Over the last few years, trends have introduced a new era of security, shifting industry focus from OS-level exploits to exploits in all layers, including down into firmware and hardware. But security is more than a single point in time – it’s in a continuous state of evolution and revolution. And to reach its full potential, systems need to be trustworthy, confidential computing ubiquitous, and security disruption-free. A tall order.
True security is driven by governance, processes, tools, and technologies, all impacting every stage of the product lifecycle. This requires a keen focus on building foundations of trust, protecting workloads and data anywhere, removing impediments to security, and leveraging solutions that are innovative and flexible. In this article, I'd like to dive into that second point – how we, as security professionals, can create disruption-free security by removing impediments to usability.
Security has historically demanded a tradeoff between usability and performance. But to achieve disruption-free security, there can be no compromise. A trustworthy and secure system with perfect protection of data is useless if it comes at the expense of system usability. As a result, the goal should be to reduce downtime, offload security to out-of-band elements, deploy highly optimized in-line security technologies that can enable security to happen without interrupting workstreams, and collaborate as a community. Let’s explore these four elements in more detail.
First, eliminating downtime. Security vulnerabilities will continue to evolve, and ongoing updates remain among the most foundational capabilities needed to maintain system security and performance. Every computer user understands the downtime that comes with installing updates. The ecosystem at large has recognized the importance of update delivery usability and automation in driving the adoption of critical updates. Yet, for many environments, there is no such thing as a convenient time to go offline to deploy updates, especially in hardware.
Recognizing the need for disruption-free alternatives, hardware vendors are, for example, beginning to deliver reboot-free firmware patches on data center CPUs. But vendors must continue to push the envelope and expand these capabilities to more platforms, patches, and discrete hardware (such as GPUs, memory, and storage). The goal is to say goodbye to reboot Wednesdays.
The second element is security offloading. Most security capabilities are executed within the same physical execution element that processes user data. For example, video conferencing (with Zoom or in MS Teams) is a very CPU-intensive operation that requires encoding and decoding in real time. Security software running on that same element can potentially cause performance impacts to critical computing (such as lagging video conferencing, computer sluggishness that impacts screen sharing or multitasking, and more) due to interrupts, context switches, and execution of the security solution itself.
This is beginning to be solved through the introduction of an active component root of trust or platform-level root of trust, which has the introspection and access capabilities needed to execute security functionality out-of-band from the traditional OS and the general compute function. This enables offloaded security technologies to have minimal impact on the performance or usability of the main processing element while also providing a higher level of security through computing isolation. For example, with advances in threat detection being offloaded to the hardware level to be processed on a GPU, machine learning can be applied to hardware telemetry to identify patterns that might indicate a threat to the system. That insight can then be provided back to the OS and antimalware solution. Offloading that processing to the GPU (instead of keeping it centralized in the CPU or inside the OS) minimizes the performance impacts of such robust analysis.
The third element is ubiquitous crypto. Cryptography is the foundation for many security best practices (from encryption to signatures to hashing). The industry must continue to invest in hardware-based cryptographic acceleration, including purpose-built crypto instruction sets that leverage optimized microcode flows. By increasing computational acceleration inside hardware (like CPUs) and combining it with closer offloading coordination with other discrete components (like GPUs or FPGAs), cryptography can become ubiquitous. The goal is cryptography without a performance impact, which would enable a future in which full memory, data caches, and inter-component communications are all cryptographically hardened.
The final element is industry engagement. Fostering the development of industry standards is a critical part of enabling the secure, interoperable, and scalable adoption of security technologies. Consortiums, standards bodies, and public-private partnerships all play a major role in creating disruption-free security in hardware by advancing a joint understanding of how new technologies should be designed. This also extends to engagement with policymakers and governments. Addressing security challenges requires the full ecosystem working together. This includes groups like the Trusted Computing Group, Open Compute Project, Distributed Management Task Force, International Standards Organization, Confidential Computing Consortium, and many more.
Mitigating security risk by harnessing the power of hardware is a constant journey of evolution and revolution. But the industry has made major advancements over the last five years (in addition to the four listed above) with innovations around hardware-based execution isolation, such as confidential computing, open source architectures (like RISC-V), and emerging deployment patterns such as containers. The four elements included in this article provide a strategic vision of where security powered by hardware is going. Working together, we can create a better ecosystem aimed at unleashing the full power of compute through security.
Stephanie Domas is Chief Security Technology Strategist at Intel.