Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, and Xeon are registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others.
Intel® Cloud Builders Guide: Cloud Design and Deployment on Intel® Platforms
Parallels* Security Monitoring and Service Catalog for Public Cloud VPS Services
Intel® Xeon® Processor 5600 Series
Parallels, Inc.
AUDIENCE AND PURPOSE
For Cloud Service Providers, infrastructure hosts, and Enterprise IT administrators looking to enhance or build their public or private cloud infrastructure, the decision to use a cloud for the delivery of IT services needs to include a security strategy which protects the various layers of the deployment. This document addresses the key aspects of the usage model, Security Monitoring and Service Catalog*, defined by the Open Data Center Alliance*. This reference architecture presents a complete model of a Parallels* Trusted Compute Pool deployment on Intel® Xeon® processor 5600 series servers, and addresses how to establish a trusted platform on the physical server layer of a public or private cloud.
Since the creation and operation of a cloud requires integration and customization to existing IT infrastructure and business requirements, it is not expected that this guide can be used as-is. For example, the adaptation to existing networks and the identification of end-to-end security requirements are out of scope for this guide. Therefore, it is expected that the user of this guide will make appropriate adjustments to any deployment to meet specific customer security requirements, especially given the variations in threat levels and attack points that face users when they operate in a public or private cloud usage model.
Table of Contents
Executive Summary ... 3
Introduction: Enable Mission-Critical and Enterprise Applications in the Public Cloud ... 3
Trusted Computing Starts with a Trusted and Encrypted Infrastructure ... 3
Intel® Trusted Execution Technology Overview ... 4
Parallels* Public Cloud Compute Pool Implementation ... 5
Parallels Business and Operations Automation* Installation and Set-Up ... 5
Define Trusted Compute Service Resources with POA* ... 5
Define Trusted Compute Service Plans with PBA* ... 6
Public Cloud Compute Pools Summary ... 8
Future Features ... 8
Glossary ... 8
Footnote ... 8
Intel® Cloud Builders Guide: Parallels* Security Monitoring and Service Catalog for Public Cloud VPS Services
Executive Summary
The adoption of cloud computing, whether public or private, injects a new level of security concerns when compared to standard enterprise compute models and architectures. Principal factors in the decision whether or not to deploy an IT service in a cloud traditionally include:
● Business continuity: The threshold of acceptable downtime due to security incidents
● Data compliance: When applications should be disqualified due to sensitive content
● Multi-tenancy: Decision of when sharing computing resources with others, potentially competitors, constitutes an unacceptable risk
● Complexity: Determination of when an application has too many interdependencies or vulnerabilities, which render it unfit for the cloud
● Migration: Potential complications due to security administration, including audits, key management, attestation, and configuration management
● Trust: Ability or inability to establish that the operating environment (i.e. the Operating System and Virtual Machine Monitor) being run on a given set of physical servers is trusted code that has been measured and checked against a known trusted code state, and is capable of controlling, managing and protecting the platform workloads.
With new technologies and a complete end-to-end security model, these concerns can be addressed and the benefits of cloud infrastructures optimally reaped. The main focus of this guide is the last item: establishing that the operating environment has achieved a trusted boot on a set of physical servers, which provides a more robust foundation for the deployment of secure multi-tenancy operations.
Introduction: Enable Mission-Critical and Enterprise Applications in the Public Cloud
Under the current state of cloud computing, there have been few practical approaches to examine a cloud service’s virtualization and hardware implementation from a security perspective in order to verify the service’s conformance or compliance to a standard. Audit processes exist, but they are labor intensive, inconsistent, and non-scalable. Due to the expense involved, these processes yield a static snapshot that is probably obsolete by the time it is delivered. Ideally, the audit would be done in real time, which is not realistic under previously deployed technology.
Because of the concerns expressed above, many public cloud deployments to date consist of non-core applications such as electronic mail, CRM for sales force automation, and Human Resource applications, such as job postings or expense reports. Cost factors will provide appreciable financial incentives for organizations to consider on-boarding core business processes and sensitive data to a private cloud. For this transformation to happen, proven (and auditable) security mechanisms need to exist that ensure a predefined level of integrity and protection for processes and data. Because public clouds are not under internal IT control, such cloud offerings are being held to a higher bar of security.
As mentioned above, the monitoring capability needs to provide and work on real-time data. Static audit processes are too limited for cloud deployments as they are not dynamic enough to support the elastic nature of such services. Real-time, flexible and configurable supervision is needed to assess the internal state of the infrastructure and its capability to meet the required service levels. Eventually, organizations which deploy cloud services will develop the visibility and controls needed to prove compliance for even their most critical data. At that point, these organizations will realize the value of the cloud with the higher payoff of critical applications in terms of infrastructure substitution and migration away from specialized equipment and one-off, in-house applications. At the same time, they will provide greater visibility for what is possible today with most current infrastructures.
The first step to providing insight into infrastructure health is to be able to verify the configuration of a platform. Once the correctness of the platform state is determined, better decisions about what data or workloads are suitable for running on that platform can be made. Further, if many resources with proven “known good” controlling software are present, these resources can be aggregated into “pools” of like systems, and this information and assurances of higher integrity can be used to manage the flow or dynamics of cloud-enabled datacenters. One compelling use model is to create and identify pools of trusted platforms and restrict the deployment and movement of their more sensitive and confidential data to only the trusted platforms within the trusted pools.
Trusted Computing Starts with a Trusted and Encrypted Infrastructure
Information security cannot be overemphasized as a consideration in cloud infrastructures. Support for security needs to form an uninterrupted chain from the application user interfaces, all the way down to the hardware infrastructures. Any gaps or interruptions in this logical chain will only create attack targets. Security mechanisms at the hardware level constitute necessary conditions to facilitate the implementation of secure conditions in the logical layers higher up.
Today, visibility into the lower layers of cloud infrastructures is almost absent. This condition represents a real obstacle to on-boarding high-value applications to an external infrastructure that provides no visibility. Technology is evolving that will allow Enterprise IT and managed service providers to monitor security conditions within a cloud’s physical and virtual infrastructure and the layers above. With increased visibility into the infrastructure, it will be possible for Enterprise IT and managed service providers to attain:
● Visibility into the security states of the hardware hosts.
● Delivery of automated reporting on the configuration of the physical and virtual infrastructure on the hosted machines.
● Ability to map measurements that verify platform configuration to security compliance and service levels.
● Multiple views, including logical views to track cloud resources use and to prevent improper use, such as co-residency of peer customers who are also competitors.
● Agile and flexible provisioning.
However, among each of these usage models, there is a requirement for compliance and standards. The use of the Trusted Computing Group* (TCG) compliant Trusted Platform Module* (TPM) and TCG-compliant encryption standards provides the flexibility and choice required as a foundation for cloud computing growth. In addition, the requirement of a device to initiate a tamper-resistant trusted boot provides assurance for IT managers.
Finally, the inclusion of a policy and console manager capable of the management of the virtual machine (VM) workloads and physical servers provides the visibility IT managers require. This is a model of how hardware and software can come together to form a more robust security foundation.
All of these drive the usage models and their required solution architectures. Given this background, VMware ESXi* (managed by the Hytrust Appliance*) has enabled the capability of trusted compute pools by leveraging Intel® Trusted Execution Technology (Intel® TXT), and a solution targeted for high-end private cloud implementations was presented to market in early 2011. This guide explores how cloud service providers can create trusted public cloud virtual private server (VPS) offerings by combining Parallels Automation* with VMware vSphere ESXi*. Using the Application Packaging Standard* (APS), Parallels system integration partner Softec* is building the linkages to enable Parallels public cloud automation to be controlled by the VMware virtual infrastructure, enabling workloads to be assigned to trusted computing resource pools or standard computing resource pools.
Intel® Trusted Execution Technology Overview
Intel® Trusted Execution Technology (Intel® TXT)1 is a set of enhanced hardware components designed to build and maintain a chain of trust to protect sensitive information from software-based attacks.
Figure 1: Intel® TXT with Virtual Machines
Intel® TXT creates a measured launch environment (MLE) that enables an accurate comparison of all the critical elements of the launch environment against a known good source. Intel® TXT creates a cryptographically unique identifier for each approved launch-enabled component, and then provides hardware-based enforcement mechanisms to block the launch of code that does not match the approved code. This hardware-based solution provides the foundation on which trusted platform solutions can be built to protect against the software-based attacks that threaten integrity, confidentiality, reliability, and availability of systems. Such attacks, when successful, create costly downtime and remediation expenses, as well as potentially large costs related to data breaches. While intrusion detection and anti-virus remains a key function of security personnel via currently available tools, Intel® TXT enables a new base-level of server hardware hardening to be established. Intel® TXT provides:
● Verified Launch: A hardware-based chain of trust that enables launch of the MLE into a “known good” state. Changes to the MLE can be detected through cryptographic (hash-based or signed) measurements.
● Launch Control Policy (LCP): A policy engine for the creation and implementation of enforceable lists of “known good,” or approved, executable code.
● Secret Protection: Hardware-assisted methods that remove residual data at an improper MLE shutdown, which protects data from memory-snooping software and reset attacks.
● Attestation: The ability to provide platform measurement credentials to local or remote users/systems to complete the trust verification process and support compliance and audit activities. Third-party ISVs like Parallels can add value to this underlying trust verification process by delivering an attestation system which manages a deployment of trusted servers.
For more technical details on the implementation of trusted computing with VMware ESXi* and the Hytrust Appliance*, please see the following guide: Intel® Cloud Builders Guide: Cloud Design and Deployment on Intel® Platforms.
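The trust decision that the Introduction and the Intel® TXT overview describe in words (launch components measured into a single value, compared against a known-good list, nodes grouped into trusted and standard pools, and sensitive workloads confined to the trusted pool) is modelled below as an added example for this guide; it is not Intel TXT, VMware, Hytrust or Parallels code. The TPM 1.2-style SHA-1 extend operation, the report-freshness limit, the component images and the third node name are constructed assumptions for illustration only.

```python
import hashlib

# Constructed stand-ins for the firmware/ACM and hypervisor images that a real
# Launch Control Policy would whitelist (assumption, not real measurements).
GOOD_FIRMWARE = b"constructed: platform firmware image v1"
GOOD_HYPERVISOR = b"constructed: ESXi 4.1 Update 1 vmkernel"
MAX_REPORT_AGE_S = 300  # attestation reports older than this are stale (assumption)


def extend_chain(components):
    """Model a TPM 1.2-style measured launch: SHA-1 each component and fold it
    into a running register as H(prev || digest), starting from all zeros."""
    acc = bytes(20)
    for comp in components:
        acc = hashlib.sha1(acc + hashlib.sha1(comp).digest()).digest()
    return acc.hex()


# The operator's "known good" list: final register value of an approved launch.
KNOWN_GOOD = {extend_chain([GOOD_FIRMWARE, GOOD_HYPERVISOR])}


def node_is_trusted(report, known_good=KNOWN_GOOD):
    """A node joins the trusted pool only if Intel TXT is enabled, the attestation
    report is fresh (no static snapshots), and its launch value is whitelisted."""
    if not report["txt_enabled"]:
        return False
    if report["report_age_s"] > MAX_REPORT_AGE_S:
        return False
    return extend_chain(report["components"]) in known_good


def build_pools(reports):
    """Partition hardware nodes into trusted and standard compute pools."""
    pools = {"trusted": [], "standard": []}
    for node, report in sorted(reports.items()):
        pools["trusted" if node_is_trusted(report) else "standard"].append(node)
    return pools


def place_workload(workload, pools):
    """Confine workloads that require trust to the trusted pool; other workloads
    use the standard pool first so trusted capacity stays available."""
    if workload["requires_trust"]:
        candidates = pools["trusted"]
    else:
        candidates = pools["standard"] + pools["trusted"]
    return candidates[0] if candidates else None


# Constructed attestation reports: the two nodes named in this guide plus one
# hypothetical node whose hypervisor image does not match the whitelist.
REPORTS = {
    "misclin01.rootvps.eu": {"txt_enabled": True, "report_age_s": 30,
                             "components": [GOOD_FIRMWARE, GOOD_HYPERVISOR]},
    "misclin02.rootvps.eu": {"txt_enabled": False, "report_age_s": 30,
                             "components": [GOOD_FIRMWARE, GOOD_HYPERVISOR]},
    "node-x.example.invalid": {"txt_enabled": True, "report_age_s": 30,
                               "components": [GOOD_FIRMWARE, b"constructed: modified vmkernel"]},
}


def demo():
    """Build the pools and place one sensitive and one non-sensitive workload."""
    pools = build_pools(REPORTS)
    sensitive = {"name": "payroll-db", "requires_trust": True}
    public = {"name": "web-frontend", "requires_trust": False}
    return pools, place_workload(sensitive, pools), place_workload(public, pools)


if __name__ == "__main__":
    pools, s, p = demo()
    print("pools:", pools)
    print("payroll-db ->", s, "| web-frontend ->", p)
```

Only misclin01 lands in the trusted pool: misclin02 lacks Intel TXT, and the hypothetical third node fails the whitelist comparison even though TXT is on, which is the distinction a trusted-pool scheduler must enforce.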
Parallels* Public Cloud Compute Pool Implementation
Parallels Business and Operations Automation* Installation and Set-Up
The first phase of setting up a Parallels* Public Cloud Trusted Compute Pool requires Parallels Business Automation* (PBA*) and Parallels Operations Automation* (POA*) installation. This work is normally performed by Parallels Services and will not be covered by this guide.
The remainder of this section focuses on how to set up the standard and trusted VPS instances, not the VMware hardware nodes themselves (which is covered in the previously referenced Intel® Cloud Builders Guide).
Define Trusted Compute Service Resources with POA*
The first step to deploy a Public Cloud Trusted Compute Pool is to select the hardware node or nodes to be assigned to the new VPS resource being defined. This is accomplished by opening the POA* Service Director and then the VMware Manager*. For purposes of this guide, one node was selected, which is named “misclin01.rootvps.eu”, and it is assumed the selected hardware node is based on an Intel® Xeon® processor 5600 series server with Intel® TXT enabled, running VMware ESXi* 4.1 Update 1 or higher with Hytrust Appliance*; see Intel® Cloud Builders Guide: Cloud Design and Deployment on Intel® Platforms for details.
Figure 2: POA* “VMware Manager” – VPS Hardware Nodes
Once the hardware node or nodes are identified, the next step is to create a virtual private server (VPS) service, which will be called “trustedVM”, with the POA* Add New VM function. This creates the service that is eventually linked to PBA*.
Figure 3: POA* “VMware Manager” – Add New VM VPS Service
Now that the new service, “trustedVM.rootvps.eu”, is created on the Intel® TXT enabled hardware node “misclin01.rootvps.eu”, it can be linked to a PBA* Service Plan that will be created in the next section of this guide. Using this same Add New VM feature, a standard compute resource pool also can be created. For the purposes of this guide, the hardware node is named “misclin02.rootvps.eu”, and is a server without Intel® TXT capabilities enabled. Note the name of the non-trusted VPS service is “standardVM.rootvps.eu”.
Figure 4: POA* “VMware Manager” – Add New VPS Service
Define Trusted Compute Service Plans with PBA*
To create a new service plan within PBA*, define a new Service Template using the “Product Director” function in the left-side navigation.
As a shortcut, the “SSL Certificates” template is used, which is the last item in the available list of templates shown in Figure 5 under PBA Plan Manager > Service Templates.
Figure 5: PBA* Plan Manager – Service Template, Add New Service Template
To create a new service plan named “Trusted SSL Service Plan”, clone the SSL Certificates Template with the Clone Plan function.
Figure 6: PBA* Plan Manager – Service Plan: Clone Service Template
The next step in PBA* to create a new service plan is to open the “Plan Categories” function and create the Trusted VPS Hosting plan.
Figure 7: PBA* Category Manager – Clone Service Template
Now that the PBA* Service Plan and Service Category are created, the POA* “trustedVM.rootvps.eu” service resource (i.e. ESXi-based VM), which was created on the server resource “misclin01.rootvps.eu”, can be imported into PBA and linked to the newly-created Trusted VPS Hosting Plan. Once additional billing parameters are established, this enables a service provider to offer a “Trusted SSL” VPS instance on the service resource “trustedVM.rootvps.eu”.
Public Cloud Compute Pools Summary
There are many additional steps to set up a PBA* service plan during the installation and set-up process, and Parallels Services* provides assistance for its customers. This section outlined the creation of a trusted service on a hardware node based on an Intel® Xeon® processor 5600 series server with Intel® TXT enabled, running VMware ESXi* 4.1 Update 1 or higher with Hytrust Appliance*, and the connection of that server to a PBA Trusted VPS Hosting Plan, as a general guide to how public cloud service providers can create differentiated service offerings based on Trusted Compute Pools versus Standard Compute Pools. With the Trusted VPS Service Plan example, service providers are able to market the offering to select vertical industries which are concerned about running their SaaS applications on a public cloud. Trusted Compute Pools, running on Intel® Xeon® processor 5600 series servers with Intel® TXT enabled and leveraging VMware ESXi 4.1 Update 1 or higher with Hytrust Appliance, remove one of the barriers to providing more secure public cloud VPS service offerings. In addition, by offering trusted service plans, such as the example Trusted VPS Service Plan detailed in this guide, service providers should also be able to deliver what would otherwise be a cost-prohibitive service at scale to small and medium businesses, at prices significantly lower than a private cloud deployment in those same businesses.
Future Features
Note that because the Softec VMware APS* package is still under development, the user interface used in the development of this concept white paper is based on a generic virtual private server (VPS) deployment.
Glossary
Hardware Node (or Node): A server on which the VMware ESXi* 4.1 software is installed for hosting VPS VM instances.
Intel® Trusted Execution Technology (Intel® TXT): A set of enhanced hardware components designed to build and maintain a chain of trust to protect sensitive information from software-based attacks. Formerly codenamed LaGrande Technology (LT) and LaGrande Technology Server Extensions (LT-SX).
Measured Launch Environment (MLE): The environment measured and launched as a result of the GETSEC[SENTER] instruction. This can be an Operating System, VMM, or any trusted code that supports Intel® Trusted Execution Technology.
TCG (Trusted Computing Group): Industry initiative for advancing computer security (http://www.trustedcomputinggroup.org).
Trusted Platform Module (TPM) 1.2: Third-party silicon; a hardware device defined by the Trusted Computing Group that provides a set of security features used by Intel® Trusted Execution Technology.
Footnote
1 Intel Trusted Execution Technology, http://www.intel.com/technology/security/
To learn more about deployment of cloud solutions, visit www.intel.com/cloudbuilder
Disclaimers
∆ Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. See www.intel.com/products/processor_number for details.
? Hyper-Threading Technology requires a computer system with an Intel processor supporting Hyper-Threading Technology and an HT Technology enabled chipset, BIOS and operating system. Performance will vary depending on the specific hardware and software you use. See http://www.intel.com/info/hyperthreading/ for more information including details on which processors support HT Technology.
◊ Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor.
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE
INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked “reserved” or “undefined.” Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel® sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel’s Web site at www.intel.com.
Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, Xeon, Xeon inside, Intelligent Power Node Manager, Dynamic Data Center Manager, Intel Cloud Builder, Virtualization Technology, VT Flex-Migration, and Hyper-Threading are trademarks of Intel Corporation in the U.S. and other countries.
Copyright © 2011 Parallels, Inc. The Parallels logo is registered trademark of Parallels, Inc.
*Other names and brands may be claimed as the property of others.
326064-001