Trusted Computing Group Eyes Cloud Security Framework
The Trusted Computing Group Monday announced a working group aimed at publishing a framework for cloud computing security that could serve as a blueprint for service providers, their customers and vendors building security products.
Mon, September 13, 2010
Network World — The Trusted Computing Group Monday announced a working group aimed at publishing an open standards framework for cloud computing security that could serve as a blueprint for service providers, their customers and vendors building security products.
Known as the Trusted Multi-Tenant Infrastructure Work Group, there are about 50 TCG members participating, including HP, IBM (IBM), AMD (AMD) and Microsoft. The group also will receive input from U.S. Defense Department representatives and the U.K. government, according to sources. TCG has in all about 110 members that have worked over the years on standards-based initiatives in the area of trusted computing, including "Trusted Network Connect" and the "Trusted Platform Module."
The latest plan is intended to put forward a security framework for cloud computing, including private, public and hybrid cloud environments as well as virtualized and non-virtualized ones. "Multi-tenant security is really an end-to-end security requirement," says Eric Visnyak, information assurance architect at BAE Systems, which is participating in the new group. "We need to validate policy requirements in dedicated and shared infrastructure."
The Trusted Multi-Tenant Infrastructure Work Group will make use of existing open standards to define end-to-end security, both virtual and physical, in a cloud-computing environment, including capabilities such as encryption and integrity monitoring, Visnyak says. TCG wants to publish its framework document later this year in draft form to receive public input, so that a final revision can be in place early next year.
The goal is to create a framework document for cloud-computing security that will not only serve as a baseline for security compliance and auditing, but also might also encourage the introduction of new products.
Visnyak acknowledges that other organizations, including the Cloud Security Alliance and the National Institute of Standards and Technology (NIST), are also weighing in on the important topic of cloud-computing security, and there's the potential for division on the issues. But he says TCG is in touch with both the Cloud Security Alliance and NIST to try to avoid creating schisms.
In other news, TCG Monday said it's releasing the second version of its IF-MAP (Metadata Access Protocol) specification. According to TCG, IF-MAP describes database services with information (metadata) about systems and users currently connected to the network.
Rick Kagan, executive vice president and general manager at Infoblox, says IF-MAP 2.0 adds a so-called "notify" operation to enable an IF-MAP server to support message-bus functionality in addition to publish/subscribe database functionality. The new standard also includes details on location and device characteristics. IF-MAP is intended to replace the "point-to-point brittle custom agents and collectors" the industry often relies on today to collect information, Kagan says. Turning instead to IF-MAP's application-based server approach can also help in integrating physical and network security, he adds.
Products supporting IF-MAP include Great Bay's Beacon endpoint profiler, Juniper Networks’ (JNPR); Unified Access Control and SSL VPN appliances, Infoblox Core Network Services Appliances and Orchestration (IF-MAP) Server, plus others.
Read more about data center in Network World's Data Center section.