By Jason Lackey, HyTrust
People are easily distracted from what is really important. In the military it was long held that strategic planning was key, but these days it is widely accepted that “Amateurs talk tactics, but professionals study logistics.” Similarly, when talking cloud, there are some who dismiss talk of hardware, long since “commoditized.”
Except, of course, that fluffy white stuff in the end has to run on something. It runs on hardware and that hardware has a critical impact on the overall performance, scale and cost of whatever you are doing.
At HyTrust we help secure the cloud. Our partners at Intel supply the engines that power the cloud, virtualized data centers, desktops, laptops and much of the computing world. The good news is that with the launch of the new Broadwell processor line, including the Intel® Xeon® processor E7 v4, those engines just got a tuneup. Actually, upon reflection, perhaps it’s more like bolting on more cylinders with the new Xeon processors supporting up to 24(!) cores.
But there is more to Broadwell and the Xeon processor E7 v4 beyond just raw core count. While AES-NI (x86 instruction set enhancement) already provides hardware acceleration for many common encryption calculations, and Haswell raised the crypto performance bar with the XTS version of AES-NI, Intel has added new Broadwell instructions (PREFETCHW, ADCX, ADOX and RDSEED) for even better encryption and security. Indeed, the hardware-enhanced random number generation enabled by RDSEED is the perfect complement to HyTrust DataControl VM/data encryption solutions. Our developers anticipate being able to use RDSEED with our own source of entropy without changing our FIPS certified DRBG – important in a virtualized key manager.
Beyond “just” hardware acceleration for encryption and other security related tasks, the latest Xeon E7 processors also add SMAP – Supervisor Mode Access Protection, which actually helps the hardware provide better security by making it harder for attackers to access userland memory, helping block NULL pointer and similar attacks.
Intel knows that in order to build the best possible solutions that you need partners and, in an ideal case, a whole community. One of the interesting points in the recent Intel “Cloud Day” press event was about Intel and VMware working together with NIST to build Centers of Excellence. We are proud to be a charter member. We also invite you to check out the NIST/NCCoE Building Block, Trusted Geolocation in the Cloud which highlights cloud geofencing/boundary control capabilities powered by Intel’s TXT “hardware root of trust” and HyTrust.
These are exciting times to be working in the cloud and exciting times to be in security, but every time I hear someone prattle on about how “hardware is just a commodity” I can’t help but laugh because it’s just the opposite.
At the most fundamental levels, the hardware is becoming more and more powerful, taking on more and more complex tasks including encryption acceleration, geofencing, blocking attacks and even generating more random pseudorandom numbers and seeds. On top of it, the CPUs are gaining more cores (remember, up to 24 with the E7 v4) and in the case of an 8-socket system can address up to 24 TB of RAM, more cache and better, faster IO.
So while some will talk about commodity hardware, at HyTrust our engineering teams are more focused on new CPU features and how we can make better use of things like AES-NI, TXT and RDSEED to better meet the needs of our customers. In technology it is rare to find a good partner you can depend on, it is rarer still to find one who keeps bringing more to the table.
Anyone else looking forward to v5?