IBM Brings Bare Metal Intel TXT Security to Cloud
The cloud isn't just about virtual servers. The physical layer and its security still matter, which is why IBM is using Intel's Trusted Execution Technology.
Intel's TXT is a trust mechanism that is part of the Xeon processor, enabling administrators to place workloads on trusted pools of hardware. Karna Bojjireddy, lead architect for Cloud Security and Strategy at IBM, explained to eSecurityPlanet that Intel TXT technologies have been available for some time, but getting the technology properly deployed in the cloud takes effort.
"To enable this feature and Trusted Platform Module, BIOS-level settings need to be changed," Bojjireddy said. "SoftLayer has made changes to their Infrastructure Management System (IMS) to enable this feature through automation."
Intel TXT is available today on SoftLayer bare metal servers with Intel Xeon E5-2600 v2, Xeon E3-1200 v3 and Xeon E5-4600 powered servers. Bojjireddy added that more SoftLayer bare metal server configurations will be available with the technology in the future.
While IBM is now officially out of the x86 server business, that is not impacting IBM SoftLayer's ability to use Intel silicon in the cloud. IBM completed a transaction this year to sell its x86 server division to Lenovo.
"SoftLayer will continue using the servers they have been using, and this announcement doesn't affect the IBM x86 servers," Bojjireddy said.
Deploying Intel TXT isn't just a checkbox item for IBM, but rather is intended to answer a critical security challenge. Bojjireddy said that cloud users are concerned about protecting workloads and data in the cloud as well as ensuring the trust and integrity of virtual machines launched in a cloud provider's environment.
"Organizations need a method to securely place and use their workloads and data in the cloud," Bojjireddy said.
Intel TXT is similar in some respects to another technology known as UEFI Secure Boot. Both sets of technology load and verify signed firmware images as well as bootloaders, kernels and modules. There are, however, some key differences between Secure Boot and Intel TXT.
"If a signature verification fails during a UEFI Secure Boot, the boot process stops," Bojjireddy said. "This is because Secure Boot's signature checking process includes the act of both measuring the code and verifying that the digest is signed by a key you trust."
In contrast, Intel TXT only measures the code and stores its digest in the Trusted Platform Module (TPM) during the boot process. The verification step is left for a later time.
"A TPM's measurements are much more fine-grained than those being made by a Secure Boot system," Bojjireddy said. "It means it is easier to measure the integrity of user applications running on an operating system with Intel TXT/TPM than with UEFI Secure Boot."
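The distinction the article draws (Secure Boot verifies each component and halts on failure; TXT/TPM only measures, records the digest in a PCR, and leaves verification to a later attestation step) is easy to see in a small model. The following is an added example written for this page, not code from IBM, Intel or SoftLayer. It models a TPM PCR with the standard extend rule, PCR = SHA-256(PCR || digest), and stands in for Secure Boot's signature check with an allow-list of trusted image digests; the boot chain and the tampered bootloader image are constructed sample inputs.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample boot chain: (component name, image bytes). Hypothetical values.
GOOD_CHAIN = [
    ("firmware", b"firmware-v1"),
    ("bootloader", b"bootloader-v1"),
    ("kernel", b"kernel-v1"),
]

# Same chain with a modified bootloader image (constructed to show the failure path).
TAMPERED_CHAIN = [
    GOOD_CHAIN[0],
    ("bootloader", b"bootloader-modified"),
    GOOD_CHAIN[2],
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Allow-list of trusted component digests. This stands in for the "signed by a key
# you trust" check; the real Secure Boot db can hold certificates as well as hashes.
TRUSTED_DIGESTS = {sha256(image) for _, image in GOOD_CHAIN}


def verified_boot(chain):
    """Secure Boot style: measure and verify each component before it runs.

    Returns (loaded_components, halted_at). halted_at is None when every
    component verified; otherwise it names the component that stopped the boot.
    """
    loaded = []
    for name, image in chain:
        if sha256(image) not in TRUSTED_DIGESTS:
            return loaded, name  # boot process stops here
        loaded.append(name)
    return loaded, None


@dataclass
class Tpm:
    """Minimal model of one TPM PCR plus its event log."""
    pcr: bytes = bytes(32)  # PCRs start as all-zero bytes
    event_log: list = field(default_factory=list)

    def extend(self, name: str, image: bytes) -> None:
        # TPM extend: new PCR = H(old PCR || digest of the measured component)
        digest = sha256(image)
        self.pcr = sha256(self.pcr + digest)
        self.event_log.append((name, digest))


def measured_boot(chain) -> Tpm:
    """TXT/TPM style: measure every component into the PCR and keep booting.

    Nothing is rejected here; the digests are simply recorded for later checking.
    """
    tpm = Tpm()
    for name, image in chain:
        tpm.extend(name, image)
    return tpm


def golden_pcr(known_good_chain) -> bytes:
    """Reference PCR value an attestation service computes from a known-good chain."""
    return measured_boot(known_good_chain).pcr


def attest(tpm: Tpm, golden: bytes):
    """The deferred verification step.

    Compares the reported PCR with the golden value and, using the event log,
    names every component whose measurement is not on the allow-list.
    """
    trusted = tpm.pcr == golden
    unexpected = [name for name, digest in tpm.event_log
                  if digest not in TRUSTED_DIGESTS]
    return trusted, unexpected


if __name__ == "__main__":
    print("verified boot, good chain:    ", verified_boot(GOOD_CHAIN))
    print("verified boot, tampered chain:", verified_boot(TAMPERED_CHAIN))
    golden = golden_pcr(GOOD_CHAIN)
    print("attest, good chain:    ", attest(measured_boot(GOOD_CHAIN), golden))
    print("attest, tampered chain:", attest(measured_boot(TAMPERED_CHAIN), golden))
```

With the tampered chain, `verified_boot` stops at the bootloader and never loads the kernel, while `measured_boot` records all three components and finishes; only `attest` later reports that the PCR differs from the golden value and that the bootloader measurement is unknown. That later check is what a cloud provider's trusted-pool scheduler would consult before placing a workload on a host.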
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.
July 31, 2014