Contents
4 Security Recommendation to Software Vendors
5 Recommendation to Cloud providers
OpenAttestation SDK is built on the Host Integrity at Startup (HIS) project developed by the National Information Assurance Research Laboratory (NIARL) and on Intel's Mount Wilson project; it measures and reports the status of remote host platforms that contain a Trusted Platform Module (TPM).
The intended audiences of this document are Independent Software Vendors (ISVs) and developers who integrate OpenAttestation SDK into an ISV's cloud management tools for product release, and administrators who use ISV software packages with OpenAttestation SDK integrated to add remote host integrity checking to their cloud services.
OpenAttestation SDK, by itself, is not hardened software or a commercially ready product. ISVs are expected to enhance the SDK, integrate it with their software stacks, and put the result through security evaluation and validation cycles before production and distribution.
OpenAttestation SDK is a set of software components that give cloud providers the capability to establish host/client integrity by remotely retrieving integrity reports stored in the hosts'/clients' TPM.
The SDK is expected to be security enhanced, integrated with the ISV's cloud management software, and distributed and supported by the ISV to cloud providers.
The integrated ISV software is hosted and operated by cloud providers.
The SDK does not add security enhancements to the existing database or network infrastructure; rather, it uses the underlying infrastructure supported by ISVs and operated by cloud providers.
The attestation service is hosted by cloud providers; the privacy of hosts/clients is the responsibility of the cloud provider or the ISV.
ISVs must follow industry security standards and recommendations when integrating OpenAttestation SDK with their software stack.
Cloud providers should follow industry security standards and recommendations to operate and maintain a secured infrastructure.
Besides the recommendations below, ISVs should follow industry security standards when integrating OpenAttestation into their software stacks.
OpenAttestation SDK exposes two APIs: an Integrity query API for management software to remotely query host integrity, and a Whitelist API for administrators to remotely set up and update known-good measurement data. For privacy and security reasons these APIs must be access controlled and not reachable by general users. To ensure access control to the APIs, the ISV should apply the following designs:
The ISV should clearly document that a deployment must always set up the web container's 2-way (mutual) SSL/TLS authentication between access platforms and the attestation service, so that only controlled platforms can reach the APIs. If authentication is not set up, the privacy and security of the cloud infrastructure can be compromised.
The ISV should work with the cloud provider to establish credential control for API access. Note that every API request to the attestation server carries an authentication blob, which lets the ISV software pass access credentials to the attestation service; the attestation service only forwards this blob to an ISV-specific authentication validation service in the SDK. It is the responsibility of the ISV integrating the SDK to fully implement that validation service.
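The access-control design above (mutual TLS as the first gate, then the per-request authentication blob handed to an ISV validation service, then a role check that separates the Integrity query API from the Whitelist API) as an added, stand-alone illustration; this is not OpenAttestation SDK code, and the HMAC-signed JSON blob format, the `isv_validate` hook and the API names are hypothetical stand-ins for whatever the ISV actually defines.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Added illustration, not OpenAttestation SDK code. The two APIs named on the page
# are modelled as operations; the blob format below is a hypothetical stand-in for
# the ISV-defined authentication blob (HMAC-SHA256 signed JSON carrying role + expiry).
API_ALLOWED_ROLES = {
    "integrity_query": {"operator", "admin"},  # management software reads trust status
    "whitelist_update": {"admin"},             # administrators change known-good measurements
}
TAG_LEN = hashlib.sha256().digest_size

def make_blob(secret: bytes, role: str, expires_at: int) -> str:
    """Build a signed blob; stands in for whatever the ISV issues to its callers."""
    body = json.dumps({"role": role, "exp": expires_at}, sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()

def isv_validate(secret: bytes, blob: str, now: int) -> Optional[str]:
    """Hypothetical ISV validation service: returns the caller's role, or None if invalid."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]   # fixed-length tag at the end
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(body)                    # body is authentic once the tag verified
    if claims.get("exp", 0) <= now:              # reject expired credentials
        return None
    return claims.get("role")

def authorize(api: str, client_cert_verified: bool, blob: Optional[str],
              validator: Callable[[str], Optional[str]]) -> bool:
    """Fail-closed gate in front of an API: mutual TLS first, then the ISV validator, then role."""
    if not client_cert_verified:       # 2-way TLS must already have succeeded at the web container
        return False
    if api not in API_ALLOWED_ROLES or not blob:
        return False
    role = validator(blob)             # the attestation service only forwards the blob
    return role in API_ALLOWED_ROLES[api]
```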
The ISV should enhance the HostAgent/TrustAgent installation package so that it is created on secured smart media, keeping the attestation service keys within a controlled, secured access environment.
Cloud providers should follow industry security standards in operating and maintaining their infrastructure.
The attestation infrastructure takes the PrivacyCA approach to certifying hosts' TPM keys. Cloud providers should securely safeguard the PrivacyCA and EK signing key pairs.
Attestation service installation:
The attestation service and the management tools that access its API services are the Root of Trust of the overall cloud infrastructure; the cloud provider must ensure these components are installed while the underlying systems are in a trusted state.
The cloud provider must ensure the correct PrivacyCA certificate is installed into the Appraiser.
The whitelist database must be kept in a secured, controlled environment.
For HostAgent/TrustAgent, the agent code installed on hosts, the installation must ensure that:
The host is in a trusted state when the agent is installed.
The agent is installed by a trusted entity through an auditable process.
The EKsigningKey is never installed on the host.