Intel Announces New Security Capabilities and Provides Update on Supply Chain Transparency Initiative
RSA CONFERENCE 2020 – San Francisco – Intel announced four new security capabilities and provided further information on its previously-announced Compute Lifecycle Assurance supply chain transparency initiative today at RSA Conference 2020 in San Francisco.
Intel hardware is the bedrock of much of the world’s computing capability. Hardware is also, says Tom Garrison, VP and GM of client security strategy and initiatives at Intel, “the bedrock of any security solution. Just as a physical structure requires a foundation established on bedrock to withstand the forces of nature, security solutions rooted in hardware will provide the greatest opportunity to provide security assurance against current and future threats.”
Intel believes that the next ten years will see more architecture advancements than the last 50 years — starting, perhaps, with Intel’s four new capabilities. These are application isolation, VM and container isolation, full memory encryption, and Intel platform firmware resilience.
Application isolation helps protect data in use with a narrow attack surface. This will expand the existing Intel Software Guard Extensions (SGX) to a broader range of mainstream data-centric platforms, and will provide larger protected enclaves increasing the number of usages leveraging the technology.
VM and container isolation will isolate virtual environments from each other, and from the Hypervisor and cloud provider without requiring application code modifications. Noticeably, the NSA warned in January 2020, “Vulnerabilities in cloud hypervisors (i.e., the software/hardware that enables virtualization) or container platforms are especially severe due to the critical role these technologies play in securing cloud architectures and isolating customer workloads.”
Full memory encryption provides hardware-based encryption that is transparent to the operating system and software layers. Its purpose is to better protect against physical memory attacks.
Intel platform firmware resilience is a field-programmable gate array (FPGA) -based solution that helps protect firmware by monitoring and filtering malicious traffic on the system buses. It verifies the integrity of platform firmware images, and can recover corrupted firmware back to a known good state.
Intel also announced progress on the Compute Lifecycle Assurance Initiative it introduced in December 2019. This initiative is designed to provide transparency and assurance to the complete hardware supply chain and lifecycle (build, transfer, operate and retire), starting with Intel’s own Transparent Supply Chain (TSC) tools.
The basic process is to add a root of trust and chain of trust — using the Trusted Computing Group’s (TCG) Trusted Platform Module 2.0 (TPM) standard — that can be monitored and followed from manufacture through the various different build stages to delivery and use by the customer. “This allows customers to gain traceability and accountability for platforms with component-level reporting,” says Intel.
“This chain of trust process provides essential traceability based on the TPM,” says Thorsten Stremlau, chair of TCG’s marketing work group. “Bringing component-level traceability to platforms and systems increases confidence and reduces the risk of counterfeit electronic parts while also facilitating procurement standards. This is the right direction for the industry.”
TSC is already available for Intel customers across Intel vPro platform-based PCs, Intel NUC, Intel Xeon SP systems, Intel Solid State Drives and certain Intel Core commercial PCs. Under the Compute Lifecycle Assurance Initiative, Intel also provides TSC to ecosystem partners. So far, Hyve Solutions, Inspur, Lenovo (client and server), Mitac, Quanta, Supermicro and ZT Systems have enabled Intel TSC tools. Intel also has active deployments of Intel TSC with enterprise IT and cloud service providers.