As very well explained in the paper on negotiating cloud contracts by Stanford Technology Law Review (see also the blog Cloud Computing Contracts) cloud computing users can “have regulatory or other legal obligations and may need to demonstrate compliance to regulators”. Data location and data and data transfers are one of the most important data protection law concerns. Especially customers in the European Union and European Economic Area have these kinds of concerns. That is because “The Data Protection Directive requires controllers to choose processors providing ‘sufficient guarantees’ regarding security measures for processing, and to ensure compliance with those measures. This may be difficult without more transparency regarding providers’ systems, data center locations and transmissions.”
This leads to security and privacy concerns with allowing unrestricted workload migration to and from and within the cloud. Because the requirements of laws and/or internal regulations an organization may decide that it needs to restrict which cloud servers it uses based on their location. Determining the approximate physical location of an object (workload or a cloud computing server) is generally known as geolocation.
To fulfill the security needs of the customer Cloud computing services needs a secure geolocation that can be enforced through management and operational controls that are scalable and can be automated. The ultimate goal is to be able to use trusted geolocation for deploying and migrating cloud workloads between cloud servers within a cloud. The question is how to enforce and monitor geolocation restrictions for cloud servers.
The National Institute of Standards and Technology (NIST) recently published a draft report on this topic: ‘ Trusted Geolocation in the Cloud: Proof of Concept Implementation’ . Based on the concept of Trusted Compute Pools the report gives a description of the requirements and the implementation of a proof of concept (a mix of Intel, VMware and RSA technology).
The NIST authors defines Trusted Compute Pools as “physical or logical groupings of computing hardware in a data center that are tagged with specific and varying security policies”, and were “the access and execution of apps and workloads are monitored, controlled, audited, etc.”
The Trusted Compute Pool is based on three principles of operation:
- Create a part of the cloud to meet the specific and varying security requirements of users.
- Control access to that cloud so that the right applications get deployed there.
- Enable audits of that part of the cloud so that users can verify compliance.
With this the cloud computing provider must be able to create and use trusted geolocation for deploying and migrating cloud workloads between cloud servers within a cloud.
If this concept, as proposed by NIST, is successful it would solve a huge cloud computing issue and when used it could make the negotiation and contracting of cloud computing services much easier.