Trusted Geolocation in the Cloud

Current Status

This project is currently seeking technology vendors and service providers to participate in the development of multiple implementations. Please see our Federal Register notice for more information and download the Trusted Geolocation in the Cloud project description (PDF) for full project details.

If you have any questions or suggestions or interest in collaborating in this project, please email the team at trusted-cloud-nccoe@nist.gov.

Summary

While cloud computing offers businesses and other organizations cost savings and flexibility, these shared resources can introduce security and privacy challenges. Enterprises that use cloud services want to be assured that:

  • the cloud compute platform hosting their workload has not been modified or tampered
  • sensitive workloads on a multi-tenancy cloud platform are isolated within a logically defined environment from the workloads of competing companies 
  • workload migration occurs only between trusted clusters and within trusted data centers 
  • cloud servers are located in their preferred regions or home countries so that the cloud provider is subject to the same data security and privacy laws 

Building on the work done within NIST IR 7904 Trusted Geolocation in the Cloud: Proof of Concept Implementation, this project will expand upon the security capabilities provided by trusted compute pools and include:

  • Data protection and encryption key management enforcement focused on trust-based and geolocation-based homogeneous secure migration within a single cloud platform
  • Persistent data flow segmentation before and after the trust-based and geolocation-based homogeneous secure migration within a single cloud platform
  • Industry sector compliance enforcement for regulated workloads before and after the trust-based and geolocation-based homogeneous secure migration
  • Trust-based and geolocation-based homogeneous and policy enforcement in a secure cloud bursting across two cloud platforms

These additional capabilities will not only provide assurances that workloads in the cloud on running on trusted hardware and in a trusted geolocation, but also improve the protections for the data in the workloads and flowing between workloads. The goal of the project is to also extend all of these capabilities into a hybrid cloud scenario.