With respect to adoption of virtual computerized environments, or cloud computing environments, security concerns are paramount. Conventional security implementations are not adequate to address the concern with virtualization.
To secure these virtual applications, a new security framework must be deployed—one that works within the virtualization layer of the data center, connects it to the physical data center, and addresses additional requirements of scalable, multitenant environments.
Virtual Machines (VMs) are often built as operating systems or appliances to execute within a shared computer, network and storage infrastructure at a cloud service provider (CSP).
Virtual Machines can be configured to boot on a hypervisor operating system. This hypervisor operating system is designed to host guest operating systems on a shared hardware platform.
A Virtual Machine's data and the execution of binaries (compiled applications) that manipulate the data on the disk operate under a trust model. This trust model is founded on the basis that the host is providing the virtual container to boot and execute machine instructions.
This trust model can lead to a number of false artifacts with respect to trust. For example, the hypervisor boot sequence from hardware implicitly trusts the BIOS that booted the operating system. Moreover, Intel® TXT (Trusted Execution Technology) provides a cryptographic chipset (a Trusted Platform Module) to fingerprint and store a boot image in hardware, to compare each boot process against the previous known good fingerprint. The failed comparison results in the hardware exposing an API to the hypervisor to check the trust factor of the boot in a secure way to determine if the host computer or boot files have been tested by the hardware from the previous boot.
This TXT/TPM check is only done at hypervisor boot time. Therefore, a guest OS boot or start time is not privy to this check. The chain of trust assumes that the hypervisor trusts the boot process by checking with the hardware register; in this way, all guests can boot in a trusted state on the host without the requisite checks.
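A simplified software model of the measured-boot comparison described above, added here as an illustration; it is not part of the original text and is not Intel's implementation. The component names and contents are constructed, and the all-zero starting register is a modelling assumption (a real TPM performs the extend operation in hardware).

```python
import hashlib
import hmac

PCR_SIZE = 32  # width of a SHA-256 register


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new value = SHA-256(old value || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components):
    """Fold the ordered boot components into one register value plus an event log."""
    pcr = bytes(PCR_SIZE)  # assumption: register is all zeros after reset
    log = []
    for name, blob in components:
        pcr = extend(pcr, blob)
        log.append((name, hashlib.sha256(blob).hexdigest()))
    return pcr, log


def boot_is_trusted(components, known_good: bytes) -> bool:
    """Compare this boot's fingerprint with the stored known-good fingerprint."""
    pcr, _ = measure_boot(components)
    return hmac.compare_digest(pcr, known_good)


def first_mismatch(log, good_log):
    """Name of the first component whose digest differs from the known-good log."""
    for (name, digest), (_, good) in zip(log, good_log):
        if digest != good:
            return name
    return None


# Constructed sample boot chain; only host components are measured.
GOOD_CHAIN = [("bios", b"bios v1"), ("bootloader", b"loader v1"),
              ("hypervisor", b"hv kernel v1")]
KNOWN_GOOD, GOOD_LOG = measure_boot(GOOD_CHAIN)
CHANGED_CHAIN = [GOOD_CHAIN[0], ("bootloader", b"loader v1 modified"), GOOD_CHAIN[2]]

if __name__ == "__main__":
    print("good boot trusted:   ", boot_is_trusted(GOOD_CHAIN, KNOWN_GOOD))
    print("changed boot trusted:", boot_is_trusted(CHANGED_CHAIN, KNOWN_GOOD))
    _, changed_log = measure_boot(CHANGED_CHAIN)
    print("first differing component:", first_mismatch(changed_log, GOOD_LOG))
```

The guest image never enters `measure_boot`, so the verdict is fixed when the host boots and says nothing about a guest that starts or arrives later.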
Virtual Machine migration from one host to another is supported by the hypervisor using a method that is transparent to the guest OS, which can mean that the IP address, disk drives, data and running applications will be unaware of and unable to detect the migration from one host to another. This situation within a CSP or enterprise means that a running Virtual Machine may be moved to an untrusted host without any method available to the guest OS to detect the migration or the trust status of the new host running the application code.
The security risk posed by the above capabilities means that secured applications, even with encrypted file systems, can have their run-time functions moved to untrusted hosts that are now capable of manipulating the execution environment to the benefit of the untrusted host, allowing potential data loss, calculation error injection, a new binary installed as a trojan horse, and root or administrator login attacks to compromise the guest OS, among other types of risk events.
The security risks are guest OS independent, and they present an obstacle that keeps highly secured applications from leveraging CSPs without a means to fully secure the boot and running execution of those applications, that is, to detect and block, alert on, or prevent any operating state that would expose the guest OS VM to security attacks when executing within a CSP or secure enterprise infrastructure. Therefore, there is a need for a system and method for creating a trusted cloud security architecture.