PrivateCore vCage secures OpenStack servers in untrusted environments from persistent malware, malicious hardware devices, and insider threats. Private and public clouds can contain thousands of compute nodes spread across geographic boundaries and in remote locations. Compromising one compute node can jeopardize the security of the entire compute infrastructure. PrivateCore vCage protects that infrastructure from persistent threats, securing servers for sensitive applications on OpenStack infrastructure.
- Validates server integrity and counters advanced persistent threats (APTs) like rootkits and bootkits that can bypass traditional anti-virus software
- Secures the IT supply chain against malicious server hardware
- Prevents unauthorized physical access to data in use
- Increases visibility and control over server infrastructure
PrivateCore vCage technology provides a secure foundation for OpenStack computing by protecting servers and the virtual machines running on those servers. vCage software attests the integrity of the servers, hardens the environment to minimize the attack surface, and secures data-in-use (memory) with encryption.
The Risk: Persistent Malware and IT Supply Chain Compromise
Using OpenStack for cloud computing poses many security questions. How can you validate that servers are in a known, good state and not infected with advanced persistent threats (APTs) or compromised with malicious hardware? When handling sensitive workloads in a fluid pool of compute nodes, how can avoid having a compromised server infect other servers? How can you provide an audit trail to demonstrate to compliance auditors and customers that workloads run in trusted environments? With the scalability and speed of cloud computing comes the risk that servers which provide the compute foundation might be compromised
Want to see what vCage can do for you? Click here to download a trial version!
Server Attestation and Infrastructure Integrity
Server security starts with visibility into the software that is controlling the server hardware. vCage server attestation supports Intel hardware-based root of trust technology to remotely verify that vCage software is in full control over the server before trusting the server with any secret information. Enterprises and service providers can create trusted computing pools in the cloud knowing that they are running on servers for which the integrity of the server firmware, BIOS, hypervisor and operating system code has been verified.
Detects Advanced Persistent Threats (APTs)
sophisticated attackers want to retain control of a compromised server, and will go to great lengths to hide evidence of the compromise in non-volatile storage available on the server, including the BIOS, device firmware, and attached storage devices. vCage attestation ensures that servers are running only intended code, rather than modified code that was hidden by malware or an attacker. vCage attestation will flag any malicious persistent code and exclude the infected server from a compute pool until it is remediated.
Cryptographic Proof of Trustworthiness
The server attestation request received by the vCage hypervisor generates an attestation response which is signed by a key that has a chain of cryptographic proof to the trusted platform private key. The vCage Manager receives the proof and verifies it against a pre-enrolled public key belonging to the attested server.
Designed For Attestation
vCage hypervisor is packaged and designed for attesting the validity of server environments. Tight integration with vCage Manager enables a policy of acceptable software and configuration with a single API call.
The vCage hypervisor comes up it only accepts attestation requests from your infrastructure. vCage boot image is customized with a per deployment public key. The server will only authenticate and respond to owners of the matching private key, reducing the surface of non authenticated attacks, and preventing unnecessary information leak about the server software version and configuration to network adversaries. To address the per-deployment public key, the vCage hypervisor generate a session key pair on every boot of the server, and measures its public part as part of the server attestation process. Authenticating both the vCage server and the vCage Manager prevents first-mover-advantage attack, as well as man-in-the-middle attacks.
Servers typically require some secret information for purposes of identity and access. Sealing is the process of granting access to secrets contingent on server attestation. While it is possible to store such secrets within the trusted platform module, the vCage architecture implement sealing as a remote process, keeping the secrets protected in the vCage Manager. vCage Manager provides centralized management of the secrets, visibility into secret access by servers, as well as secure delivery of secrets over the encrypted channel between the vCage Manager and vCage servers.
Server attestation provides assurance that the server is clean and in control during boot. vCage provides protection at the infrastructure level protecting against logical attacks arriving over the network as well as from malicious local hardware devices attached to the host.
Controlled Device Driver Population Reduces Attack Surface
Device drivers are a frequently overlooked software interface that provide an attractive attack vector. Malicious hardware, or valid hardware that has been compromised, may be used as a launching platform for attacks against drivers and the corresponding infrastructure. The vCage hypervisor includes only the necessary device drivers to operate virtualized infrastructure, reducing attack surface to a minimum.
Direct Memory Access (DMA) Protection
While DMA serves an important role in improving the scalability and performance of a system by allowing hardware devices to access memory independently from the main CPU, the same interface allows malicious devices or compromised devices to read non-input-output (I/O) information from memory, which can include credentials and end-user information. Similarly, DMA can be used to modify the software that is executed by the main CPU and inject malware that can defeat existing software security controls. The vCage hypervisor utilizes runtime configurable hardware support methods such as Intel VT-d and Intel Trusted Execution Technology (TXT) to limit DMA access to area of the memory allocated for I/O operations.
Secure Kernel Patches and “GR Security”
The vCage hypervisor includes the latest tools and technologies available to the Linux kernel as a method limiting vulnerabilities that might still exist in the vCage hypervisor code base.
Device Communication Firewall
In addition to eliminating unnecessary device drivers from the vCage hypervisor kernel, vCage provides an additional logical firewall to allow the validation of input and output between device drivers and hardware devices.
Network Only Interfaces
The vCage hypervisor is designed to operate in environments where the person with access to the console is not the owner of the data being processed on the server. Consequently, the most secure way of interaction with the vCage hypervisor is over key based authentication network communication. Console access, human interaction devices, USBs, and other non-network interfaces are disabled by default.
Data In Use Encryption
While data may be protected in transit over networks and at rest on storage devices, there has been no solution to protect data in use. Encryption keys, certificates and sensitive data are left exposed in memory to unauthorized physical access attacks. When outsourcing compute infrastructure, service providers, admins, contractors, suppliers, and local governments have physical access to your server, and thus, to your most sensitive data. vCage full memory encryption limits clear text data to the CPU internal cache, and defeating memory extraction attacks.
The vCage hypervisor is designed with a proprietary memory management algorithm using a full KVM hypervisor that fits entirely inside the CPU Last Level Cache (also referred to as LLC or L3 Cache) of a modern Intel server CPU. The vCage hypervisor actively manages the CPU L3 cache, and serves as an encryption gateway to the main server memory. With vCage, the CPU and application view of the world is that memory in clear-text form, while an adversary views of the world see ciphertext. Main memory is always encrypted and no keys, data nor code can be extracted from server memory.
As a hypervisor, vCage provides hardware abstraction to the running applications and virtual machines. vCage provides a virtual clear-text memory representation to the running virtual machines, while the real physical memory is encrypted at all times. This transparency allows any application to be installed in a virtual machine and automatically benefit from the protection provided by vCage memory encryption. Any application that runs on the Linux KVM hypervisor can run on the vCage hypervisor with no need for new API calls or recompilation of the code.
Industry-standard AES Encryption
The vCage hypervisor utilizes the standard Advanced Encryption Standard (AES) encryption algorithm to protect any data stored in the server main memory modules. Utilizing the hardware cryptographic acceleration provided by Intel AES-NI allows the vCage hypervisor to achieve multi GB/s access rate to encrypted memory.
for organizations requiring non AES encryption algorithm to be used, vCage supports the insertion of alternate custom encryption modules that can be used for encrypting memory.
Virtual Machine (VM) Image Encryption
Virtual machine images are key building blocks for a secure compute infrastructure. Manipulating a virtual machine image while at rest can result in the insertion of malware into the execution environment which bypasses existing security measures. Likewise, secret information embedded within the virtual machine images, used for identity and access, can be revealed by reading a clear text copy of the virtual machine image. The vCage Manager, in combination of the vCage hypervisor, provides the encryption of virtual machine images stored at rest, protecting identity and access secrets, and maintaining the integrity of the virtual machine from offline code injection.
VM image Encryption
The vCage Manager allow the encryption of virtual machine images to protect secrets and maintain the integrity of virtual machines. Encryption keys for image encryption are stored on the vCage Manager, separating the encrypted image encryption key management.
OpenStack Attestation Integration
The vCage Manager integrates with the attestation capabilities of the vCage hypervisor and OpenStack. vCage releases the virtual machine image decryption keys only to an instance of the vCage hypervisor that has been successfully attested.
The OpenStack operational model provides a horizontal distribution of compute resources to deliver maximum scalability. While this design choice enables a highly scalable cloud environment, it also means that security is horizontally distributed. In the same way that one bad apple can spoil the barrel of apples, one compromised server can take down all the other nodes in the compute cluster. vCage brings security into an OpenStack environment, providing the assurance that compute nodes are secure and trustworthy. vCage uniquely addresses the need to protect the secrets and integrity of the OpenStack controller node which hosts the database and Keystone services which are critical to the security of an OpenStack deployment.
Trusted Compute Nodes
Packaged with pre-installed OpenStack management agents, vCage for OpenStack allows for rapid bring-up of trustworthy OpenStack compute nodes. Combined with vCage server attestation feature, OpenStack can automate the process of attesting new compute node with vCage before provisioning them into an OpenStack deployment. Providing visibility and control over the configuration and code running on every compute node in an OpenStack deployment is paramount to the security of an OpenStack deployment.
Encrypted Images on Glance
vCage natively supports the encryption of virtual machine images. With OpenStack image management integration (Glance), protecting secret identity and access credentials that resides within the virtual machines is easy to accomplish.
Flexible Deployment Options
vCage provides the best logical protection for compute infrastructures with multiple deployment options. Whether deployed on-premise, colocation or third party infrastructure, vCage provides an increased level of security to the infrastructure to create a trustworthy infrastructure that can be depended on by its tenant.