options.
Availability: IPT with PKI is available in select 2nd gen Intel Core processor-based PCs, 3rd generation Intel Core vPro processors, and all Ultrabook devices.

Intel IPT offers a third hardware-based technology that complements either the OTP or PKI technology to further secure transactions from malware attacks:

• Intel IPT with PTD. Intel IPT provides protected transaction display (PTD) capabilities that enable PCs to display and collect user transaction information while protecting against attack. Users input a secure personal identification number (PIN), generated by the graphics hardware using mouse clicks, which is invisible to the operating system. Because the display screen is part of the processor’s integrated graphics, it never gets exposed to the software layer—only to the user in front of the screen. Encrypted I/O technology runs below the operating system to prevent tampering. This enables businesses and web sites to confirm user presence, verify transactions, and protect PC displays from screen scraping and keyloggers.
Availability: Intel IPT with PTD is available with 3rd generation Intel Core vPro processors and all Ultrabook devices.

Find out more about Intel IPT.

Service Gateways for API-Level Controls

What You Need to Know

APIs—where cloud communication between applications is orchestrated—are increasingly exposed to third parties and mobile requests, driving the need for greater application-level security. APIs are subject to attacks such as malicious code injections, denial-of-service attacks, data snooping, service information leakage, and more. API gateways, or “service gateways,” are becoming increasingly important as a way to securely scale consumption of cloud services. They offer a centralized way for IT and developer teams to collaborate on how security policy is created and enforced for the cloud. This is in contrast to custom coding management for each API within every application, which does not scale in cloud environments with hundreds of application endpoints and disparate developer teams.

Why This Is Important

API-level controls provide a measure of protection for departmental and edge system infrastructure and reduce the risk of attack on applications, as well as on middleware and auditing and monitoring infrastructure.

Intel Security Role Call
• Intel Expressway Service Gateway (Intel ESG)

How Intel ESG Works

Intel ESG is a highly scalable software appliance that provides a single point of entry and control for all API traffic, regardless of protocol or deployment. Common protocols include representational state transfer (REST), simple object access protocol (SOAP), JavaScript* object notation (JSON), or any legacy protocol such as electronic data interchange (EDI). The first point of contact to cloud data center infrastructure goes through Intel ESG as a proxy. The service gateway authenticates APIs at the network edge against existing enterprise identity and access management systems. As such, it enables IT to deploy a standards-based policy enforcement point at the network edge. Intel ESG supports OAuth 2.0, which is emerging as the standard authentication and authorization method for RESTful web services and APIs. Intel ESG enables you to control how APIs are exposed and consumed with auditing, logging, and metering. It can also accelerate offload functions such as protocol bridging, encryption, stripping out sensitive information, and specific format conversions for regulated applications, such as those covered by the Healthcare Insurance Portability and Accountability Act (HIPAA).

A specialized PCI Data Security Standard (PCI DSS) compliance version of the service gateway is available for use in certain industries. Intel Expressway Tokenization Broker delivers compliance for managing credit card primary account number (PAN) data and personally identifiable information such as medical records by tokenizing and encrypting data.

Find out more about Intel Cloud Identity and API Security.

More about API Controls

Trusted Compute Pools to Establish Trust

What You Need to Know

Cloud computing has elastic boundaries that can push the perimeter of the enterprise far beyond the data center. Traditional approaches to protecting data and platform—firewalls, physical separation, and isolation—can’t work effectively in the cloud. Trusted compute pools that aggregate a group of servers under a single set of security policies can validate platform integrity of cloud infrastructure and provide data for auditing and compliance purposes to security and information event management (SIEM) and governance, risk, and compliance (GRC) dashboards.

Why This Is Important

Establishing trust at the hardware level can make platforms more resistant to software attacks, prove that host software is good through integrity checking, and respond quickly to attacks and minimize damage. With trusted compute pools, administrators can make decisions about how much to expose data and workloads. Trusted compute pools are an important part of cloud security practices—in your own private cloud, but also as part of the data center operations and security provided by cloud service providers.

Intel Security Role Call
• Intel Trusted Execution Technology (Intel TXT)
• Intel Virtualization Technology (Intel VT)
• Intel Virtualization Technology FlexMigration (Intel VT FlexMigration)

How These Technologies Work

Intel TXT12 is found in Intel Xeon processors and uses the processor, chipset, BIOS, and third-party Trusted Platform Modules (TPMs) to better resist software attacks and to make platforms more robust. Intel TXT increases protection by allowing greater control of the launch stack through a measured launch environment (MLE) and enabling isolation in the boot process, permitting a verifiably secure installation, launch, and use of a hypervisor or operating system. Intel TXT also extends the Virtual Machine Extensions (VMX) environment of Intel VT13 and protects against unauthorized direct memory accesses (DMAs). This enforces application and data isolation on the system and reduces the attack surfaces of shared environments, enabling trusted compute pools in virtualized and cloud environments.

• Root of trust. Intel TXT establishes trust by establishing a root of trust. Intel TXT makes an initial measurement of the pre-operating system environment, including measured firmware, BIOS, and hypervisor virtualization, and establishes a server’s beginning “known good state” or root of trust. Intel TXT stores this root of trust in the TPM to be read by the hypervisor for future comparison and evaluation. The root of trust extends a chain of trust through critical controlling software layers, verifying launch and supporting compliance. A hardware-based root of trust is extremely difficult to defeat or subvert and provides an excellent foundation against increasingly sophisticated malware attacks. This root of trust provides the necessary underpinnings for successful evaluation of the computing platform and its protection.

More about Establishing Trust

• Launch verification. Intel TXT checks the hypervisor integrity at start-up, measuring the code of the hypervisor and comparing it to a known good value. Launch can be blocked if the measurements do not match, stopping the launch of unrecognized software and enforcing known good launch-time configurations.

• Trusted compute pools. Groups of servers each running Intel TXT and aggregated under the same set of security policies are called trusted compute pools. Once a known good environment is validated, launch integrity data can be used to provide a useful control point for virtualized workloads. For example, you can establish and enforce policies defining that critical workloads or sensitive data be deployed only onto trusted platforms. Trusted compute pools substantially reduce the security risks of using remote or virtualized infrastructure by preventing a compromised VM on one physical host from compromising another. In this environment, Intel VT FlexMigration can safely migrate live VMs.

• Compliance monitoring. Integrity-checking data provided by Intel TXT is available for audit purposes and can be used with GRC or SIEM dashboards for further reporting on the controls in place in your IT or cloud environment.

Get more about Intel TXT.

Bits and Pieces

IT managers worry about infrastructure vulnerabilities—particularly in public clouds. In a recent Intel survey:
• Almost 60 percent are either extremely or very concerned about the security of the provider’s infrastructure when asked about outsourcing to a cloud service provider.
• More than two-thirds of that group worry specifically about rootkit hypervisor attacks or other attacks on the cloud server environment.
• The good news: 78 percent believe that hardware-based measures can deliver a higher level of security.

Source: Peer Research: Cloud Security Insights for IT Strategic Planning, Intel (September 2011). intel.com/content/dam/www/public/us/en/swf/pdfview/it-center/cloud-security/peer-research/applt

Protected VM Migration

Trusted pools prevent a compromised virtual machine (VM) on one physical host from compromising another host.

[Figure: three hosts, each a Hardware / Hypervisor stack running VMs (VM1a, VM2a, VM1b, VM2b, VM3a, VM3b), each VM consisting of an App and an OS.]

Security Compliance in the Cloud

The regulatory environment is becoming increasingly complex. Complying with requirements for keeping systems and data secure continues to be a major cost consideration for companies. Plus, today’s cloud auditing processes are highly manual—requiring substantial effort and cost. Trusted compute pools can provide the foundation for building improved security compliance capabilities in private, hybrid, and public cloud environments with assurances rooted in hardware and verifiable up through the hypervisor. This section includes a usage model for automating compliance built on trusted compute pools.

Automating Compliance Built on Trusted Compute Pools

What You Need to Know

The penalties for noncompliance can be significant. Compliance solutions can leverage trusted compute pools to provide visibility into security enforcement in the cloud virtualized infrastructure. This information provides the visibility required to assess compliance to security requirements. This level of transparency and auditability is especially important in hybrid and public clouds, where organizations must rely on assurances supplied by their cloud service providers.

Why This Is Important

Checking that various security controls are in place and executing can be automated, as can gathering the incidents and responses these controls report. By automating security audits and compliance, both the cost and risk to organizations can be significantly reduced. Trusted compute pools can provide the foundation for automating security compliance in the cloud-virtualized environment from the hardware up through the hypervisor, cloud orchestration, policy management, and reporting and verification layers. Intel is working with leading providers at each layer of the security stack to create proven, tested solutions. The first of these will be available in late 2012.

Intel® Cloud Finder

Intel® Cloud Finder is a registry of service providers that use Intel technology and can help you find cloud services providers who meet key criteria for high-performance cloud solutions in security and other technology categories. Key security criteria include:
• Access control
• Auditability
• Regulatory standards and compliance
• Hardware infrastructure

Visit Intel Cloud Finder at intelcloudfinder.com.

Intel Security Role Call
• Intel TXT
• Software solutions built to utilize trusted compute pools running Intel TXT

How These Technologies Work

Intel TXT12 provides launch-time verification that a specific physical server boots cleanly against a prescribed launch environment signature and can be trusted—for instance, a machine that has verified integrity and is known to be running the expected operating environment. Virtualization and cloud management software that can identify these “known good” systems can then assign sensitive workloads and data to these systems more selectively. Intel TXT can also make the results of its integrity checks available to policy management and SIEM and GRC solutions for audit and security management purposes.

Here’s how Intel TXT works throughout the possible layers of defined solution stacks to establish trust and verify adherence to security standards:

• Hypervisor software: The hypervisor invokes Intel TXT to make a launch-time measurement. These results are used to validate a server’s known good status. The hypervisor can then securely share this information with other layers of the software solution stack. Depending on the implementation, this layer may be used to create trusted compute pools. VMware* vSphere* is an example of a leading hypervisor that incorporates the robust features supporting Intel TXT.

• Cloud orchestration software: This software sits above the hypervisor and manages operations and resources across various hypervisors, thus managing the virtualized data center. Depending on the implementation, this layer may also create, monitor, and use trusted compute pools.

• Security policy management software: In this layer, software can set policies that dictate how trusted compute pools will be used—for example, restricting or allowing VM, sensitive workload, or data migration based on platform security or trust profiles. Various policy engines also may specialize in the compliance requirements for specific business verticals with built-in policy templates to help implementation.

• Security information and event management (SIEM) software: SIEM software creates a general security control point that aggregates the event and information reports from various security applications and activities into a database that can be queried—including the status of trusted compute pools. Administrators can use this information to create new or refine existing policies for use by the policy engine.

• Governance, risk management, and compliance (GRC) software: GRC software produces specific audit and compliance reports, often utilizing the information gathered by an SIEM solution. The GRC software may also query the infrastructure to make sure policies are active and in place. Again, various solutions may specialize in the compliance requirements for specific business verticals with built-in policy templates to help implementation.

More about Trusted Compute Pools

Next Steps: Cloud Security Considerations Checklist
Security should be part of your planning for a cloud, whether you are building an internal private cloud or outsourcing some or all of your workloads to a public cloud provider. Use this checklist to help you identify potential vulnerabilities to inform your security practices. Intel has developed resources to help you build security into your cloud environment, including planning guides, white papers, and reference architectures.

Threat Assessment
☐ Is your data center under increasing attack from malware and other cyberthreats?
☐ Have you ever experienced a serious breach?
☐ Have you resisted moving sensitive workloads to the cloud because of security concerns?

Data Protection
☐ How much of your data is encrypted?
☐ Is your encryption solution software-only?
☐ Would you like to increase your use of encryption, but you worry about performance?
☐ How are connections that transfer encrypted data secured?

Infrastructure Protection
☐ What cloud access and identity management controls are in place?
☐ Does infrastructure include security built into the hardware?
☐ How is identity managed and authenticated?
☐ Is two-factor authentication utilized?
☐ Do you have a service gateway in place to enforce API security?
☐ Can you validate the integrity of the server platform?
☐ Can your systems establish a root of trust?
☐ Do you manage a trusted platform of pooled resources for virtualized and other shared services?

Compliance
☐ Can you demonstrate security policy enforcement to comply with regulatory demands for your industry?
☐ How are attacks monitored and documented?

Intel Resources for Learning More

About Data Protection Technologies

Secure Cloud with High Performing Intel Data Protection Technologies
This video animation features cryptographic technologies from Intel that accelerate data encryption and the communication of encrypted data via secure connections, including Intel AES-NI and Intel enhancements to the OpenSSL security library.
youtube.com/watch?v=I0ALeQjS7FA&feature=youtu.be

Improving OpenSSL Performance
In this white paper, Intel architects describe Intel’s enhancements to OpenSSL and the performance gains associated with using them to secure connections for encrypted data traffic.
http://download.intel.com/design/intarch/papers/326232.pdf

Securing the Enterprise with Intel® AES-NI
This white paper describes the seven new instructions built into Intel AES-NI that can accelerate encryption, as well as examining several usage models: secure transactions, enterprise applications, and full-disk encryption.
intel.com/content/dam/doc/white-paper/enterprise-security-aes-ni-white-paper.pdf

About Infrastructure Protection Technologies

Enhancing Security with Intel® Trusted Execution Technology
This animation describes the security issues facing today’s data centers and describes how Intel TXT can provide hardware-based protection for clients and data center infrastructure in virtualized environments.
intel.com/content/www/us/en/cloud-computing/cloud-computing-enhancing-server-cloud-security-brief.html

Intel® Trusted Execution Technology
This white paper describes how IT can use Intel TXT as a powerful, hardware-based building block to secure IT solutions by addressing security threats to physical and virtualized infrastructure.
intel.com/content/www/us/en/trusted-execution-technology/trusted-execution-technology-security-paper.html

Intel® Expressway Service Gateway
This product brief describes the capabilities and features offered by Intel ESG.
http://info.intel.com/rs/intel/images/Intel_ServiceGateway_Data_Sheet.pdf

Intel Service Gateway Animation Overview
This video animation demonstrates how Intel Expressway Service Gateway protects APIs from attack by integrating, mediating, securing, and dynamically scaling services for control at the network edge.
http://software.intel.com/en-us/articles/service-gateway-animated-overview/

intelcloudbuilders. and efficient cloud infrastructure. improve security and efficiency. intel. an online forum to discuss technical issues.Intel Cloud Computing Ecosystem Intel® Cloud Builders: Proven Guidance to Build and Optimize Cloud Infrastructure This landing page provides access to resources provided as part of Intel Cloud Builders. Each reference architecture in this online library is based on real-world IT requirements and provides detailed instruction for how to install and configure a particular cloud solution using Intel Xeon processor-based servers and technologies.com/content/www/us/en/cloud-computing/cloud-builders-provide-proven-advice.html Intel® Cloud Finder Intel Cloud Finder is an online resource to help you identify and locate cloud service providers that will meet your needs—including security.com/library 15 Intel IT Center Real-World Guide | Cloud Security . This landing page provides access to a detailed search tool. and a wide portfolio of proven reference architecture solutions from a broad range of leading systems and solutions providers.com/ Cloud Computing Infrastructure: Cloud Builders Reference Architecture Library Explore proven cloud-building reference architectures developed by leading systems and solutions providers to help solve key IT challenges. intelcloudfinder. a cross-industry initiative to build more simplified. secure. and simplify your data center. a quick search. and guidance for choosing a cloud provider. Intel Cloud Builders provides best practices.

Additional Resources

Open Data Center Alliance℠ Usage: Provider Assurance Rev. 1.1
This usage model document outlines the granular specification needed from every solution provider to enable security in multitenant shared infrastructure, with a standard way of determining where every cloud provider stands. It uses a tiered model of bronze, silver, gold, and platinum classifications for differentiation of service delivery to enable competitive offerings with trade-off features. There are implications at each level of stringency.
opendatacenteralliance.org/docs/ODCA_ProviderAssurance_Rev.%201.1_Final.pdf

Security Guidance for Critical Areas of Focus in Cloud Computing, v3.0
This Cloud Security Alliance (CSA) guide contains in-depth information to help you conduct a risk assessment of initial cloud risks and make informed decisions about how you can adopt cloud computing services and technologies. In addition to general guidance, the document covers 14 critical domains, including cloud computing architecture; governance and enterprise risk management; legal contracts and electronic discovery; compliance and audit management; information management and data security; interoperability and portability; traditional security, business continuity, and disaster recovery; data center operations; incident response; application security; encryption and key management; identity and access management; virtualization; and security as a service.
https://cloudsecurityalliance.org/research/security-guidance/

Top Threats to Cloud Computing, v1.0
This CSA 2010 report catalogs best practices for managing seven threats in the cloud environment. It is designed to provide organizations with needed context to assist them in making informed risk-management decisions based on their specific cloud deployment strategies.
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

Endnotes
1 The Road Map from Virtualization to Cloud Computing. Gartner RAS Core Research Note G00210845 (March 2011).
2 What’s Holding Back the Cloud? Intel Survey on Increasing IT Professionals’ Confidence in Cloud Security. Intel (May 2012). intel.com/content/www/us/en/cloud-computing/whats-holding-back-the-cloud-peer-research-report.html
3 The Advanced Encryption Standard (AES) is an encryption standard first adopted by the U.S. government in 2001. It is widely used to protect network traffic, personal data, and corporate IT infrastructures.
4 Intel AES-NI requires a computer system with an AES-NI–enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on Intel Xeon processors, Intel Core i7-600 Mobile Processor Series, Intel Core i5-600 Desktop Processor Series, and Intel Core i5-500 Mobile Processor Series. For availability, consult your reseller or system manufacturer. For more information, see intel.com/content/www/us/en/architecture-and-technology/advanced-encryption-standard--aes-/data-protection-aes-general-technology.html
5 Up to 4.8x performance improvement for secure web servers when combined with Intel AES-NI and RSAX per published white paper Improving OpenSSL Performance. Intel (October 2011). http://download.intel.com/design/intarch/papers/326232.pdf
6 Up to 1.55x acceleration of time to initiate an SSL session per published white paper Improving OpenSSL Performance. Intel (October 2011). http://download.intel.com/design/intarch/papers/326232.pdf
7 Source: Testing with Oracle* Database Enterprise Edition 11.2.0.2 with Transparent Data Encryption (TDE) AES-256 shows as much as a 10x speedup when inserting 1 million rows 30 times into an empty table on the Intel Xeon processor X5680 (3.33 GHz, 36 MB RAM) using Intel IPP routines, compared with the Intel Xeon processor X5560 (2.93 GHz, 36 MB RAM) without Intel IPP. RV2A811182011. http://research.pcworld.com/content14839.html
8 Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests such as SYSmark* and MobileMark* are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.
9 Intel vPro technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software, and IT environment. To learn more, visit intel.com/technology/vpro.

v1. firmware. visit http://ipt. software. a chipset. Requires an Intel Identity Protection Technology–enabled system. Cloud Security Alliance (2010). including a 2nd gen or 3rd gen Intel Core processor. Intel TXT also requires the system to contain a TPM v1. visit intel. For more information. visit intel. Intel assumes no liability for lost or stolen data or systems or any resulting damages. or other benefits will vary depending on hardware and software configurations.com/technology/security. Functionality. Intel Trusted Execution Technology (Intel TXT) requires a computer system with Intel Virtualization Technology. For more information. Authenticated Code Modules. https://cloudsecurityalliance.pdf No system can provide absolute security under all conditions.com.intel.0. and a participating web site. 11 12 13 18 Intel IT Center Real-World Guide | Cloud Security . Consult your PC manufacturer. No computer system can provide absolute security under all conditions. Intel Virtualization Technology (Intel VT) requires a computer system with an enabled Intel processor and BIOS and a virtual machine monitor (VMM). Consult your system manufacturer. For more information. Software applications may not be compatible with all operating systems.org/topthreats/csathreats. an Intel TXT–enabled processor and BIOS.0.10 Top Threats to Cloud Computing. and an Intel TXT–compatible measured launched environment (MLE).s.com/go/virtualization. performance. an enabled chipset. v1.

More from the Intel® IT Center
Real-World Guide: Intel Security Technology for the Cloud is brought to you by the Intel® IT Center, Intel’s program for IT professionals. The Intel IT Center is designed to provide straightforward, fluff-free information to help IT pros implement strategic projects on their agenda, including virtualization, data center design, cloud, and client and infrastructure security. Visit the Intel IT Center for:
• Planning guides, peer research, and vendor round tables to help you implement key projects
• Real-world case studies that show how your peers have tackled the same challenges you face
• Information on how Intel’s own IT organization is implementing cloud, virtualization, security, and other strategic initiatives
• Information on events where you can hear from Intel product experts as well as from Intel’s own IT professionals
Learn more at intel.com/ITCenter.

This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION, OR SAMPLE. Intel disclaims all liability, including liability for infringement of any property rights, relating to use of this information. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein.

Copyright © 2012 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Core, Intel Sponsors of Tomorrow., the Intel Sponsors of Tomorrow. logo, Intel vPro, Ultrabook, and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
Active Directory is a registered trademark of Microsoft Corporation in the United States and/or other countries.
Oracle and JavaScript are registered trademarks of Oracle and/or its affiliates.
1112/RF/ME/PDF-USA 327973-001