Security Hardware Differentiated Through Licensed Software: a High-Tech Manufacturer’s Case Study

839 views

Published on

by J Ryan Kenny: Product Marketing, CPU Tech and Yan Huang: Director of Software Development, CPU Tech Presented at SoftSummit 2010

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
839
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Security Hardware Differentiated Through Licensed Software: a High-Tech Manufacturer’s Case Study

  1. 1. Security Hardware DifferentiatedThrough Licensed SoftwareHigh-Tech Manufacturer’s Case Study
  2. 2. Agenda• CPU Tech Market• Company Overview• Product Overview• Customer Development Cycle• Flexera Software Licensing to Support Development
  3. 3. Agenda• CPU Tech Market• Company Overview• Product Overview• Customer Development Cycle• Flexera Software Licensing to Support Development
  4. 4. Electronics Component Markets• Semiconductor Markets in 2011, Gartner: –Overall estimate about $320 Billion –Processor-based chips: $144 Billion –Military/Industrial Market, System-on-Chip, 32-bit+: $500 Million, 20% CAGR• Of the entire semi-conductor market: “System-on-Chip Products Will Drive Growth”
  5. 5. Numerous Recent Security Threats
  6. 6. Pendulum Swings in Defense Electronics over Time Commercial Military Driven Proliferation of Aviation and Auto Markets Proliferate IP Protection Market Performance Concerns Standards (Anti-Tamper Dual Use Required) Components Custom Proliferate Commercial Components Full MIL-STD Cryptography Requirements Proliferates ‘Perry Memo’ COTS and Open Source Trust Rise in Intelligence Concerns And Cryptography Defense Open (US Sources Sources and Required) Defense Architectures Funding War-Time Priorities Mobilization Availability Concerns (US Sources Required)No DistinctMilitary Market Tech Boom Marginalizes Military Requirements Commercial Driven Market
  7. 7. Agenda• CPU Tech Market• Company Overview• Product Overview• Customer Development Cycle• Flexera Software Licensing to Support Development
  8. 8. What We Do: Develop Secure and CompatibleTechnology Understanding how to build secure systems CPU Tech’s Proven Approach CPU Tech Founded 1989 Understanding how to design secure systems and eliminate Understanding System vulnerabilities Vulnerabilities1980 1985 1990 1995 2000 2005 2010
  9. 9. Who We Are: Products and Services Clients and Partners• Founded in 1989 with a vision of making compatible System-on-a- Chip (SoC) technology economically practical• CPU Tech produces the Acalis® family of Secure Processors that protect software and systems from reverse engineering• CPU Tech offers secure processing implementation services to assist customers in achieving security goals and certifications• Veteran Owned, Small Business, Headquartered in Pleasanton, CA – Rep Firms across America
  10. 10. Agenda• CPU Tech Market• Company Overview• Product Overview• Customer Development Cycle• Flexera Software Licensing to Support Development
  11. 11. Acalis® CPU872 Secure Processor• Multi-Core Device with Integrated Security Processor & Offload Engines• IBM Trusted Foundry• Extensive, Multi-Layered Security to Protect Against Reverse Engineering• Two Complete PowerPC® Nodes• Scalable without Additional Devices• Power Efficient Processing
  12. 12. Acalis® Development EnvironmentH Acalis® CPU872 H Acalis® EB872 Secure Processor Evaluation BoardS Security Processor API T Acalis® Software Development Kit T Acalis S Embedded RTOS/OS SentryTM H Hardware: Devices & Boards S Software: Embedded User Software T Development Tools: Software Developer & Security Engineer Tools
  13. 13. Acalis Sentry™ Advantages• Graphical User Interface: Offers menu-driven, easy-to-use security configuration• Secure Data Transfer: Mocana SSL data security and authentication• Security Engineer Role: Clearly separates security role from software developer role• Access Rules: Provides clear implementation of settings on chip firewalls between processors, IO, and on-chip/off-chip memory• Trusted Source Environment: Adds hardware trust to your design environment in critical areas of encryption key and boot code management
  14. 14. How Acalis Sentry™ WorksAcalis® Design Environment Acalis Sentry™ Management Console Acalis® IDE Network Sentry Connection – Security Config – Sentry Connection S/W Encryption Boot Image AEC+AES Encrypted Image Acalis Sentry™
  15. 15. The Role of a Security Engineer • Current Role/ResponsibilitiesAcalis Sentry™ Management Console – Deeply embedded in software design – Line-by-line verification – Constant revision of design practices With Acalis SentryTM Security Server… • New Role/Responsibilities – Security separated from software design – Menu-defined security decisions – Clearly defined constraints for software designers – Simplifies „what-if‟ scenarios when changing security requirements
  16. 16. Agenda• CPU Tech Market• Company Overview• Product Overview• Customer Development Cycle• Flexera Software Licensing to Support Development
  17. 17. Defense Acquisition Process Programs have extensive Government reviews and milestones
  18. 18. Phases of Defense Customer Development Design SystemRequirements System Design and Integration Manufacturing/Support Test Prototype• This Life-Cycle can be 5-10 Years for Defense Programs• The Full Function of Acalis Sentry not Required in All Phases• There are sometimes security concerns in design – Not everyone in integration, test, or manufacturing need to understand sensitive design details – Some security settings are „locked down‟ for the remainder of the program – Some programs „compartmentalized‟, where engineers and users have different accesses
  19. 19. Supply Chain Security• The fact that „Supply Chain‟ pieces are now global is a concern to some defense officials• White House Issued „Comprehensive National Cyber Security Initiative‟ (CNCI) and Declassified in 2010• Part of the CNCI is Supply Chain Security: – “Risks stemming from both the domestic and globalized supply chain must be managed in a strategic and comprehensive way over the entire lifecycle of products, systems and services. “ – CNCI Initiative #11 Acalis Sentry is a customer offering by CPU Tech to help secure the supply chain in the development process through role and feature based licensing
  20. 20. Agenda• CPU Tech Market• Company Overview• Product Overview• Customer Development Cycle• Flexera Software Licensing to Support Development
  21. 21. Overview of Flexera Software Capabilities• CPU Tech currently utilizing several Flexera Software products• For the Acalis Sentry, using: – FlexNet Embedded – FlexNet Operations• This enables us to license several different „subscription licenses‟ to Acalis Sentry all from the same secure hardware
  22. 22. CPU Tech’s Business Challenges• Both desktop and embedded software provide different levels of functionality, operations, and security• Need to offer feature-based and role-based licensing and pricing models to our customers• Need to provide embedded-node-locked and floating licensing capability• Need to offer both off-line (for machines operating in a classified area) and web-based activation options to our customers• Need to be able to automate the activation process
  23. 23. CPU Tech’s Evaluation Criteria in SelectingFlexNet Producer Suite• Appropriate and adequate cryptographic encryption for license key protection and storage• Small memory footprint• Supported our processor architecture• Supported embedded OS‟s (OS independent, and easy to port)• Supported programming language• Performance and reliability• Easy to manage and track the license entitlement• License activation automation• Integration with other management systems, such as SalesForce• Total Cost of Ownership
  24. 24. Example Use Case of FlexNet Technology Embedded inAcalis Sentry Admin Developer Security How License Acalis® EB872 Engineer Works Evaluation Board  License Resides in Bootable Embedded Software  Determines Accesses and Privileges Based Active on Edition License  License pre- installed or updated by user Manufacturing Acalis SentryTM
  25. 25. Future Capabilities Enabled by FlexNet Embedded Admin Developer Security Engineer Acalis® EB872 Options: Evaluation Board  Off-line activation locked to device  Floating license on a license server  Provisioning server to Provisioning or automate the Generated License license update  Web-based license activationAcalis SentryTM Acalis SentryTM Manufacturing
  26. 26. Role and Mode Rules for Acalis SentryRoles Needed in Acalis Sentry: Design Phases for Acalis Sentry:• Administrator: Sets passwords, • Development: This encompasses all administrative options, license software development, requires activities multiple changes and security settings• Developer: Provides mission • Test/Integration: This phase requires embedded software, final embedded some controlled code and security images setting changes• Security Engineer: Sets security • Manufacturing: This phase requires settings in secure processor no code changes, but controls sensitive• Manufacturer: Final distributor of image distribution encrypted bootable image • Support: This phase typically involves only documentation, audit, reports
  27. 27. Matching Roles/Modes to Customer Design Model Design System Requirements System Design and Integration Manufacturing/Support Test Prototype Full Sentry Assembly Creation Results in Manufacturing Four Static‘Subscription Assembly Licenses’ Full Sentry Creation Manufacturing Static • Admin, Developer, • Admin, Developer, • Admin, • Admin, Security Security Engineer, Security Engineer Manufacturing Engineer Manufacturing • New images result • Unchanging • Security audit only – • Full spectrum of from debug image(s) being keeps production design space changes installed floor intact, no other needed functions
  28. 28. Matrix of Features to Subscription Licenses Assembly FeaturesSubscriptions Full Manufacturing Static CreationProduct Activation √ √ √ √Configuration (locking/unlocking,network) √ √ √ √Licensing (activation, update) √ √ √ √Field Upgrade √ √ √ √Tamper and Activity Log (storing,retrieving) √ √ √ √Device Sanitization √ √ √ √Access Configuration (user group,users) √ √ √ √Security Configuration (firewall, key,event log) √ √ √ √Assembly Creation √ √Assembly Upgrade √ √Target Activity Log Retrieval √ √ √ √Manufacturing Process √ √ √
  29. 29. Features, Subscriptions, and Roles – Security Engineer Assembly FeaturesSubscriptions Full Manufacturing Static CreationProduct Activation √ √ √ √Configuration (locking/unlocking,network)Licensing (activation, update)Field Upgrade √ √ √ √Tamper and Activity Log (storing,retrieving)Device SanitizationAccess Configuration (user group,users)Security Configuration (firewall, key,event log) √ √ √ √Assembly Creation √ √Assembly Upgrade √ √Target Activity Log Retrieval √ √ √ √Manufacturing Process √ √ √
  30. 30. Features, Subscriptions, and Roles – Administrator Assembly FeaturesSubscriptions Full Manufacturing Static CreationProduct Activation √ √ √ √Configuration (locking/unlocking,network) √ √ √ √Licensing (activation, update) √ √ √ √Field Upgrade √ √ √ √Tamper and Activity Log (storing,retrieving) √ √ √ √Device Sanitization √ √ √ √Access Configuration (user group,users) √ √ √ √Security Configuration (firewall, key,event log)Assembly CreationAssembly UpgradeTarget Activity Log RetrievalManufacturing Process
  31. 31. Features, Subscriptions, and Roles – Developer Assembly FeaturesSubscriptions Full Manufacturing Static CreationProduct ActivationConfiguration (locking/unlocking,network)Licensing (activation, update)Field UpgradeTamper and Activity Log (storing,retrieving)Device SanitizationAccess Configuration (user group,users)Security Configuration (firewall, key,event log)Assembly Creation √ √Assembly Upgrade √ √Target Activity Log Retrieval √ √Manufacturing Process
  32. 32. Features, Subscriptions, and Roles – Manufacturer Assembly FeaturesSubscriptions Full Manufacturing Static CreationProduct ActivationConfiguration (locking/unlocking,network)Licensing (activation, update)Field UpgradeTamper and Activity Log (storing,retrieving)Device SanitizationAccess Configuration (user group,users)Security Configuration (firewall, key,event log)Assembly CreationAssembly UpgradeTarget Activity Log Retrieval √ √Manufacturing Process √ √ √
  33. 33. Cost Advantages of Flexera Software LicensingModel in Sentry• Reduces Manufacturing Cost (Single Version of Hardware)• Adds a Valuable Security Layer in User Activation• Operational Savings in Ease up Upgrade/Downgrade• Flexibility allows CPU Tech to Tailor Subscription Licenses to Customer• Protects CPU Tech and Customer Intellectual Property• Gets us Faster to Market, as we are only limited by hardware schedule
  34. 34. Example Cost Model to Customer Cost model allows customers to customize their licensing package and increase design security Design and System Requirements System Design Integration Manufacturing/Support Prototype Test Full Sentry Assembly Creation Manufacturing Example: Static – Two Yrs Fully Sentry (2 x $A) – Two Yrs Assembly Creation (2 x $B) – Three Yrs Manufacturing (3 x $C) – Five Yrs Static (5 x $D) Total Cost: $XYZ
  35. 35. Summary• Flexible Licensing helps customer with life-cycle security• Allows for cost and revenue model that matches customer process• Much of what were security „rules‟ to be enforced through audit are now enforced by fiat• Customers can play by our licensing rules within their secure facilities• Provides flexibility, cost reduction, and ease of upgrade/downgrade• Offers protection for intellectual property and revenue
  36. 36. Questions?Thank You!

×