[LINK] Geolocation of Au citizen data

stephen at melbpc.org.au stephen at melbpc.org.au
Tue Oct 1 22:10:44 AEST 2013 

Regarding the geolocation of Australian citizen-data, it'd be a great idea 
if our government encourages/mandates trusted geolocation for all our data.


Cisco, Intel push 'trusted geolocation in the Cloud'

Idea of growing importance because many countries have laws about how data 
about their citizens can be moved outside the country

Ellen Messmer (Network World) 30 Sep 2013 www.arnnet.com.au/article/527869/


Cisco and Intel say that companies wanting to make use of Infrastructure-
as-a-Service (IaaS) clouds should be aware that controls exist for keeping 
virtual workloads on servers within country borders.

This idea of "trusted geolocation in the Cloud" is of growing importance 
because many countries have laws about how can data about their citizens 
can be moved outside the country if at all, and businesses have their own 
reasons to restrict movement of data to certain places.

Cisco solutions architect, Kenneth Stavinoha, and Intel senior enterprise 
technologist, Paul Yates, recently spoke on the topic during a panel 
discussion at the ISC2 Conference in Chicago, along with HyTrust CTO Hemma 
Prafullchandra. 

The three advocated one type of geolocation method that can be set up 
through the Trusted Platform Module (TPM) security chip, which is based on 
a Trusted Computing Group standard.

"The decision to go to cloud is a risk," said Stavinoha, so there's a need 
for the enterprise to establish its own security controls. One way to do 
this is through hardware-based "root of trust" attestation via server-based 
TPM, he said.

TPM can be used to confirm the location of a host, the integrity of the 
hypervisor platform, and make sure workloads only get deployed to cloud 
servers with trusted platforms. Several vendors, including Dell, HP and 
IBM, have hardware-based TPM enabled today in their products, 
Prafullchandra pointed out.

Intel's Yates told the security professionals at the ISC2 session that the 
Intel-based Trusted Execution Technology (TXT) approach related to use of 
TPM chips can enable "trusted geolocation in the cloud" with the user 
setting restrictions on where workloads can run based on location.

While this TPM approach to geolocation is still fairly new, the National 
Institute of Standards and Technology has published a proof-of-concept 
document about one pilot project of cloud clusters based on use of Dell 
PowerEdge servers with Intel-based based CPUs, VMware ESXi, Dell PowerVault 
MD32001 for storage, and assorted Dell and VMware-based management nodes. 


The NIST publication, open to comments through the end of the year, is 
described as a template for the general security community to address 
"selected security challenges involving Infrastructure as a Service (IaaS) 
cloud computing technologies and geolocation.

http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf

"A common desire is to only use cloud servers physically located within the 
same country as the organization," NIST states in its "Trusted Geolocation 
in the Cloud: Proof of Concept Implementation (Draft)."

The NIST document says geolocation calls for determining the appropriate 
physical location of an object, such as a cloud computing server. NIST says 
while this can be accomplished in "many ways, with varying degrees of 
accuracy," the "traditional geolocation methods are not secured and they 
are enforced through management and operational controls that cannot be 
automated and scaled, and therefore traditional geolocation methods cannot 
be trusted to meet cloud security needs."

NIST states in its document that the automated hardware-based root-of-trust 
method for enforcing and monitoring geolocation restrictions for cloud 
servers is based on the idea that the user organization can set up unique 
identifier and platform metadata stored in tamperproof hardware as a way of 
confirming the location of a host.

The NIST document details how to set up the Intel-based TXT hardware 
components as well as VMware ESX clusters along with the RSA Archer eGRC 
governance and compliance management console, which presents a dashboard 
view of "trusted pools" and "untrusted pools."

NIST says, "the ultimate goal is to able to use trusted geolocation for 
deploying and mitigating cloud workloads between cloud servers within a 
cloud."

The approach based on hardware-assisted geolocation means, for example, 
that "you can say the workload is required to remain in the U.S. as long as 
the environment can enforce those labels," said HyTrust CTO Prafullchandra. 
She noted it's a way to have platform integrity and workload classification 
and placement based on data jurisdictions around the world.

--
Cheers,
Stephen

Message sent using MelbPC WebMail Server

More information about the Link mailing list