Jan 09

How do you know if your data is in good hands? Here’s how.

From: GCN

By William Jackson

When agencies move IT workloads to the cloud, they often gain flexibility and efficiency, but do the owners of the data know where their data is? They should.

The “cloud,” of course, isn’t any kind of cloud, but servers at many large data centers scattered around the country or the world, as we are reminded whenever a cloud provider loses service. And agencies must ensure that these resources are being maintained in an appropriate and secure environment.

The National Institute of Standards and Technology has produced a scheme to provide this assurance through continuous monitoring of the location and condition of the cloud platforms being used. The blueprint for what is called trusted geolocation, laid out in draft NIST Interagency Report 7904, can help determine whether data is where it is supposed to be in rapidly changing environments and whether cloud providers are meeting contractual requirements for the security of the platform.

The goal of Trusted Geolocation in the Cloud: Proof of Concept Implementation is “to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers.”

Cloud service providers to federal agencies must meet security requirements under the Federal Information Security Management Act, and the General Services Administration has established the Federal Risk and Authorization Management Program (FedRAMP) to certify that baseline requirements are met. But the challenge remains of making sure that workloads are being carried out on certified servers and that they have not migrated offshore.

“People are very concerned about this,” said Murugiah Souppaya, co-author of the NIST report. Cloud environments now can be plagued by a lack of transparency for customers. “We believe having a technology stack that supports this from a continuous monitoring perspective would be helpful.”

Contracts are vehicles for expressing technical requirements, said Matt Scholl, deputy chief of NIST’s Computer Security Division. The scheme for trusted geolocation provides a method for enforcing those requirements.
