Server Security Technologies
Data Center and Connected Systems Group
James J Greene III, Sr Product Marketing Engineer, Security Technologies
August 2012
Intel Confidential
Jan 15, 2015
Legal Disclaimer
Intel may make changes to specifications and product descriptions at any time, without notice.
Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information on performance tests and on the performance of Intel products, visit http://www.intel.com/performance
Intel does not control or audit the design or implementation of third party benchmarks or Web sites referenced in this document. Intel encourages all of its customers to visit the referenced Web sites or others where similar performance benchmarks are reported and confirm whether the referenced benchmarks are accurate and reflect performance of systems available for purchase.
Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Intel® Virtualization Technology (Intel® VT) requires a computer system with a processor, chipset, BIOS, virtual machine monitor (VMM) and applications enabled for virtualization technology. Functionality, performance or other virtualization technology benefits will vary depending on hardware and software configurations. Virtualization technology-enabled BIOS and VMM applications are currently in development.
Intel, Intel Xeon, Intel Core microarchitecture, and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see here
The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.
Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/
© 2011 Standard Performance Evaluation Corporation (SPEC) logo is reprinted with permission
Agenda
Security trends and concerns
Intel provides foundation for best secure processing
Meeting the security challenge:
Technologies and use models to mitigate pain points
Summary
Security in the Enterprise Trends
Security Concerns Growing for Datacenter and Cloud
Trend: Changes in architectures require new protections
Virtualization and multi-tenancy
3rd party dependencies
Blurred boundary
Trend: Increased compliance concerns, costs
UK Data Protection Act, FedRAMP, Payment Card Industry (PCI), etc. require security enforcement and create audit needs
Trend: Shift in types of attack
Platform as a target, not just software
Stealth and control as objectives
Security Concerns Limit Adoption of Cloud
Better Security is Essential for Cloud Growth
IT Pro survey of key concerns1 (figures shown on the slide: 57%, 61%, 55%):
Say lack of visibility is inhibiting private cloud adoption1
Lack of control over public cloud1
Avoid putting workloads with compliance mandates in cloud1
Corresponding needs: Gain visibility, Maintain control, Prove compliance
1 McCann 2012 State of Cloud Security Global Survey, Feb 2012
Isolate: Intel® VT and Intel® TXT
Enforce: Intel® TXT establishes "trusted" status as the foundation for security policy-based workload control
Encrypt: Intel® AES-NI
Isolate Enforce Encrypt
Intel® Technologies: Server Security
Establishing the Foundation for More Secure Computing
Intel® AES-NI: Delivers built-in encryption acceleration for better data protection
Intel® VT and Intel® TXT: Protect VM isolation and provide a more secure platform launch
[Figure: VMM hosting isolated VMs (VM1, VM2, VM3) with a launch policy check]
Available in Intel® Xeon® E3, E5 and E7 Based Cisco UCS Servers
Pain Point #1: Isolation
Isolating Workloads on Shared Infrastructures is Critical
Homeland Security's Subcommittee Hearing: Cloud Computing: What are the Security Implications?1
Multi-Tenant Solutions: The Pros, the Questions and Integration Concerns2
Security Guidance for Critical Areas of Focus in Cloud Computing3
A major concern of shared infrastructure
Lack of traditional guarantees of physical separation
Multiple workloads may tamper or interact with each other
*Other names and brands may be claimed as the property of others
Source 1: http://www.outlookseries.com/A0995/Security/3817_Homeland_Security_Hearing_Cloud_Computing_Implications.htm
Source 2: http://www.itbusinessedge.com/cm/blogs/lawson/multi-tenant-solutions-the-pros-the-questions-and-integration-concerns/?cs=45181&page=2
Source 3: https://cloudsecurityalliance.org/csaguide.pdf
A Fresh Look at Intel® VT
Hardware Provides Stronger Isolation of VMs
Intel® Virtualization Technology:
Intel® VT for IA-32 and Intel® 64 (Intel® VT-x): HW support for isolated execution
Intel® VT for Directed I/O (Intel® VT-d): HW support for isolated I/O
Traditional server VMM-based uses, where isolation is needed for:
Separation of development and production environments
Technology demonstrations
New cloud security-related uses:
Isolation of workloads in multi-tenant cloud
Memory monitoring for malware detection
Device isolation for protection against DMA attacks
[Figure: VMM hosting isolated VM1 and VM2]
Pain Point #2: Enforcement
New Controls Needed to Enforce Protection of Infrastructure
US Dept of Homeland Security Cyber Security Research & Development Broad Agency Announcement (BAA): BAA 11-023
NIST Guidelines Seek to Minimize Risk of BIOS attacks2
Mebromi: The First BIOS Rootkit in the Wild1
Pre-runtime environment is the target of new attacks
Protections are abstracted away by virtualization and cloud
Low-level attacks are hard to detect and can be difficult to recover from
Intel® Trusted Execution Technology (Intel® TXT)
Hardens and Helps Control the Platform
Enables isolation and tamper detection in the boot process
Complements runtime protections
Hardware-based trust provides verification useful in compliance
Trust status usable by security and policy applications to control workloads
Intel® TXT use models:
Trusted Launch: Verified platform integrity reduces malware threat
Trusted Pools: Control VMs based on platform trust to better protect data
Compliance: Hardware support for compliance reporting enhances auditability of cloud environment
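As an added illustration (not Intel's or Cisco's code) of how the trust status produced by a measured launch feeds a trusted-pool policy: a Python sketch that compares the PCR values a host reports against a known-good whitelist and places compliance-tagged VMs only on hosts that match. Host names, PCR contents and hash values are constructed samples; the use of PCRs 17 and 18 for the TXT dynamic-launch measurements is simplified for illustration.

```python
"""Trusted-pool placement driven by measured-launch results (added example)."""
from hashlib import sha256

# Known-good measurements (constructed). A real deployment records these from a
# golden host after an attested launch; PCR 17 covers the TXT launch components
# and PCR 18 the measured launch environment (MLE), i.e. the hypervisor.
KNOWN_GOOD = {
    17: sha256(b"acm+bios-v1").hexdigest(),
    18: sha256(b"mle-hypervisor-v1").hexdigest(),
}


def host_is_trusted(quote: dict, whitelist: dict = KNOWN_GOOD) -> bool:
    """A host is trusted only if every whitelisted PCR is present and matches;
    a missing PCR is treated the same as a mismatch."""
    return all(quote.get(pcr) == good for pcr, good in whitelist.items())


def place_vms(hosts: dict, vms: list) -> dict:
    """Assign VMs to hosts in order. VMs tagged requires_trusted are placed only
    on trusted hosts; a VM with no eligible host maps to None rather than being
    silently placed on an untrusted platform."""
    trust = {name: host_is_trusted(quote) for name, quote in hosts.items()}
    placement = {}
    for vm in vms:
        eligible = [h for h, ok in trust.items() if ok or not vm["requires_trusted"]]
        placement[vm["name"]] = eligible[0] if eligible else None
    return placement


# Constructed attestation quotes: host-a launched cleanly; host-b reports a
# different MLE measurement (e.g. a modified hypervisor) and must not be trusted.
HOSTS = {
    "host-a": {17: KNOWN_GOOD[17], 18: KNOWN_GOOD[18]},
    "host-b": {17: KNOWN_GOOD[17], 18: sha256(b"mle-hypervisor-tampered").hexdigest()},
}
VMS = [
    {"name": "pci-db", "requires_trusted": True},    # compliance-mandated workload
    {"name": "dev-test", "requires_trusted": False},
]

if __name__ == "__main__":
    for name, quote in HOSTS.items():
        print(name, "trusted" if host_is_trusted(quote) else "UNTRUSTED")
    print(place_vms(HOSTS, VMS))
```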
Pain Point #3: Encryption
Growing Burden to Work With Encrypted Data
Nevada Enacts Encryption Law for Data Transmission1
Encrypt Now to Meet New Massachusetts Data Protection Law2
Louisiana Personal Information Data Privacy Notification and Encryption Laws: SB 205 Act 4993
Growing regulatory demands to protect data physically or by encryption
Data loss is a very painful and expensive problem for businesses
Cloud, with its dynamic, boundless and multi-tenant characteristics, makes data protection even more difficult
1 http://www.crn.com/security/210605176;jsessionid=3BR5SYATQOCOHQE1GHPCKHWATMY32JVN
2 http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1346761,00.html
3 http://www.alertboot.com/blog/blogs/endpoint_security/archive/2009/10/16/louisiana-personal-information-data-privacy-notification-and-encryption-laws-sb-205-act-499.aspx
Data Protection with Intel® AES-NI
Efficient Ways to Use Encryption for Data Protection
Special math functions built into the processor accelerate processing of crypto algorithms like AES
• Includes 7 new instructions
Makes enabled encryption software faster and stronger
Intel® AES-NI use models:
Data in Motion: Secure transactions used pervasively in ecommerce, banking, etc.
Data in Process: Most enterprise and cloud applications offer encryption options to secure information and protect confidentiality
Data at Rest: Full disk encryption software protects data while saving to disk
Summary: Intel® Helps Protect Your Business
Enhance your infrastructure with Intel® Xeon® Processor-based Cisco UCS systems
Isolate: Protect system from tampering and segregate workloads on shared resources
Enforce: Control over virtualized environments with better visibility into system integrity
Encrypt: Provide better protection of data in flight, in use and at rest
[Figure: VMM/VM diagrams for Intel® TXT, Intel® VT and Intel® AES-NI]
Leading Use Models
Growing Ecosystem