Geo and Asset Tagging

While the cloud enables workloads and data to reside anywhere, users may be constrained to run their workloads and save their data in certain geographies due to regulatory reasons. This extends beyond trusting the cloud's hardware resources to be free of malware and rootkits. Extensions to Trusted Compute Pools (TCP) enable associating with hardware, at provision time, asset and geo-tags. Intel Trusted Execution Environment (TXT) or other measure launch environments (MLEs) facilitate measuring such provision time information into the Trusted Platform Module (TPM). Attestation services can be used to ascertain that these provision time meta data have not been tampered with.

Asset and Geo Tags can be used to:

1. Monitor and Enforce Customer Policies
   1. Control workload placement
   2. Control data storage
2. Meet Service level agreements (SLAs)
   1. Resource reservation at provision time. Useful in private, public and hybrid clouds. For example, in a private cloud, Finance and HR may not want Engineering to overrun their resources.
3. Provide Control and Visibility to Cloud End-users
   1. Display in dashboards asset/geo associations of VM and Data
   2. Generate audit logs of Hardware/VMs/data with asset/geo details.

Use Cases

Government Security Requirements

Governments may require that their workloads run and their data be saved only in certain geos. For instance, they may not want either to leave their sovereign territory, where embassies and international waters may be tolerable. A special case of an asset tag is a geo-tag that specifies where the machine is physically located.

Commerce

Retailers for taxation purposes -- either to avoid or reduce them (some US states have higher tax rates than others) or even gain special tax benefits (such as hosting sites in export only zones) may want to restrict and/or enforce where their workloads and data are stored in the cloud. Digital data in the form of video, audio, images, software, books are all data. Yet another use case is banking and governmental jurisdictions on the data.

Research Freedom

Companies may restrict what categories of research are carried out in different geos. For example stem cell research, drug discovery research fall into this category. Each government may have different policies around these tracts.

NIST ^{[1] [2]}. Intel is driving the effort to realize geo-tags and asset tags in TCP 1.5, where the measured launch execution will measure asset tags, and the associated attestation service shall determine that the measured values match registered whitelist values and that the certificate associated with the tags is authentic, and neither expired nor revoked. Attestation will establish that the provisioned information has not been tampered.

Nova Aggregates and Availability Zones

The partitioning, resource reservation, and fault tolerance benefits that Nova aggregates and availability zones bring have a lot in common with geo/asset tags. However, the main difference is that asset tags are provision time values, and move with the hardware resource. Re-purposing a machine is more easy via the command line with aggregates and availability zones but to modify asset tags would have to be more deliberate and require shutting down the machine. They are associated with a hardware root of trust and thus more valuable with respect to meeting regulatory requirements.

Further, the Attestation service could be independent of the cloud provider to increase credibility and regulatory requirements. In addition, geo-tags can be verified with about 90% accuracy by value of software techniques using the Internet Protocol (IP) address of the device being attested.

This blueprint details how asset and geo-tagging can be incorporated and taken advantage of in OpenStack clouds.

OpenStack Changes

Asset/Geo Tagging builds on the Trusted Compute Pools feature, covered in blueprint: trusted-computing-pools . Also see: details: TrustedComputingPools

Compute Node Provisioning

In addition to compute nodes being provisioned for trust, asset-tags and geo-tags may be assigned at the same time. These can be simple strings, "3 rd Floor, Expo Center, Hong Kong", or complex XML data providing sub-items such as GPS co-ordinates, postal address, and more.

Dashboard

1. Flavor Extra Specs, Volume Extra Specs The extra specs field readily supports specifying geo and other asset tag constraints.
2. Displaying VM and Volume geo/asset tag affiliations The Horizon UI for instance and volume lists could be extended to display in addition to current information, trusted and geo tags. For instance, it would be logical to add a little trusted seal if a compute node is trusted, and by extension a VM running on the same compute node. A country flag would be a good geo indicator.
3. Object listings

Could also contain geo indicators.

Nova Scheduler Filter

Asset /Geo Tag filters should be specified. They will be very similar to todays Aggregate and Availability filters with the distinction that the data they retrieve from the Attestation service may need to be parsed. For instance, geo-tag data may be retrieved as a json string or as XML. In the case of XML, the data may be comprised of a GPS element, a postal address element. The data so retrieved may need to be parsed if the filter requires match on country, or state and country. We recommend that filter code take a policy argument to determine what manner of parsing is required, and the extracted data then used to determine placement,

The same filter techniques are usable by the scheduler for volume placement and live migration of VMs. Object placement is a little more involved in the case of swift with its has code computation for object replica placement and re-balancing in the case of resources going offline.

Storage

Asset/Geo Tags are readily usable for block storage. Object storage in the context of Swift is a little more involved and shall be covered in a separate blueprint and be addressed in phase-2. This is chiefly because the functionality that computes hash codes to determine where to place the Swift replicas needs to be modified. Further Ring balance logic in the event of hardware and/or network failures needs to be modified. Last but not least, the Swift API for object put/get will need to be modified to specify geo/asset tag constraints.

Audit Tasks

Audit logs of VM and volume related CRUD activity could capture geo/asset tags. These would serve well compliance inspections. Further periodic audit reports of all cloud resources could also capture the geo/asset tags. Cloud asset particulars could also be saved in databases, along with configuration information about patches and upgrades. A sanity check would be that the reported asset/geo tags match what is in the database.

Attestation Service

The TCP 1.5 Attestation Service, which can understand asset and geo tags, needs to be integrated into the cloud installation. The Attestation service will provide an API which enables retrieving asset and geo tags from attested machines. These can be cached at the attestation service or even at the nova scheduler to speed scheduling decisions as long as the value cached is no older than some specifiable time window.

The simplest asset/geo tag is a string, while more complex variants are XML and json strings. A policy and a formatter to understand representations is required to facilitate match.

Overall Flow

The cloud user specifies by way of flavor extra-specs for instances and volumes any desired asset and geo-tags. These in turn are used to filter out the compute nodes/volume devices that are ineligible. In the context of object storage, data get and put requests would need additional tag arguments, in order to restrict where data is to be stored, and from where it could be retrieved.

Phased Release

Block Devices and VM placement can be supported in the first release. Object storage would happen in a second release because it touches upon both API changes and issues such as balancing rings in Swift.

1. ↑ http://csrc.nist.gov/groups/SMA/forum/documents/april2013presentations/forum_april_11_2013_bartock.pdf
2. ↑ http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf