We've secured our CPU silicon, and ready to secure your business, says post-Meltdown Intel
Security stepped up after academics and hackers step up their bug-hunting game
Sponsored There used to be a set process for securing the enterprise, with measures that could be put in place by any competent network manager.
There would be perimeter devices, such as firewalls, to deter miscreants, and antivirus software on every PC to protect users who ignored the safety rules. These systems kept out most criminals and mischief-makers. Provided staff followed security procedures, such as using strong multi-factor authentication, chief security officers could be reasonably sure their organisations were protected.
In the past decade, the situation has become more complicated.
For one thing, the growth of cloud has introduced another dimension to the process of safeguarding a corporate infrastructure: the need to ensure that any off-premises services being deployed are properly secured. That means you must verify that your cloud service provider has adequate security in place. This is not usually an issue, as security is in the service providers’ DNA and, as such, they will generally have higher levels of protection than most enterprises.
The main issues that arise will be regulatory ones, with the cloud provider needing to conform to various regulatory demands – GDPR, for example, defines particular data-protection duties for cloud providers.
Perhaps the biggest concern of all is the sheer size of cloud data centres. A vulnerability that affects one physical server in one location can put many virtual machines at risk. We see this particularly with containers, where a rogue actor can take control of interconnected environments.
These large data centres thus present a tempting target for cyber-criminals. It is true that cloud service providers invest heavily in security, installing the latest equipment, and employing the top experts in the field, though the rewards for beating the system are great.
One way Intel® can beef up security within data centres is to add protection mechanisms to servers. The company has developed the Intel® SGX card, which provides its Software Guard Extensions (SGX) technology to host machines.
The SGX card was designed particularly for cloud providers. It works by creating secure environments in which code can execute free from outside tampering and snooping: specific application code and data runs in private regions of memory, known as enclaves, which are isolated from all other software. This allows trusted, sensitive code to run safely on off-premises servers even if you do not trust every layer of the stack. This is vital when running sensitive workloads on a public cloud provider.
Meanwhile, an Intel® innovation called Threat Detection Technology (TDT) uses a host server's hardware to accelerate the detection of malware, by scanning memory for evidence of infection and by scanning system events for suspicious activity. This can be combined with machine-learning software and antivirus tools to generate alerts so that appropriate action can be taken. It is a technology that can be used to identify and terminate threats before they spread across servers.
TDT support has been incorporated into some security software products. It has proved to be particularly effective at detecting cyber-criminals mining cryptocurrencies on compromised systems – a phenomenon known as cryptomining.
There are other ways to protect servers. The introduction of Intel® Optane™ DC Persistent Memory has changed the approach to security within data centres. The technology uses 256-bit AES encryption to securely store data, which is always active and does not have to be configured, and it does not hinder the performance of applications.
Optane™ DC Persistent Memory has proved to be an effective solution within data centres that handle large and sophisticated databases. It is particularly effective when number-crunching large datasets of customer information, the type of data that is commercially sensitive and requires multiple safeguards. By adding memory encryption to servers within the data centre, you gain an additional level of protection.
And it’s not just the upper layers of software and data you have to worry about. In the past, there would rarely be any concerns about the integrity of the actual machines itself. That’s all changed now, and enterprises have to contend with the very real danger of vulnerabilities at the silicon level. There is the potential for criminals to exploit flaws within server processors to siphon off data. These are vulnerabilities at the heart of many machines.
The first sign of trouble came in January 2018 when two chip-level vulnerabilities – Meltdown and Spectre – were revealed by security experts. No attacks were seen in the wild. The researchers went on that year to identify more variations of the side-channel vulnerabilities. In 2019, another flaw ‒ ZombieLoad – was identified.
The discovery of processor-level security weaknesses have clearly had a sobering effect on Intel®. As a result of its market dominance, Intel® was widely hit, though similar flaws were also found in processors designed by the likes of AMD, Arm, and others. Chip engineers across the industry have therefore had to come to terms with these families of side-channel leaks. The question is: how do you react to these threats?
The negative publicity generated by the disclosure of Meltdown, Spectre, ZombieLoad et al could have severely hurt Intel®. However, its fast and comprehensive response to the discoveries demonstrated the company was, and still is, well positioned to mitigate and address these types of flaws.
It’s a thorny issue for IT managers to deal with. A non-trivial fleet of workstations, PCs, servers, and other devices, will use a wide mix of processors, applications, and operating systems, some patched, some with patches still to install, and some unable to be patched, depending on the circumstances. The best guidance for IT managers to protect against CPU-level attacks – unlikely as they are – is to deploy only machines with the latest generations of processors inside them.
If that’s not economically viable, administrators should certainly make sure that all necessary microcode patches and software mitigations are installed.
Intel® says these side-channel leaks can only be maliciously exploited in the wild by highly sophisticated cyber-criminals. The archetypal hacker in the bedroom won't have the skills to abuse these flaws in the real world to steal information.
Having said that, Intel® has, among releasing software updates, addressed the weaknesses permanently in its newest generation of processors. The second-generation Xeon® Scalable processors have these security defenses built in, as does the eighth-generation Core™ processors. There will be fixes introduced into all subsequently released processors.
These side-channel leaks are particularly dangerous in environments running large numbers of virtualized servers on shared host servers in the cloud. It is problematic because it is possible for a malicious virtual machine to eavesdrop on a victim's VM. The larger data centre operators are very security conscious, and will be fully-patched and protected, though if you’re thinking of using a cloud provider, it’s certainly wise to ask which processors are being used and whether have they been shored up against side-channel attacks.
Whether a miscreant exploits the processor itself or an application deployed in the cloud, it is clear organisations are under pressure like never before. The multi-faceted approach taken by Intel® demonstrates how it is no longer adequate to have only one type or layer of protection against criminal behavior.
It is a case of strengthening safeguards with CPU cores; of using strong encryption; and of isolating and analyzing code and data in memory. The traditional methods of protection – firewalls and antivirus packages – should not been discarded, though they need to be complemented by a fresh approach to security, ensuring you do not become an easy target for increasingly sophisticated cyber criminals.
Sponsored by Intel®