Getting to the Root of Trust

Historically, virtual machines (VMs) share almost all the resources that a server contains as a way to improve efficiency. But today many modern cyberattacks are leveled against the full system stack. Sharing resources now means sharing threats. Consider an analogy from your own home. You likely share many resources in your kitchen, living room, family room, and so forth. Because these rooms and objects in these rooms are shared, remnants tell you who’s been there and what they were doing. Dishes in the sink tell you who’s had breakfast and who hasn’t; the channel that the TV is left on tells you who watched TV last. When others are in these spaces with you, congestion occurs. Even in my home, my family and I want to use the microwave or TV at the same time, and one of us must wait.

Sharing server resources can be similar in that different workloads can leave traces of what they’ve done or what they’re doing. Similarly, resource contention can give clues to what other processes are going on or yield unpredictable performance. Now, for workloads and data where security or quality of service (QoS) is a primary concern, a new solution is available.

Announced at Intel Data-Centric Innovation Day last month, the Intel® Select Solution for Hardened Security with Lockheed Martin* provides hardware-based security for edge and data center workloads that require higher levels of protection and QoS. This solution raises the bar for government, finance, energy, healthcare, and other data-sensitive industries. Working closely with the Lockheed Martin team, Intel was able to focus directly on insider threats and outside attacks that professionals are most concerned about in a rapidly-changing security landscape.

Confidentiality

Many edge and data center customers need assurance that their data and workloads can’t be compromised by malicious actors inside or outside of the organization. But standard east-west network isolation, the transfer of data from server to server within a data center, isn’t sufficient to protect against some of the more recent security threats because attacks have been moving down the server stack. Rootkits and Bootkits can slip in under standard protections to avoid detection. For example, the exploit “Shamoon” (aka W32.DisTrack) attacked computers’ master boot record in 2012. Since then, many examples of malware have sought to similarly undermine systems. Servers can run the most secure operating system available, but if the layers below are not validated and trusted, then attacks can still be successful.

The new solution utilizes Lockheed Martin’s Trusted Virtualization Environment to isolate and encrypt VMs, protecting data in use. This shift toward isolation moves an organization’s security from a reactive stance to a proactive one.

Integrity

To fully ensure platform components have not been tampered with requires a chain of trust from boot to runtime. The new solution starts with a root of trust in silicon and leverages the latest available Intel security technologies, including Intel® Boot Guard, Flash Descriptor Verification, Intel® Resource Director Technology (Intel® RDT) and Intel® AES-NI, to maintain that trust from power-on all the way to the virtualization environment, protecting against attackers and malware seeking to undermine higher level security features. Together, these security features measure, maintain, and verify the integrity of system critical applications at boot and at rest.

Availability

As essential as security is, it shouldn’t be detrimental to QoS. Reaching QoS goals often borders on the impossible in modern virtualized environments due to so-called “noisy neighbor” problems that can impact time-sensitive workloads such as automation, control-systems, real-time monitoring applications, and more. A common response to these issues is to request a larger VM or configure a VM with more cores and more memory. This might work as a stop-gap measure, but this can cause unnecessary per-core licensing and can impact other VMs that are hosted on the same system. Another response is to use multiple bare-metal servers to solve these problems, but this is also an expensive proposition as they consume more physical space, more electricity, and require more maintenance and support.

Intel and Lockheed Martin’s new solution allows multiple bare metal systems to be combined, allowing IT administrators to hit previously unreachable QoS goals within virtualized environments. Utilizing Intel RDT to reserve cache for exclusive use by individual VMs, the new solution helps protect against cache thrash and slow or sluggish response times. This helps ensure that the virtual environment cannot be compromised by adjacent overloaded virtual machines.

Upgrade to Hardware-Based Security

Intel® Select Solutions eliminate guesswork with benchmark-tested and verified solutions optimized for real-world performance. The Intel Select Solution for Hardened Security with Lockheed Martin offers a new way to partition VM resources to maintain system performance and strengthen security. Lockheed Martin’s deep, decades-long expertise in cybersecurity gives this new Intel Select Solution further credibility in the market. Mercury and Supermicro have announced intent to offer availability of this Intel Select Solution in the coming months; additional hardened security solutions will be coming from other partners, like HPE, soon.

Read about Intel’s 2nd Generation Intel® Xeon® Scalable processor security advancements in a blog post by my colleague Anil Rao, and see more of Intel’s hardware-enabled security features and how Intel is providing the industry with a trusted foundation for computing here. Learn more about protecting sensitive data with this Intel Select Solution in a recent podcast featuring my colleague Lisa Davis. To see full configuration details for the Intel Select Solution for Hardened Security with Lockheed Martin, read the solution brief.

Published on Categories SecurityTags , , ,
Garry Binder

About Garry Binder

Garry Binder, an Enterprise Security Architect in Intel’s Data Center Group, has been gaining expertise in this field for more than two decades, working on projects involving cyber security disciplines, secure software development, network security, system security, privacy regulations, and hybrid cloud. He holds CISSP, CISM, CISA, CRISC and Security+ certifications and earned a Bachelor of Science degree in Mathematics and Computer Science. Contacts on LinkedIn are welcome.