Courtesy: Microchip
Choosing Secure Data Centers in a Complex Cybersecurity Landscape
Among the most compelling reasons for any organization to own its own data center is to exert complete control over its data. Keeping data proprietary is predicated on keeping it safe, however, and cyber security is getting progressively more difficult as data center technology becomes more complex and security threats become more sophisticated.
It is also true that large data centers are becoming costlier to own and operate, but even among those that can afford to run their own, fewer choose to do so. The bigger challenge, even for those that otherwise have adequate resources, is that cyber security requires relentless attention, ceaseless investment in the latest technologies and techniques and—especially in recent years—coordination with all the other companies in the data center business.
That level of commitment is getting harder to maintain, especially when it keeps getting easier and more economical to contract directly with data centers or subscribe to cloud services.
So, when it is time to select a data center or cloud provider to do business with, how can an organization assure itself it is choosing a partner that will keep its data safe and secure?
There is no definitive checklist of questions, and data centers won’t have many definitive answers either. The practice of cyber security is always evolving, so being aware of how security in the data center business is evolving is good preparation for figuring out what questions to ask.
Open Systems and Security
The shift to open compute systems makes it crucial to ask about conformance to cyber security standards and recommended practices.
Customers in electronics markets tend to prefer open systems because that allows the mixing and matching of equipment from different vendors. Open technologies create the opportunity to assemble best-in-class subsystems and components, with the expectation of achieving the best possible system performance.
However, moving to open systems risks compromising security. In a closed system, the lead vendor controls all aspects of the system and is in position to adopt (or impose) a security strategy that works across the entire system.
In a market that has open systems, it is rare that any company involved is in a position to dictate much of anything, let alone a unified approach to security that will work across a heterogeneous network of equipment from multiple vendors.
Instead, vendors and customers must coordinate on security. That means agreeing on technologies and techniques—agreeing on standards and recommendations for best practices.
Prevailing Standards and Recommendations
The Open Compute Project (OCP) has emerged as the leading forum for open systems in data centers and other compute environments. The trade group’s members include most major data center operators and most of the leading vendors in that market.
The OCP always understood the risks of moving from proprietary technology to open systems. The trade group’s security committee set the following goals:
- Remove redundant effort required by other projects to create their own security solutions
- Provide standard hardware and software security implementations
- Provide flexible solutions that will work across different types of IT equipment
- Standardize components required for hardware-based software security
- Improve security across the entire cloud computing industry through open standards
- Use existing and emerging standards where appropriate
The OCP proposed a way of assuring that every component in the server is validated even before the server boots—a “Hardware Secure Boot.” Every subsystem that could be added to the server should be equipped with some fundamental element—some immutable firmware—that can be trusted implicitly and be the basis for verifying, validating and/or authorizing that piece of equipment. This element can also represent a so-called root of trust, which all subsequent system checks can be based on.
The proposal is formalized in the Platform Firmware Resiliency Guidelines (SP 800-193) published by the National Institute of Standards and Technology’s (NIST) Computer Security Resource Center (CSRC) in 2018.
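The root-of-trust idea above, as an added sketch that is not OCP, NIST or Microchip code: an immutable root holds the digest of the first firmware stage, and each stage pins the digest of the next, so an altered image is refused before it runs. The stage names and images are constructed, and pinned SHA-256 digests stand in here for the signature checks a production platform would typically use.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Stage:
    name: str            # hypothetical component name
    code: bytes          # constructed stand-in for a firmware image
    next_digest: bytes   # SHA-256 pinned for the following stage, b"" if last

def digest(stage):
    # Measure the code together with the pinned digest, so neither the image
    # nor its pointer to the next stage can be changed independently.
    return hashlib.sha256(stage.code + stage.next_digest).digest()

def build_chain(images):
    """Build stages last to first; return (stages, digest for the root)."""
    stages, pinned = [], b""
    for name, code in reversed(images):
        stage = Stage(name, code, pinned)
        stages.insert(0, stage)
        pinned = digest(stage)
    return stages, pinned

def verified_boot(root_digest, stages):
    """Return (names allowed to run, name of the first rejected stage or None)."""
    expected, booted = root_digest, []
    for stage in stages:
        if not hmac.compare_digest(digest(stage), expected):
            return booted, stage.name      # refuse before handing over control
        booted.append(stage.name)
        expected = stage.next_digest
    return booted, None

def tamper(stages, index, new_code):
    """Return a copy of the chain with one image replaced (simulated change)."""
    changed = list(stages)
    old = changed[index]
    changed[index] = Stage(old.name, new_code, old.next_digest)
    return changed

# Constructed sample images, not real firmware.
IMAGES = [("bootloader", b"BL v1"), ("bmc-firmware", b"BMC v1"),
          ("nic-firmware", b"NIC v1")]

if __name__ == "__main__":
    stages, root = build_chain(IMAGES)
    print(verified_boot(root, stages))
    print(verified_boot(root, tamper(stages, 1, b"BMC modified")))
```

Because each measurement covers the next stage's pinned digest, re-pinning an earlier stage to accept a modified later one changes the earlier stage's own digest and is caught at the root.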
Similar concerns about the integrity of data center equipment inform NIST’s Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161), which sets out recommendations to mitigate the risks associated with products and services that may potentially contain malicious functionality, are counterfeit or are vulnerable due to poor manufacturing and development practices within the supply chain.
This is a start. There are other cyber security guidelines to become familiar with. OCP and NIST are reliable sources of additional information.
More to Be Done
The industry is making progress toward industry-wide cyber security goals, such as those enumerated by OCP. It is important to note that data centers continue to thwart the overwhelming majority of cyber-attacks because they and their vendors have been coordinating on cyber defense.
That said, while vendors agree that security should be normalized across the industry, they also view cyber security as an area where they can differentiate, which they do by implementing security technology and measures in different ways and competing with each other by attempting to exceed OCP recommendations.
Consequently, the market remains fragmented, and it is difficult to pull together systems from different vendors and have them interoperate from a security perspective.
Thus, a company looking for a data center or cloud vendor will want to inquire about its strategy for implementing cyber security in an open systems environment. How is it implementing standard hardware and software security solutions? Which vendors is the data center relying on, and how do they implement cybersecurity? Do the data center’s solutions work across the IT systems you have implemented?
Microchip Security
We at Microchip understand we have a vital role in cyber security by making products that help customers conform to these and other guidelines.
We believe there are four levels of security in data centers. There is device authenticity, as described above. There is ensuring that the code being run on these devices is authentic. Another is verifying data addresses, making sure that data isn’t being hijacked. Finally, there is verifying data being read from and written to storage devices.
The products in our security portfolio are designed to cover all of these concerns. They include:
- Platform Root of Trust Controllers
- Microprocessors with Integrated Security
- Microcontrollers with Integrated Security
- Secure FPGAs
- Secure Authentication
- Trust Platforms