Solving Enterprise Security Challenges

This article is sponsored by Intel

Intel® just launched its 4th Generation Xeon® Scalable processor, which is geared towards its Enterprise customer base. To learn more about how Intel solves enterprise security challenges, I had a conversation with Brian Richardson, who is the Security Marketing Lead for Intel Data Center & AI (DCAI) Marketing Product Strategy.

The key takeaways of the conversation are as follows:

· The main challenges that enterprises face in securing their infrastructure are the increasing number of cyberattacks, increasing regulation, and increased security spending. The traditional software approach to cyber security is no longer enough to stop attacks, which are becoming increasingly sophisticated.

· Confidential computing is a newer approach to protect data when it is in use, not just at rest or in transit, which is being focused on by Intel and the industry.

· The fourth-generation Intel Scalable Processor addresses enterprise security needs by using technology, such as Intel SGX, or Software Guard Extensions, to protect data in use.

Avrohom: One of the topics on everyone’s minds is security. As you know, data breaches are, unfortunately, a very common occurrence, and with that comes the risk of ransomware shutting down businesses and public services, not to mention the damage done to its reputation, which is virtually incalculable. With that on our minds, what are some of the challenges enterprises face when it comes to securing their infrastructure?

Brian: Most enterprises are concerned about three things. One, is the increasing number of cyberattacks. Two is increasing regulation, and the third would be the increase in overall security spending. So, if you look at different metrics on what people are calling a cybercrime economy, Mainstream technologies did a study last year and estimated that the entire cybercrime economy is about $1.2T. And attacks are getting more sophisticated. So, most people try to take a software approach to stopping attacks or putting up a cyber security perimeter. The problem is that the attacks are now so sophisticated that they’re hard to stop with software alone. In 2019, Sophos did a study and reported that 75% of companies that had been attacked by ransomware were running some kind of data protection, and it was up to date!

So, now we’re getting into the second factor, which is regulation. Because of all the different issues that we’ve had with data privacy and data protection, we’re seeing a lot of new four-letter words entering the vocabulary of CISOs. Such as GDPR (General Data Protection Regulation), NIST (National Institute of Standards and Technology), and Pipl (an identity trust company). There are new executive orders coming out every year. HIPAA regulations are still in place, and if you do payments, you have to worry about PCI (Payment Card Industry) compliance for payment processors.

And now you’re getting into just overall increased spending on cyber security. Last year’s estimated worldwide spending on cyber security was $133.8B.

So, those are the kinds of things that every industry is facing. There is a big cyber security issue. There is a lot of focus on it from a spending and defense standpoint, but a lot of the traditional tactics of just putting up malware detection or virus protection, most of the attacks are now really beyond that scope.

Avrohom: Sure, and as we evolve our technologies, the bad guys evolve their technologies, as well. So, what are some of the ways enterprises go about solving their security challenges?

Brian: In the data center, the challenge is that you have people that are doing on-premises work and they’re migrating things towards the cloud. And, when you have both of those issues, whether you are the controller of the machine in its entirety, in a standard enterprise environment, or you’re moving to a cloud service and you’re relying on a third party to provide the hardware and the infrastructure, our customers are concerned about four major areas, and we address all of those in our Xeon products.

You have platform integrity, safe software behavior, crypto acceleration, and confidential computing. So, if you look at Platform integrity, that’s where people get into a lot of things like Root of Trust, which is an essential component of a zero-trust strategy. So, you’re trying to confirm, is this platform, the platform you expected? Verification of that platform at its barest level whether its firmware, hardware, or basic configuration, is a big part of platform integrity.

Safe software behavior is preventing common attacks. So, if you look at stack behaviors, you’re trying to prevent people from using stack manipulation, to take known good software, and basically ransom-letter it together like an old magazine cut out into something malicious.

And crypto acceleration is making sure that you can accelerate your infrastructure when you up your encryption strength, or up the basic power of the keys that you’re issuing to your customers.

We’ve all heard about the whole post-quantum problem where quantum computers one day, will probably be able to crack keys of things that are signed securely today. So, upping that key strength is important. And you want to be able to have some kind of offload processor, like Intel’s QAT (Quick Assist Technology), that allows you to take the increased burden of that off the host CPU.

The fourth one, which is the one I really want to focus on is confidential computing, because this is kind of a newer approach that we’re taking at Intel and within the industry to protect data when it’s in use, not just at rest or in transit. We’re good at protecting data at rest. With SSD encryption, we’re really good at protecting in transit with HTTPS and other encryption protocols. But in use, typically you have to unencrypt the data. And that’s an area that we want to focus on. Because I think that that kind of change in the way that we do data protection and use is going to unlock a whole new set of industries and a whole new set of business opportunities.

Avrohom: So, Brian, how does the fourth-generation Intel scalable processor address enterprise security needs?

Brian: If you look at something like confidential computing, we’ve had technology in play for a while called Intel SGX, or Software Guard Extensions. And that is designed to protect data in use through the idea of a trusted enclave. Everything in confidential computing runs off that backbone of “this is a hardware-enforced area”. We’re using isolation to keep the data that’s in process inside of that Trusted Execution Environment. And that’s done through hardware and software enforcement. So, only authorized software has access to the data inside that Trusted Execution Environment.

With something like SGX, that trusted enclave happens at an application level. With the newer technology we’ve included, the Trust Domain Extensions, or Intel TDX, it happens at a VM level.

So, it depends on the sliding scale of how secure your data needs to be, and what kind of regulations or constraints do you have. And a lot of the things that go into the hardware behind the fourth-gen Xeon, are designed with these two concepts in mind.

Even though SGX has been around since 2015, we’ve managed to enhance the level of isolation, and also work on a number of different software partner solutions and open-source solutions that make it easier for people to take advantage of that.

And then everything else in the platform, from the platform integrity to safe software behavior, supports the overall safe operation of that platform. So, it’s really just taking the kind of concepts that we’ve had in play for platform integrity. I used to work on firmware quite a lot. So things like Intel Boot Guard or platform firmware resiliency make sure that that first code to run on the platform is in the state you expect it to be. Establish that base root of trust, so that everything else, the safe software behavior, the crypto acceleration with things like QAT and our other processor extensions, are there to support a known good platform that confidential computing can run on top of.

Avrohom: This sounds like a lot of great information. Can you share some case studies of it in action?

Brian: The case studies that come to mind, we do a lot of things with confidential computing in areas where there’s heavy regulation. So, think about healthcare, financial services, and government applications. The two I want to focus on, one is in an automated driving scenario. So, this is confidential AI, where you have an AI and machine learning algorithm, you want to train it, but the data that you’re working with has some personally identifiable information or PII in it. In the driving use cases, when you go out into a city street and decide that you need to capture video, you’re going to get people’s faces, you’re going to get mailboxes, you’re going to get license plates. So, you have to be able to separate that data and store it differently.

If you’re working with a company like Bosch, all of that falls under GDPR in their automated driving training system. They can’t just blur it out. You can’t blur out the number plates because the AI that learns how to drive the car doesn’t know what a license plate looks like, which can help them identify a vehicle. If you blur out faces, then I don’t really have smooth face anymore, because of all that firmware I used to write. I don’t want people with age lines like me to get run over in the street, because it was only trained on blurred out faces. So, what Bosch does in their system is they separate it out like Photoshop layers, and they keep all the personally identifiable stuff in an SGX enclave. This allows them to meet all of the regulatory compliance issues they have with GDPR. But at the same time, meet all the automotive safety issues that they need to solve for that regulatory environment by making sure that that full data can be reassembled when they use it to train their customer’s platforms.

The other is a medical use case with UC San Francisco. They wanted to do collaborative research between different health institutions. The problem with that is that HIPAA regulations in the US make that extremely difficult to do. You can’t just take multiple databases and kind of shove them together. Because you end up then mixing data and potentially exposing a dataset from one hospital to the other. So, they partnered with BeeKeeperAI to create a system that patient information is pooled, and then it’s only combined inside of the Intel SGX enclave during the training process. So, the data is anonymized on its way in, but the enclave keeps the data private from other parties and maintains that HIPAA compliance. So now they get the benefit of absorbing data from multiple institutions but staying within the regulatory envelope. And that’s the thing I think is most exciting about confidential computing, in general, whether you’re doing it with Intel SGX, or Intel TDX, is you now have these opportunities when people move into cloud environments or want to share and collaborate on data, you’re able to share that in a way that doesn’t bring a privacy or regulatory risk into that environment.

Avrohom: I know somebody that is working on a collaborative solution in Healthcare, and these are some of the challenges, because if you think about it, the more we pool our data together, the better we all are as a society. So, it’s great to see that there are solutions that are coming out there that enable us to do collaborations like that.

Brian: Right. I mean, the lawyers want me to say no system is absolutely secure. But what we can do with technologies like confidential computing, is make sure that we are reducing that overall risk and making sure that people don’t skip a business opportunity, because they fear that there’s a regulatory issue or a privacy issue. We want people to be able to take advantage of moving things to the cloud, and scaling their stuff up. But we want them to do it in a way that provides the best constraints so that they can operate in those environments and not fear regulation. We don’t want them to fear the concern of what’s going to happen to them if they move into a business model. Right now, they’ve got a framework that allows them to look at the data compliance, look at the regulatory environment and say, yes, I still can scale this and take full advantage of the technology.

Avrohom: I see this as a huge game changer in the industry. So, Brian, how can people connect with you to learn more about the fourth-generation Xeon, scalable processor, and also to connect with you?

Brian: Well, to connect with me personally, I’m on LinkedIn, and Twitter. My Twitter handle is @Intel_Brian, and you can just look for Brian Richardson. I’m the one that works at Intel. If you want to learn about this technology, I recommend you go to https://intel.com/ConfidentialComputing. That’s a good primer on the background behind confidential computing and the different technologies we offer to support that.

Avrohom: Brian, do you have any parting words of wisdom that you’d like to share with the audience?

Brian: I think there’s two things to think about. Right now, a lot of people are looking at transitioning from an on-prem model to a cloud or services model. A lot of it is a transformation from capital expenditure to operational expenditure. So, if you see capex to opex, in some trends slide, that’s what we’re talking about. When you do that, evaluate your needs. Whether it’s data sensitivity, regulations, or compliance, and think about the hardware running on the service. A lot of things that when they get “SaaS-ified”, as I call it, they think the hardware disappears because they don’t interact with it. Hardware is extremely relevant to software outcomes, whether it’s acceleration or enforcement of security boundaries.

And the second is, I hate to say this about my own job, but security is not sexy. It’s infrastructure. We’re talking about plumbing. And I do a lot of hobby work on my house in my barn, and I found out that plumbing is really important, especially if someone before you doesn’t do it well, and you have to go back and refactor everything. It’s really messy. So, think about stable foundations when you work on stuff. I know we’re all going for the coolest trend and the kind of shiniest object on the roadmap. But don’t forget the infrastructure that lies behind it and make sure that you’re building on something that is stable enough to scale to your needs and secure enough to meet your requirements.

Learn more about the Intel® 4th Generation Xeon® Scalable processor:

4th Gen Intel® Xeon® Processors

New 4th Gen Intel® Xeon® processors have the most built-in accelerators to improve performance in AI, analytics…

www.intel.com


About the Author


Avrohom Gottheil is the founder of #AskTheCEO Media, where he helps global brands get heard over the noise on social media by presenting their corporate message using language people understand.


Avrohom presents his clients as Thought Leaders, which challenges his audience to reimagine their own mission and vision, delivering actionable insights, and leaving them passionate, motivated, and with the necessary tools to take immediate action.


Avrohom comes from a 20+ year career in IT and Telecom, where he helped businesses around the world install and maintain their communication systems and contact centers. He is a Top-ranked global expert in IoT, AI, Cloud, and Cybersecurity, followed worldwide on Twitter, and a frequent speaker on leveraging technology to accelerate revenue growth.


Listen to him share the latest technology trends, tools, and best practices for IoT, AI, Cloud, Cybersecurity, and more on the #AskTheCEO podcast — voted as the #1 Channel Friendly Podcast 2019 by Forrester.


Contact Avrohom:

Web: https://asktheceo.biz

LinkedIn: https://www.dhirubhai.net/in/avrohom-gottheil/

Facebook: AvrohomGottheil

Twitter: @avrohomg

Instagram: @avrohomg

Enrico Molinari

| Head of Innovation & ESG Tech Transfer | Prof. in Fintech, Marketing Management, GovTech & Generative AI | Top 5 Global Fintech Insurtech Marketing Influencer to follow 21-22-23-24 |

1 year ago

Excellent insights Avrohom

Janet Schijns

Go To Market and Profitable Growth Expert * Board Member * Audit Committee * CEO* Ecosystem Growth Expert* Megacosm Guru * Executive Leadership and Governance * Security * Mobility *Edge Compute *Collaboration

1 year ago

Great share

Chuck Brooks

Named "Top Tech Person To Follow" by LinkedIn, Voted "Cybersecurity Person of the Year" Cited Top 10 Global Tech & Cyber Expert & Influencer, Georgetown U Prof, 2X Presidential Appointee, FORBES Writer, 120k LI Followers

1 year ago

Excellent article Avrohom!
