security (p.3-4): ...We have selected six specific areas of the cloud computing environment where equipment and software implementing TCG specifications can provide substantial security improvements [Hanna and Molina, 2010].

1 - Securing data at rest: Cryptographic encryption is certainly the best practice and in many U.S. states and countries worldwide, it's the law for securing data at rest at the cloud provider. Fortunately, hard drive manufacturers are now shipping self-encrypting drives that implement the TCG's Trusted Storage standards. Self-encrypting drives build encryption hardware into the drive, providing automated encryption with minimal cost or performance impact. Software encryption can also be used, but it is slower and less secure since the encryption key can be copied off the machine without detection.

2 - Securing data in transit: Encryption techniques should also be used for data in transit. In addition, authentication and integrity protection ensure that data only goes where the customer wants it to go and is not modified in transit. Well-established protocols such as SSL/TLS should be used here. The tricky part is strong authentication, as described next.

3 - Authentication: User authentication is often the primary basis for access control, keeping the bad guys out while allowing authorized users in with a minimum of fuss. In the cloud environment, authentication and access control are more important than ever since the cloud and all of its data are accessible to anyone over the Internet. The TPM can easily provide stronger authentication than usernames and passwords. TCG's IF-MAP standard allows for real-time communication between the cloud provider and the customer about authorized users and other security issues. When a user is fired or reassigned, the customer's identity management system can notify the cloud provider in real time so that the user's cloud access can be modified or revoked within seconds. If the fired user is logged into the cloud, they can be immediately disconnected. Trusted Computing enables authentication of client PCs and other devices, which also is critical to ensuring security in cloud computing.

4 - Separation between customers: One of the more obvious cloud concerns is separation between a cloud provider's users (who may be competing companies or even hackers) to avoid inadvertent or intentional access to sensitive information. Typically a cloud provider would use virtual machines (VMs) and a hypervisor to separate customers. TCG technologies can provide significant security improvements for VM and virtual network separation. In addition, the TPM can provide hardware-based verification of hypervisor and VM integrity. The TNC architecture and standards can provide strong network separation and security.

5 - Cloud legal and regulatory issues: To verify that a cloud provider has strong policies and practices that address legal and regulatory issues, each customer must have its legal and regulatory experts inspect cloud provider policies and practices to ensure their adequacy. The issues to be considered include data security and export, compliance, auditing, data retention and destruction, and legal discovery. In the areas of data retention and deletion, Trusted Storage and TPM access techniques can play a key role in limiting access to data.

6 - Incident response: As part of expecting the unexpected, customers need to plan for the possibility of cloud provider security breaches or user misbehavior. An automated response or at least automated notification is the best solution. TCG's IF-MAP (Metadata Access Protocol) specification enables the integration of different security systems and provides real-time notification of incidents and of user misbehavior. (†1156)