Yesterday, Intel hosted our Security Day leading into the RSA Conference. What was special about this year is we had a full day to share our security vision, and I had the opportunity to share my thoughts on Intel's data-centric security strategy.
Our data center security strategy is built on a commitment to secure the platform and protect the data without compromising performance. As cyberattacks move down the layers of the system stack, software-only and perimeter-only security strategies are no longer enough. Intel’s products are architected to deliver deeper security, with built-in, silicon-enabled security technologies that help protect potential attack surfaces. Rooted in silicon, our security technologies help create a trusted foundation for computing that customers can depend on.
Now more than ever, we’re processing and sharing highly sensitive information like medical records, financial data, and proprietary information that needs to stay encrypted wherever it resides – from your on-premises data center to the public cloud and edge.
Common security measures typically protect data at rest and in transit, but often fall short of protecting data while it is being actively computed in memory – possibly the most challenging and important step in a fully-encrypted data lifecycle.
Protecting Data In Use
Protecting data in use is the new frontier. When we say protecting data, we mean protecting your data from other applications or tenants, from the service provider, or even malicious code with root privileges, so that even if your data is being processed in someone else’s system, they cannot get access to it. This is where we see confidential computing coming in. I like to think of confidential computing as focusing on protecting data during computation - especially when it takes place in a platform or environment we do not directly control. Data owners want to have to trust as few parties as possible. Hardware can play a critical role in establishing trust and reducing who can access your data. This is why Intel is a founding member of the Confidential Computing Consortium, an open source community dedicated to defining and accelerating the adoption of confidential computing. Accelerating adoption of confidential computing will require collaboration and standards from parties across the industry, including hardware vendors, cloud providers, developers, open source experts, academics, and more.
Confidential computing enables a whole range of new usage scenarios, including migrating extremely sensitive workloads and data to the cloud, and enabling multi-party sharing scenarios that have been difficult to build due to privacy, security, and regulatory requirements. Another example is Federated Learning, which enables parties to securely conduct machine learning across broader data sources while keeping algorithms and data sets confidential.
These are not just theories for the future. Intel is ready with offerings in the Confidential Computing space now. In fact, Intel® Software Guard Extensions (Intel® SGX), an application isolation technology, is the most researched, tested, and deployed solution for hardware-based trusted execution in the market today. Intel has a robust ecosystem of partners and developers that are already deploying software and services built on Intel® Software Guard Extensions. I was joined on stage by Scott Woodgate, Microsoft Sr Director of Azure Security and Management Marketing, to talk about how they are deploying Intel® Software Guard Extensions in their own Microsoft Azure DC series virtual machines to help protect their customers’ data. Scott walked through a recent scenario from financial services focused on fraud protection or money laundering. "We’ve seen multiple banks around the world implement multi-party machine learning to find specific patterns on fraud and help the bottom line of these banks. To do this, banks perform machine learning to find patterns on shared datasets in Azure using Intel SGX enabled protected enclaves without ever exposing an individual bank’s dataset to other parties including banks or even an administrator on the virtual machines.”
New Data Protection Innovations Coming
I also shared some new innovations we have coming in the future. We've listened to our customers and partners and know that there's room for growth to make security capabilities more scalable and easier to deploy as data-intensive demands increase. We're working to bring customers more choice so they can balance their needs between ease of scaled deployment and level of data isolation.
First and foremost, we’ll bring Intel® Software Guard Extensions to a broader line of mainstream server platforms, with larger protected enclaves, to enable improved performance. We’ll also extend the confidential compute paradigm to include offload accelerators such as FPGAs and GPUs. This will greatly expand the number of usages that will be able to leverage advanced application isolation capabilities. To provide even more choice, we’ll also bring full memory encryption to help protect against additional styles of physical-based attacks and streamline VM and Container isolation which will bring “easy button” memory protections for virtualized environments.
Platform and Performance Choices
Intel offers more choice around platform and performance solutions. Security solutions are only as strong as the layers below them, so the reliability of the platform firmware is also critical. We’ve seen individual vendors and the open platform community beginning to address this space, and we’re excited to contribute as well. Intel® Platform Firmware Resilience (Intel® PFR) is an Intel® FPGA based solution that Intel has developed to help protect platform firmware components by monitoring and filtering malicious traffic on the system buses, verifying the integrity of platform firmware images before any firmware code is executed, and even restoring corrupted firmware to a known-good state from a protected gold recovery image. We like to simplify this all by saying Intel Platform Firmware Resilience protects, detects, and corrects.
Combined with other Trusted Boot technologies that Intel delivers on each new platform generation, these new capabilities continue to raise the bar for resistance against attack and help provide a trusted foundation for modern cloud and enterprise deployments.
Intel continues to lead by bringing innovative security solutions to market. We work with the security ecosystem to drive broad industry advancements, and we encourage you to check out our resources at https://www.intel.com/securityinnovations.
Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries.