2019 will be a “defining year at the intersection of physical and cybersecurity,” according to Chris Wilder, senior analyst at Moor Insights and Strategy. It’s easy to see why. As the collection, storage, and processing of data explodes within data centers, across networks, and at the intelligent edge, the threat of loss or misuse of that data increases, too.
Cyberattacks are moving down the layers of the system stack, and software-only security is no longer sufficient to prevent intrusions. McAfee Labs outlines the rise of attacks in 2019, noting that cybercriminals are increasingly collaborating, leading to new methods for exploitation and better efficiencies when targeting Cloud and IoT vulnerabilities. That being said, not all data breaches are deliberate acts by cybercriminals. In fact, the Identity Theft Resource Center suggests that IT misconfigurations (e.g., accidental web/internet exposure or employee error/negligence, etc.) account for a sizeable portion as well. The bottom line is, organizations, from governments to enterprise, need a robust data protection strategy built securely on a root of trust established at the silicon layer.
2nd Generation Intel® Xeon® Scalable Processors
Intel has built security technologies into our platforms for many processor generations. But in some cases, their value is only recently starting to be recognized now that data breaches are becoming much more extensive and pervasive. For today’s cloud services, platform integrity and data sovereignty are essential. Rooted in silicon, Intel security technologies help create a trusted foundation that protects a wide array of potential attack surfaces. Hardware-based security built directly into the foundation of the platform has never been more important, and with the release of 2nd Generation Intel® Xeon® Scalable processors, it has never been more broadly available, including:
- Intel® Trusted Execution Technology (Intel® TXT): Provides the necessary underpinnings to evaluate the computing platform and its security. Each time a server boots, Intel TXT measures the boot environment (BIOS, OS, hypervisor, etc.) as it launches.
- Intel® Boot Guard: Provides a hardware-based root of trust measurement and verification of the first portion of BIOS code executed out of reset, helping reduce the chances of malware exploiting the hardware or software components on a platform.
- Intel® AES New Instructions(Intel® AES-NI) Accelerators: Encryption instruction set in the CPU that accelerates Advanced Encryption Standard (AES) algorithm processing to give your IT environment faster, more affordable data protection, thus providing greater security.
Deploy Security at Cloud Scale with Intel® Security Libraries for Data Center
Hardware-based security features require consistent ways to discover, attest and utilize them across the various layers of management and software stacks. This has to happen with consistent interfaces, programmatically to enable automation. To enable this, we are launching Intel® Security Libraries for Data Center (Intel® SecL-DC) in conjunction with the release of 2nd Generation Intel Xeon Scalable processors. Intel SecL-DC is designed to simplify the integration and deployment of hardware-rooted Intel security technologies at cloud scale by bringing optimized programming interfaces and management tools for many Intel security technologies together in one easier-to-use set of libraries and tools compatible with cloud environments like OpenStack*, Docker*, and Kubernetes* Extensions. Using declarative policies, the Orchestration software can evaluate the security assertions provided by Intel SecL-DC to control the placement and migration of workloads on the various DC/Cloud availability zones.
The first release of Intel SecL-DC supports three primary security usages:
- Platform Integrity: Intel’s work in platform integrity builds on our Intel® Cloud Integrity Technology (Intel® CIT), which helps ensure cloud workloads run on trusted, unaltered servers and virtual machines that have not been tampered with. Customers want integrity assurances, to answer questions like, “Is my data running on the right hardware, or has my platform been compromised in any way?” Intel SecL-DC provides attestation capabilities for integrity and compliance across compute pools in the cloud, made possible with an established hardware-based root-of-trust.
- Data Sovereignty: As data breaches gain in public visibility, governments and regulators are stepping in. The most prominent example of this is the General Data Protection Regulation (GDPR) from the European Union. Intel® SecL – DC’s attestation capabilities based on a hardware root-of-trust provide controls which help cloud providers manage GDPR-style requirements for customer data privacy. Solutions built on Intel SecL–DC can enable Data Sovereignty and geo-location policies which verify user data is kept only on servers provisioned in approved regions.
- Intel® Threat Detection Technology (Intel® TDT): Augments existing ISV security solution capabilities to improve the detection of advanced cyber threats and exploits. Intel TDT makes it possible to detect exploits using advanced telemetry registers in the CPU in conjunction with Machine Learning (ML) to identify threats in real-time based on known threat models. Intel TDT can use unsupervised ML to continuously learn normal system behaviors and identify deviations thereby creating new threat models.
Protecting Data throughout its Lifecycle
Intel SecL-DC continues Intel’s commitment to help protect data throughout its lifecycle—at rest, in flight, and in use. In addition to the security advancements made in the 2nd Generation Intel Xeon Scalable processors processors with Intel SecL – DC, Intel also announced the following technologies and solutions that make data protection, wherever it resides in its lifecycle, more robust and targeted:
- Intel® Software Guard Extensions (Intel® SGX) was recently made available for mainstream 2-socket platforms and cloud infrastructures with the Intel SGX Card. Intel SGX addresses data protection while it is in use, by enabling developers to partition their application code and data into processor-hardened encrypted areas of execution in memory.
- To address the needs of data protection at scale in the cloud, Intel offers scalable encryption acceleration with Intel® QuickAssist Technology (Intel® QAT). Intel QAT accelerates compute-intensive operations for encryption and compression, and offloads them from the main CPU, freeing up more cores for your other important workloads.
- Intel® Select Solution for Hardened Security with Lockheed Martin*, a new level of military-grade security for cloud hosting of sensitive workloads at scale, is a fundamental change in approach to security and data protection, from a reactive stance, to a proactive one. This solution combines Lockheed Martin’s decades of physical security expertise and Intel’s world class hardware and software to co-develop a one-of-a-kind solution that offers enhanced VM isolation, trusted boot stack through runtime, and robust deterministic quality of service (QoS), revolutionizing how organizations can protect their most critical information.
Starting at the silicon layer and moving up the stack with purpose-built features to help tackle the most pressing issues facing IT professionals today, Intel strives to be at the forefront of security leadership. For more information about all of Intel’s latest security features, visit the trusted infrastructure page on intel.com.