Trustworthy Geographically Fenced Hybrid Clouds

Adoption of hybrid clouds by enterprises has been hampered by the inability of current hybrid cloud infrastructures to provide scalable and efficient mechanisms (1) to ensure the trustworthiness and integrity of the software stack executing a hybrid application workload, or (2) to enforce governmental privacy, data jurisdiction and audit regulations by ensuring that remote data and computation do not cross specified geographic boundaries. This paper presents our vision of trustworthy geographically fenced hybrid clouds (TGHC), a generic, scalable and extensible middleware system to automatically bridge the gap between applications with their integrity and geo-fencing policies, and raw hardware infrastructure. It describes TGHCs modularly, by (a) outlining the challenges in certifying the trustworthiness of cloud computing infrastructures and in geo-fencing computation, including scalability limitations of existing solutions, (b) presenting scalable mechanisms to transform bare metal servers into trusted IaaS computing pools through integrity measurement, management and monitoring that leverage open, off-the-shelf hardware technologies like Intel TPM, (c) introducing workload specification languages to specify integrity and geo-fencing policies on hybrid workloads, and (d) extending IaaS systems to ensure that workload bursting from private data centers to public clouds uses trusted computing pools and respects geographic boundaries during initial placement of virtual machines (VMs) and further migration. We also present early results from our implementation illustrating the feasibility of our proposed architecture, and outline future research challenges in engineering and effectively using TGHCs.