Originally published 2/23/2021 by Intel Tech
Author: Tom Garrison, VP & GM of Client Security Strategy & Initiatives
Keeping your organization’s infrastructure secure is a challenge. In addition to monitoring new attacks to see if they threaten the security of the products you make, the Chief Information Security Officer (CISO) must also survey the security of their own compute infrastructure — the base from which employees operate, collaborate, develop, and build the portfolio.
Today’s CISO has to consider several key compute assurance issues:
- How can CISOs be confident the compute devices their employees are using arrive secure and that they stay secure?
- How can CISOs keep up with the necessary updates, new technology, and emerging security threats, while still managing the other things on their plate?
- How can CISOs minimize supplier security risks when they can’t physically be with the product from design to delivery?
- How do CISOs ensure product and system security from design to EOL?
Today, I am going to talk about some of these compute assurance challenges and how Intel is helping CISOs address them.
Challenge: Transparency, Traceability, and Tamper Detection in the Compute Supply Chain
Modern supply chains are complex. By the time a final product is delivered, it has likely changed hands multiple times, and each party in the supply chain may have a different security and privacy model for protecting product and customer data. Some in the supply chain likely have mature product assurance and confidentiality processes and tools, and others likely do not. Nevertheless, you are expected to assure the security of compute systems — which includes their entire supply chain, not just the last step of it. How can you gain the knowledge to be confident in doing so?
There are a couple of key elements to assurance in any supply chain. The first are tracking and tracing, and the second is tamper detection. These often require additional resources and processes that can strain manufacturers. Tracking and tracing helps establish origin and protect against counterfeit. Tamper detection involves measuring the state of a product at various places in the supply chain — a snapshot of key ingredients such as firmware versions, that can help identify any foul play. The challenge is to scale up the ability and willingness of those within the supply chain to increase transparency of these two elements. That is, make it easy.
How Compute Lifecycle Assurance Helps CISOs Address These Challenges
Compute Lifecycle Assurance (CLA) is an is an initiative led by Intel to drive the industry to align design, and deploy solutions intended to help CISOs. These solutions are intended to assess and assure the security of a device, component, platform, or system throughout the compute lifecycle, from ‘security-first’ design and build to retirement. It separates the lifecycle into four major categories (build, transfer, operate, retire) and articulates for each a collection of governance, processes, tools, and technologies. These sometimes include products, such as Transparent Supply Chain, that automates the tracking and tracing of key components and facilitates the comparison of a system or component at various stages of its journey to detect unrequested changes.
Compute Lifecycle Assurance Framework
Here are some considerations the Compute Lifecyle Assurance framework proposes, and a few options that the product Transparent Supply Chain helps address today:
- Threat modeling and design of product architecture for security.
- Partnership with companies to drive supply chain transparency and hold suppliers to strict security standards. For example, we have worked extensively with Lenovo on innovations in supply chain security.
- System and component level traceability through Transparent Supply Chain.
- Digital proof of product origin with Transparent Supply Chain by linking platform certificates to the Trusted Platform Module (TPM).
- Help ensure authenticity of a platform with Transparent Supply Chain’s digitally signed statement of conformance.
- Tamper detection on first boot with Transparent Supply Chain to alert you to any changes from the original design.
- Participation in the definition of Industry standards supply chain security with organizations such as NITSC and TCG.
There is a lot to consider. Beginning with a framework that breaks down considerations by lifecycle phase, and recommends processes, tools, and sometimes products within those phases to help increase assurance while reducing the burden on IT can help.
To learn more about CLA and how it is helping CISOs address security challenges, check out our Introduction to Compute Lifecycle Assurance whitepaper or the CLA home page. For additional information about security, listen to my interview with CRN’s Jennifer Zarate “Why Supply Chain Security Is Critical For the Channel”. And check out intechnology.intel.com for a list of podcasts and YouTube videos. Content includes topics from security careers, supply chain security, AI, NLP, digital transformation, and more. Follow me on Twitter at @tommgarrison.