Server Security Technologies: New Lines of Defense for IT

667 views
556 views

Published on

Published in: Technology
1 Comment
0 Likes
Statistics
Notes
  • Be the first to like this

No Downloads
Views
Total views
667
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
16
Comments
1
Likes
0
Embeds 0
No embeds

No notes for slide

Server Security Technologies: New Lines of Defense for IT

  1. 1. Data Center and Connected Systems Group:Server Security TechnologiesJames J Greene IIISr Product Marketing Engineer, Security TechnologiesAugust 2012 Intel Confidential
  2. 2. Legal DisclaimerIntel may make changes to specifications and product descriptions at any time, without notice.Software and workloads used in performance tests may have been optimized for performance only on Intelmicroprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computersystems, components, software, operations and functions. Any change to any of those factors may cause the resultsto vary. You should consult other information and performance tests to assist you in fully evaluating yourcontemplated purchases, including the performance of that product when combined with other products. For moreinformation on performance tests and on the performance of Intel products, visit http://www.intel.com/performanceIntel does not control or audit the design or implementation of third party benchmarks or Web sites referenced in thisdocument. Intel encourages all of its customers to visit the referenced Web sites or others where similar performancebenchmarks are reported and confirm whether the referenced benchmarks are accurate and reflect performance ofsystems available for purchase.Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which maycause the product to deviate from published specifications. Current characterized errata are available on request.Intel® Virtualization Technology (Intel® VT) requires a computer system with a processor, chipset, BIOS, virtualmachine monitor (VMM) and applications enabled for virtualization technology. Functionality, performance or othervirtualization technology benefits will vary depending on hardware and software configurations. Virtualizationtechnology-enabled BIOS and VMM applications are currently in development.Intel, Intel Xeon, Intel Core microarchitecture, and the Intel logo are trademarks or registered trademarks of IntelCorporation or its subsidiaries in the United States and other countries.No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel®TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset,BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLEcould consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system tocontain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For moreinformation, see hereThe original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPMfunctionality must be initialized and may not be available in all countries.Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software toexecute the instructions in the correct sequence. AES-NI is available on select Intel® processors. For availability,consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/© 2011 Standard Performance Evaluation Corporation (SPEC) logo is reprinted with permission
  3. 3. Server Security TechnologiesAgendaSecurity trends and concernsIntel provides foundation for best secure processingMeeting the security challenge:Technologies and use models to mitigate pain pointsSummary
  4. 4. Server Security Technologies Security in the Enterprise Trends Security Concerns Growing for Datacenter and Cloud Trend: Shift in types of attack Platform as a target, not just software Stealth and control as objectivesTrend:Increased complianceconcerns, costs Trend: Datacenter Changes in architecturesUK Data Protection Act, FedRAMP,Payment Card Industry (PCI), etc. require new protectionsrequire security enforcement and Virtualization andcreate audit needs multi-tenancy 3rd party dependencies Blurred boundary
  5. 5. Server Security TechnologiesSecurity Concerns Limit Adoption of CloudBetter Security is Essential for Cloud Growth Gain visibility Maintain control Prove compliance IT Pro survey of key concerns: 57% 61% 55% Avoid putting workloads Say lack of visibility Lack of control over with compliance inhibiting private public cloud1 mandates in cloud1 cloud adoption1 1 McCann 2012 State of Cloud Security Global Survey, Feb 2012
  6. 6. Isolate Enforce EncryptServer Security TechnologiesIntel® Technologies: Server SecurityEstablishing the Foundation for More Secure Computing Isolate Enforce Encrypt Intel® VT and Intel® TXT Intel® AES-NI Intel® TXT Delivers built-inProtects VM isolation and Establishes “trusted” status encryption acceleration provides a more secure foundation for security policy- for better data platform launch based workload control protection Mf. VM1 VM2 Policy VM2 VM3 VM1 VMM VMM VMM Available in Intel® Xeon® E3, E5 and E7 Based Cisco UCS Servers
  7. 7. Isolate Enforce EncryptServer Security TechnologiesPain Point #1: IsolationIsolating Workloads on Shared Infrastructures is Critical Homeland Security’s Subcommittee Hearing: A major concern of Cloud Computing: What are shared infrastructure the Security Implications?1 Lack traditional guarantees of Multi-Tenant Solutions: physical separation The Pros, the Questions and Integration Concerns2 Multiple workloads may tamper or interact with each other Security Guidance for Critical Areas of Focus in Cloud Computing3 *Other names and brands may be claimed as the property of othersSource 1: http://www.outlookseries.com/A0995/Security/3817_Homeland_Security_Hearing_Cloud_Computing_Implications.htmSource 2: http://www.itbusinessedge.com/cm/blogs/lawson/multi-tenant-solutions-the-pros-the-questions-and-integration-concerns/?cs=45181&page=2Source 3: https://cloudsecurityalliance.org/csaguide.pdf
  8. 8. Isolate Enforce EncryptServer Security TechnologiesA Fresh Look at Intel® VTHardware Provides Stronger Isolation of VMs Intel® Virtualization TechnologyTraditional serverVMM-based uses Intel® VT for IA- Intel® VT for 32 and Intel® 64 Directed I/OIsolation needed for: (Intel® VT-x) (Intel® VT-d) HW support for HW support forSeparation of development isolated execution isolated I/Oand production environmentsTechnology demonstrationsNew cloud security-related usesIsolation of workloads in VM1 VM2multi-tenant cloudMemory monitoring formalware detection VMMDevice isolation for protectionagainst DMA attacks
  9. 9. Isolate Enforce EncryptServer Security TechnologiesPain Point #2: EnforcementNew Controls Needed to Enforce Protection of Infrastructure Pre-runtime environment Mebromi: The First BIOS target of new Rootkit in the Wild1 attacks Protections abstracted away NIST Guidelines Seek by virtualization to Minimize Risk of BIOS attacks2 and cloud Low-level attacks US Dept of Homeland are hard to detect Security Cyber Security and can be Research & Development difficult to recover Broad Agency Announcement from (BAA): BAA 11-023 *Other names and brands may be claimed as the property of othersSource 1: http://www.outlookseries.com/A0995/Security/3817_Homeland_Security_Hearing_Cloud_Computing_Implications.htmSource 2: http://www.itbusinessedge.com/cm/blogs/lawson/multi-tenant-solutions-the-pros-the-questions-and-integration-concerns/?cs=45181&page=2Source 3: https://cloudsecurityalliance.org/csaguide.pdf
  10. 10. Isolate Enforce EncryptServer Security TechnologiesIntel® Trusted Execution Technology (Intel® TXT)Hardens and Helps Control the Platform Trusted PoolsIntel® TXT: Control VMs based on platform trust to better protect dataEnables isolation andtamper detection inboot process Trusted LaunchComplements runtime Verified platform integrity reduces malware threatprotectionsHardware based trustprovides verification Internetuseful in complianceTrust status usable bysecurity and policyapplications to controlworkloads Compliance Hardware support for compliance reporting enhances auditability of cloud environment
  11. 11. Isolate Enforce EncryptServer Security TechnologiesPain Point #3: EncryptionGrowing Burden to Work With Encrypted Data Nevada Enacts Encryption Growing regulatory Law for Data demands to protect Transmission1 data physically or by encryption Data loss is a very Encrypt Now to Meet painful/expensive New Massachusetts problem for businesses Data Protection Law2 Cloud, with its dynamic, boundless and multi-tenant Louisiana Personal Information Data Privacy characteristics make Notification and Encryption data protection even Laws: more difficult SB 205 Act 4993 *Other names and brands may be claimed as the property of others1 http://www.crn.com/security/210605176;jsessionid=3BR5SYATQOCOHQE1GHPCKHWATMY32JVN2 http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1346761,00.html3 http://www.alertboot.com/blog/blogs/endpoint_security/archive/2009/10/16/louisiana-personal-information-data-privacy-notification-and-encryption-laws-sb-205-act-499.aspx
  12. 12. Isolate Enforce EncryptServer Security TechnologiesData Protection with Intel® AES-NIEfficient Ways to Use Encryption for Data Protection Data at RestIntel® AES-NI: Full disk encryption software protects data while saving to diskSpecial math functions Data in Motionbuilt in the processor Secure transactions used pervasively in ecommerce,accelerate processing banking, etc.of crypto algorithmslike AES Internet Intranet• Includes 7 new instructionsMakes enabledencryption softwarefaster and stronger Data in Process Most enterprise and cloud applications offer encryption options to secure information and protect confidentiality
  13. 13. Server Security TechnologiesSummary: Intel® Helps Protect Your BusinessEnhance your infrastructure with Intel ® Xeon® Processor-based Cisco UCS systems Intel® VT VM1 VM2 Isolate Protect system from tampering and segregate VMM workloads on shared resources VM2 VM3 Enforce Intel® TXT VM1 Control over virtualized environments with VMM VMM better visibility into system integrity Intel® AES-NI Encrypt Provide better protection of data in flight, in use and at rest Leading Use Models Growing Ecosystem

×