Piston Cloud Computing Boosts OpenStack Security

A key feature Piston is pushing forward in version 3.5 of its OpenStack cloud distribution is support for Intel's Trusted Execution Technology.

Piston Cloud OpenStack security

Piston Cloud Computing today announced version 3.5 of its OpenStack cloud distribution, aimed at providing users with a new secure on-ramp to the cloud.

Piston was co-founded by Joshua McKenty, who previously worked at NASA and was one of the key engineers that helped get the OpenStack Project started at the space agency. The Piston OpenStack 3.5 release follows the upstream OpenStack project's Icehouse release, which debuted in April.

A key feature Piston is pushing forward in its release is support for Intel's Trusted Execution Technology (TXT), which brings hardware-supported security to the virtual world.

What Piston has done in its 3.5 release, McKenty said, is taken advantage of code that Intel has already contributed into the open-source OpenStack Project. That code includes the ability to launch virtual machines into a validated server target.

In addition, work had to be done at the operating system level to help perform the initial enrollment process for secure servers, he said. In Piston OpenStack 3.5, the secure server enrollment process has been integrated in a consistent manner with how the platform already enables system scale-out and upgrades.

"The theory with the way the TXT gateway works is that you get your operating system into a running state that can include a virtualization hypervisor and a set of processes," McKenty told eWEEK.

The running processes can be cryptographically signed by a Trusted Platform Module (TPM), a hardware module for security that works with Intel TXT. The TXT gateway can then be configured to enable a given server to operate a set of processes that have been cryptographically signed and validated.

The TXT model can be extended all the way up into the OpenStack dashboard and used to validate virtual machine placement, McKenty said.

"So when you launch virtual machines, you can make sure that they land and are executed on the server host, which the underlying orchestration system expects," McKenty said. "It really is intended to help prevent a man-in-the-middle virtual machine launch."

In a potential man-in-the-middle virtual machine attack, a VM is diverted from its intended target and launched on a poisoned or malicious host server.

OpenStack Calculator

In addition to the OpenStack 3.5 release, Piston is also introducing a total-cost-of-ownership (TCO) calculator to help people figure out whether running in a public Amazon Web Services (AWS) cloud or in a private Piston OpenStack cloud is more cost-effective.

The TCO calculator is a long time coming, according to McKenty. "We did one of these calculators when I was at NASA to do full cost accounting and bill the Whitehouse," he said. "We have increasingly seen FUD [fear, uncertainty and doubt] around AWS and the cost of the public cloud versus the private cloud, so it made sense to have this calculator."

The TCO calculator includes labor, server and software costs as well as estimates of power and data center costs. With the calculator, McKenty's goal is to help demonstrate to organizations that the public cloud isn't necessarily a cheaper option than running a private OpenStack cloud deployment.

"For almost everyone who is serious about OpenStack, running a private cloud is seriously a better way to do it," McKenty said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.