Hardware-Enabled Security for Server Platforms: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases

Draft NIST Cybersecurity White Paper, Hardware-Enabled Security for Server Platforms: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases

In today’s cloud data centers and edge computing, there are three main forces that impact security: (1) the introduction of billions of connected devices and increased adoption of the cloud have significantly increased attack surfaces; (2) hacking has become industrialized with sophisticated and evolving techniques to compromise data; and (3) solutions composed of multiple technologies from different vendors result in a lack of coherent and consistent implementations of security controls. Given these forces, the foundation for a data center or edge computing security strategy should have a consolidated approach to comprehensively secure the entire hardware platform on which workloads and data are executed and accessed.

In the scope of this document, the hardware platform is a server (e.g., application server, storage server, virtualization server) in a data center or edge compute facility. The hardware platform represents the first part of the layered security approach. Hardware security can provide a stronger foundation than one offered by software or firmware, which can be modified with relative ease. Existing security implementations can be enhanced by providing a base-layer, immutable hardware module that chains software and firmware verifications from the hardware all the way to the application space or specified security control. In that manner, existing security mechanisms can be trusted even more to accomplish their security goals without compromise, even when there is a lack of physical security or attacks originate from the software layer.

This white paper explains hardware-based security techniques and technologies that can improve server platform security and data protection for cloud data centers and edge computing. The rest of this white paper covers the following topics:

• Section 2 provides an overview of hardware platform security.
• Section 3 discusses the measurement and verification of platform integrity.
• Section 4 considers protecting data in use, also known as confidential computing.
• Section 5 examines remote attestation services, which can collate platform integrity measurements to aid in integrity verification.
• Section 6 describes a number of cloud use case scenarios that take advantage of hardware-based security.
• Section 7 states the next steps for this white paper and how others can contribute.