Start-ups lean hard on CPU-based security technology to protect virtual environments
- — 15 July, 2013 20:15
The idea of relying on the server or desktop central processing unit (CPU) as the key part of a security scheme is getting more attention as a number of start-ups are using the technology to protect virtual systems.
Take start-up PrivateCore, for example, co-founded by Oded Horovitz, its CEO, along with Steve Weis, CTO, and Carl Waldspurger as adviser. The start-up has come up with what it calls its vCage software that relies on the Intel Xeon Sandy Bridge CPU as the trusted component to encrypt data in use.
"Their CPU is loaded with security," says Horovitz about the Intel Sandy Bridge processor. PrivateCore has created its vCage software for secure processing through means of Intel Sandy Bridge-based servers in cloud environments, first off in infrastructure-as-a-service (IaaS).
Horovitz was formerly a lead security engineer at VMware as was Waldspurger, who joined with Weis, formerly on Google's security team focusing on crypto, to found the Palo Alto, Calif.-based firm in 2011. PrivateCore's main argument is that the latest CPU technologies should be the foundation for data processing of encrypted data.
The challenge in processing encrypted data is "the problem with having to decrypt to do processing," points out Horovitz. The vCage approach, based on the Intel CPU Sandy Bridge, makes use of the Intel Trusted Execution Technologies and Advanced Encryption Standard algorithm to perform the processing in RAM. This can be done with Intel Sandy Bridge because there's now about 20MB of cache available, enough to get the job done, says Horovitz. The data in question is only unencrypted in the CPU.
PrivateCore's vCage approach is being tested now by infrastructure-as-a-service providers, and some enterprises in virtualized data centers, according to PrivateCore's co-founders. PrivateCore has developed a key-management system for vCage but is also eyeing integration with existing key-management systems. PrivateCore has received $2.4 million in venture-capital backing from Foundation Capital.
Another start-up, Bromium, also makes a strong argument about the value of the CPU for security.
Bromium has a desktop anti-malware protection approach based on a specialized security-oriented hypervisor that relies on machine CPU as the bedrock for isolating malware and attack code. Called vSentry, it lets malware and attack code be simply tossed when the Web browser is closed. Simon Crosby, CTO at Bromium, strongly believes that the use of hardware-based CPU is where the future of security is headed. Crosby adds: "It's hard to break the CPU."
The company now counts the New York Stock Exchange, BlackRock and ADP as technology adopters. Bromium has gotten $35.5 million in venture-capital funding from a number of investment firms, including Andreessen Horowitz. Not surprisingly, Intel Capital is among them, too.
At processor manufacturer and Intel rival Advanced Micro Devices (AMD), Ron Perez is senior fellow and senior director of security architecture. He discussed some of AMD's latest steps to optimize AMD CPU for security purposes.
The rise of mobile computing and electronic payments is leading to an era where hardware-based processing can help protect transactions. Perez says AMD has licensed a technology called TrustZone from ARM that was developed to secure mobile payments and streamed content. TrustZone has won support from several third-party vendors.
Last December, the joint-venture firm Trustonic was announced by three partners, ARM, security firm Gemalto and security company Giesecke & Devrient, which is active in the financial industry, to put forward crypto technology embed in integrated circuits that can be turned on to enable many types of security functions. Companies supporting Trustonic include Symantec, Samsung and MasterCard International.
"We're going to include it in our processors going forward," says Perez about ARM's TrustZone technology. "We wanted an open approach as opposed to a proprietary approach."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org
Read more about wide area network in Network World's Wide Area Network section.