I am happy to announce that NIST IR 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation, has finally been completed. The “finally” warrants an explanation!
I first engaged with Tim Grance and Murugiah Souppaya of NIST in October of 2008, just a few weeks after I had joined HyTrust. A very special HyTrust advisor and personal friend, Becky Bace, introduced us and we have been working together (including many of our respective colleagues) on numerous efforts since.
Outside of key management, I had started discussing cloud computing definition and terminology with Tim and Peter Mell. The PCI Security Standards Council had formed a Virtualization Special Interest Group in 2009 to develop guidance around virtualization and the PCI Data Security Standard, where we were hoping to reference the NIST Cloud Computing definition. The draft definition was the most comprehensive and mature available at that time (if I recall correctly the draft was already at revision 14!).
In parallel, Intel and VMware reached out in July of 2009 to explore what HyTrust could do with its new API access to Trusted Execution Technology (TXT) measurements stored in a Trusted Platform Module (TPM). HyTrust worked with Jim Greene and Raghu Yeluri from Intel and Rich Brunner from VMware to prototype trust attestation of the BIOS and VMware hypervisor using Intel TXT. At IDF 2009, we demonstrated (for the first time ever!) enforcement of VM placement policies based on the security posture of the underlying infrastructure. This enabled organizations to restrict VMs to run only on trusted hosts, where the ‘Trust’ was determined at boot time and rooted in hardware. This became a foundational element of Boundary Controls, where we can enforce data sovereignty, trusted compute pools and geolocation policies over VMs, and ensure that VMs can only be decrypted in a known good environment in the right geography.
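As an added illustration of the placement logic described above (not HyTrust's or NIST IR 7904's own code), the snippet below compares a host's boot-time measurements against hypothetical known-good values, treats the host's geolocation tag as meaningful only when the platform attests as trusted, and filters an inventory down to the hosts on which a VM's policy allows it to run. All measurement values, host names and geotags are constructed for the example.

```python
import hashlib

# Constructed known-good measurement values: the hashes a trusted BIOS and
# hypervisor are expected to produce (hypothetical, not real TXT/TPM values).
KNOWN_GOOD = {
    "bios": hashlib.sha256(b"vendor-bios-1.2.3").hexdigest(),
    "hypervisor": hashlib.sha256(b"hypervisor-build-12345").hexdigest(),
}

def attest_host(measurements, geotag):
    """Derive a host's trust status from its boot-time measurements.
    measurements: {component: hex digest} as read from the host's TPM.
    geotag: location label provisioned alongside them. The geotag is dropped
    when the platform is untrusted: an untrusted host's claim proves nothing."""
    trusted = all(measurements.get(c) == exp for c, exp in KNOWN_GOOD.items())
    return trusted, (geotag if trusted else None)

def placement_allowed(policy, host_trusted, host_geotag):
    """Decide whether a VM governed by `policy` may run (or have its disk
    decrypted) on a host with the given attested trust status and geotag.
    policy: {"require_trusted": bool, "allowed_geos": set}; an empty
    allowed_geos means no geographic restriction.
    """
    if policy.get("require_trusted") and not host_trusted:
        return False
    allowed = policy.get("allowed_geos") or set()
    if allowed and host_geotag not in allowed:
        return False
    return True

def eligible_hosts(policy, hosts):
    """Filter (name, measurements, geotag) tuples to the hosts on which the
    policy allows the VM to be placed: the VM's trusted compute pool."""
    pool = []
    for name, measurements, geotag in hosts:
        trusted, tag = attest_host(measurements, geotag)
        if placement_allowed(policy, trusted, tag):
            pool.append(name)
    return pool

# Constructed sample inventory: two good hosts (EU and US) and one host whose
# hypervisor measurement does not match known-good but still claims "EU".
TAMPERED = hashlib.sha256(b"modified-hypervisor").hexdigest()
SAMPLE_HOSTS = [
    ("eu-host-1", dict(KNOWN_GOOD), "EU"),
    ("us-host-1", dict(KNOWN_GOOD), "US"),
    ("eu-host-2", {**KNOWN_GOOD, "hypervisor": TAMPERED}, "EU"),
]
```

With an EU-only policy that requires trust, `eligible_hosts` returns `['eu-host-1']`: the US host fails the geofence and the tampered host fails attestation, so its claimed "EU" tag is never honoured.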
“Trusted Geolocation in the Cloud” was one of the foundational building blocks when the National Cybersecurity Center of Excellence was established. Primarily because of this work, HyTrust became a founding National Cybersecurity Excellence Partner (NCEP) and participated in the inaugural signing ceremony in April of 2013.
HyTrust has participated in many activities with NIST, including Cloud Computing workshops, use-case definitions, review of early 800-125 drafts, continuous monitoring, crypto workshops, etc. For NIST IR 7904, it's been a long journey: many brilliant individuals have been involved in the effort (thank you!), loads of innovations have taken place, and numerous accolades have been won. It is very gratifying to see the efforts of so many finally resulting in a published NIST Interagency Report that everyone can leverage to implement Trusted Compute Pools and Geo-fencing.