Intel® Security Libraries for Data Center (Intel® SecL - DC)

Building trust, secure, and controlled cloud, with hardware root of trust.

Introduction

Cloud computing has become an inevitable trend for consumers, enterprise, and other entities. Hybrid cloud adoption grew 3X in 20171. According to Gartner, by 2020, a corporate with “no-cloud” policy will be as rare as a “No-Internet” policy is today1. However, security risks in the cloud is still the #1 barrier for broader cloud adoption.

Hardware-based cloud security solutions provide a higher level of protection as compared to software only security measures. There are many Intel platform security technologies, which can be used to secure customers data in the cloud. Unfortunately our customers have found adopting and deploying these technologies at a broad scale challenging, due to the lack of solution integration and deployment tools available. In order to overcome these challenges Intel® Security Libraries for Data Centers (Intel® SecL - DC) was created in order to aid our customers in adopting and deploying Intel Security features, rooted in silicon, at a massive scale. Intel® SecL - DC consists of software components providing end-to-end cloud security solutions with integrated libraries. Users have the flexibility to either develop their customized security solutions with the provided libraries, or deploy the software components in their existing infrastructure.

Establish Platform Trust and Boundaries in the Cloud

Intel® SecL - DC addresses the fundamental security concerns cloud subscribers are faced with when they move their applications or workloads to the cloud which are:

  1. How to identify if the server can be trusted?
  2. How can they control where the workloads can be landed?
  3. How does the Cloud Service Provider (CSP) guard against advanced malware threats?

These fundamental security problems are mitigated by leveraging the hardware security features available on Intel® Xeon® platforms. Intel® SecL - DC builds a trustworthy solution to enable cloud subscribers to land their applications securely in the cloud. Based on these foundational technologies, Intel® SecL - DC helps provide a higher level of protections to applications and data in the cloud.

Hardware Rooted Chain of Trust

Security solutions built on top of hardware security technologies have many advantages compared with purely software-based security solutions. They typically provide stronger security and better performance. For example, hardware security modules (HSM’s) have been widely deployed to protect encryption keys as they provide the highest level of key protection. Unfortunately, HSM's are very expensive and difficult to quickly integrate into a data center. Therefore, a balanced solution is needed to leverage the advantages from both sides.

Intel® SecL - DC is designed to leverage the platform hardware security features and provide an easy to use deployment model and pre-validated security usages for cloud service providers or ISVs to integrate with their existing cloud infrastructure. There are many security technologies in Intel platforms. Intel® SecL - DC builds libraries and components rooted from these hardware technologies and enables users to discover, and effortlessly deploy these technologies at scale.

Intel® SecL - DC Architecture

Intel® SecL - DC provides a flexible architecture with easy integration and deployment as one of the goals. The architecture has two primary aspects:

1. A set of libraries that provide core security functions that provide easy of software APIs. This provides the flexibilities for customers who wish to develop their customized solution.

2. A list of components and services that provide ready to use REST APIs with the libraries included.

These components and services go through Intel standard SDL development and QA testing, which means all Intel® SecL - DC components and libraries have been pre-validated and tested; therefore, they can be easily integrated by end customers with existing cloud OS's such as OpenStack* to shorten their solutions time to market. Each of the libraries and components provide standard APIs and are self-contained to provide well-defined functions and services. Furthermore, users will have great flexibility to choose a library, component, or list of components to integrate with their cloud infrastructure for improved security.

Solution Architecture

The basic solution architecture for Intel® SecL - DC is illustrated in the following diagram. There are mainly two components, one is the trust agent deployed on the node. The second component, is the verification service that can be deployed on a physical or virtual machine or as a container in the cloud. The Intel® SecL - DC trust agent supports Linux and Windows. The verification service supports the verification of nodes with Linux, Windows, and VMware ESX* servers. However, there will be no Intel® SecL - DC trust agent to be deployed on an ESX host. The two components trust agent and verification service includes serval libraries that provide fundamental functions that Independent Security Vendors (ISVs) or developers can pick and choose for their customized solutions.

Intel® SecL - DC Architecture

As mentioned earlier, Intel® SecL - DC resolves the two fundamental security challenges in the cloud: “trust and data sovereignty control”. Intel® SecL - DC can identify if a host in the data center or cloud can be trusted. The trust is based on the underlying platform security technologies utilizing Intel® Trusted Execution Technology (Intel® TXT) and Trusted Platform Module (TPM) building trust and measurement from hardware all the way up through the software stack. The trust agent running on the host in the operating system (OS) level can securely collect the trust measurement and sends the host manifest including the measurement and log to the verification service, based on a request. The host verification service then verifies the host manifest against its established trust policies (represented as flavor in XML format). If the host manifest matches a defined flavor, the host is identified as trusted with a SAML report that can be consumed by other cloud management software such as orchestrators.

The internal architecture for Intel® SecL - DC trust agent and verification service is illustrated in the diagram below with verification on the left and trust agent on the right side. Each component is a running service that provides secure REST APIs for communication. In the verification service, there are several libraries integrated including the flavor library, verifier library, SAM library, and host connector library. Trust agent integrates platform info library and TpmProvider library. Besides the libraries, each component will include other integration code that drives the flow and interfaces among the libraries. The details of the libraries will be discussed in the section below.

Intel® SecL–DC Components and Libraries

A fundamental barrier for the adoption of security solution in a data center or cloud is the ease of use and management flexibility. Many security solutions provide security benefits, but often their deployment is a nightmare for end users. Intel® SecL - DC’s architecture design was started with the management flexibility as one of its goals.

First, the trust agent can be deployed with flexibility (as part of host OS provisioned time, or installed later) and provisioned (TPM provisioning and attestation service provisioning) at a later phase, or the deployment and provisioning can be done at the same time.

Second, the verification service provides greater flexibility of the host trust policy (whitelist) management. The whitelist is represented in XML format (called flavor in Intel® SecL - DC). The Trusted BIOS version and their expected measurement can be defined as flavors, and trusted OS versions and their expected measurement can be defined as OS flavors. Or the combination of BIOS and OS can be defined as a flavor for a specific host.

Third, the matching policy for identifying if a host (expected BIOS or OS version) is trusted can be flexibly defined as well. The matching policy can be defined as a flavor group; each group can have its own matching policy. When a host is registered, the host can be associated with a flavor group that has it group policy. For example, if a cloud administrator only cares if the BIOS is trusted, he can create a flavor group that only defines the BIOS flavor to be matched. Or if he wants to apply a host specific policy, he can create a flavor group for each host and have host specific policy to apply to that specific host.

For data sovereignty, Intel® SecL - DC supports the provision of asset tag information to the managed hosts through the REST APIs provided using the trust agent and verification service. After provisioning, the trust agent can present the asset tag information as part of the host manifest report to the verification at request. The verification service can attest the host integrity and the asset information and present the verified information as a SAML report.

Cloud Orchestrator Integration

Intel® SecL - DC can be easily integrated into existing cloud infrastructure to solve challenging cloud trust and data sovereignty issues. Intel® SecL - DC provides secure REST APIs and plug-ins for integration. The following diagram illustrates how Intel® SecL - DC can be integrated with OpenStack*.

In the upper right corner of Figure 3. Intel® SecL - DC Cloud Integration Architecture, we have the cloud orchestrator (OpenStack*) which manages the hosts as hypervisors and schedules the workload (virtual machines). The relationship is represented as the orange dotted lines. In order to provide a flexible and minimized footprint in the existing cloud infrastructure, another component “Intel® SecL - DC attestation hub” is introduced. Its role is to pull the host SAML reports (including host trust status and asset tag information) and push such information to the cloud orchestrator as flavors or treats (depending the release of OpenStack*).

With the trust status and asset tag information provided to the cloud orchestrator, the cloud scheduler can schedule its workload based on host information and the VM launching policy. The policy can specify whether the workload should be scheduled to a trust hosts and location where it should be. Workload policy can be specified by the cloud administrator or attached to a VM image metadata. In the latter case, every VM launched from the image with trust and location policy needs to be schedule to a host that meets the requirement.

Intel® SecL - DC Cloud Integration Architecture

Libraries

The following table list the libraries Intel® SecL - DC currently provides. There are two categories of libraries: one is the library that should be deployed on the platform (node/server) to collect platform information and support TPM access on different OS (Linux and Windows). The other category is the library on the verification service side that helps define, manage, and verify host status with the trust policy (flavor).

Libraries

Description

Service Libraries

Host Connector (HCL)

Connects to different types of host (Linux, Windows, ESX) to retrieve host and TPM quote information

Flavor Library (FVL)

Manages whitelist value and host registration in flavor format (XML)

Verifier Library (VFL)

Verifies if a host is trusted by comparing the host manifest retrieved from a host and defined flavors (policy)

Privacy CA (PCL)

Generates and manage certificates for TPM AIK certificate, binding, and signing certificates

SAML Generator (SGL)

Generates attestation reports for host or VM attestation status in SAML format

 

TDT Service

 

Platform Libraries

PlatformInfo (PIL)

Collect host hardware information (TXT, TPM type or version, etc.) and OS information

TpmProvider (TPL)

Provides a coherent APIs for basic TPM functions to support host attestation, regards of TPM version (PTT), or type dTPM, and OS

TDT Library  

These libraries provide standard application programming interfaces (APIs) for developer to integrate into their products.

Validated Use Cases in Intel® SecL - DC V1

The Initial release of Intel® Security Libraries for Data Centers (Intel® SecL - DC) provides the three integrated and validated primary security use cases, which are platform integrity attestation, data sovereignty, and threat detection. Future Intel® SecL - DC releases, will be aligned with new platform launches in order to enable new security technologies rooted in Intel silicon. Now let’s take a closer look at these three integrated security use cases included in the initial release.

Platform Integrity

Trust in the cloud is fundamental for cloud adoption. The base use case that Intel® SecL - DC supports is to identify a list of servers that are trusted based on user defined flavors. This trust identification is based on Intel® TXT technology that builds the root of trust for measurement from hardware. Intel® SecL - DC provides a flexible scheme to define the trust flavor and attestation of servers as we discussed in the architecture above.

Data Sovereignty

Intel® SecL - DC provides the trusted asset tag provisioning and attestation for data sovereignty solution. Each managed host is provisioned with an asset tag certificate that includes the host information and other asset tag information such as geo-location. The asset tag certificate can be generated by the verification service using provided REST APIs and the hash of the certificate is provisioned to each individual host and stored in the TPM (version 1.2 or 2.0) NVRAM. When the host reboots, the hash of the asset tag certificate is extended to the TPM PCR. This information is passed along with other host manifest details to the verification service for verification. If the verification succeeds, the detailed asset tag information is included in the SAML report for the cloud orchestrator for workload placement based on workload policy.

Intel® Threat Detection Technology (Intel® TDT)

Intel® Threat Detection Technology (Intel® TDT) uses low level CPU telemetry data to perform early detection of advanced malware threats. Intel® TDT provides open sourced APIs for ISVs and our customers to integrate HW based threat detection capability in their security solutions with minimum overhead. Furthermore, Intel® TDT uses advanced machine learning based classification and modeling algorithms to learn system behaviors and profile threats. Upon detection of suspicious activity at runtime notifications are generated for further investigation and remediation by the security application (Figure 3). The TDT APIs, telemetry framework, and ML pipeline also provide ISVs the opportunity to build their own heuristics to address additional threats of interest.

Intel® TDT Advance Platform Telemetry Software Stack

Building on Past Efforts

Prior to Intel® SecL - DC, Open Cloud Integrity Technology (Open CIT) was released as an open source project that supports some of the base features of Intel® SecL - DC; although as premium features. Intel® SecL - DC is built from the learnings of our work on Open CIT but brings improved internal architecture, better alignment with platform security technologies, a more feature rich solution, ease of deployment along with fully integrated, and validated key customer workload usages.

Conclusion

Intel® SecL - DC addresses major security concerns of customers looking to secure their workloads in the cloud. The flexible architecture of Intel® SecL - DC enables ISVs and CSPs to easily integrate advanced platform security technologies which are rooted in Intel silicon to provide an unparalleled level of security. The initial release includes the integrated security usages: Platform Attestation, Data Sovereignty, and Intel® Threat Detection Technology (Intel® TDT). Future releases of Intel® SecL - DC will provide more advanced cloud security solutions to address data protection, in-memory protection, application protection, etc. Intel® SecL - DC is released under the free BSD license and continues to build upon the strong open community foundation laid by its predecessor Open CIT. Intel® Security Libraries for Data Centers (Intel® SecL - DC) builds on the foundation laid by Open CIT usages but adds advanced threat detection capabilities thanks to Intel® Threat Detection Technology (Intel® TDT).