
A Case for Embedded Hardware Security For Cloud Computing

By Joel P. Wittenauer
June 19, 2019

There are many different attack scenarios in cloud computing. Each layer in the cloud stack has the potential to expose a ruinous vulnerability. This includes the hosted applications, the virtualization environments, server hardware and other infrastructure necessary to support a cloud solution. These are the things that keep security-minded cloud service providers up at night.

To help alleviate some of these concerns, cloud service providers should demand that their vendors deliver best-in-class security for each layer of the system. The obvious question, however, is how one knows whether a vendor's security story is good enough. This article deals with some of the questions a cloud service provider can raise with its vendors to better protect its infrastructure from attack.

Evaluate Where You are Vulnerable

Since early 2018, a new class of server vulnerabilities has appeared in the form of CPU microarchitectural attacks. These include Spectre, Meltdown, Foreshadow, RIDL, Fallout and ZombieLoad. As CPU manufacturers try to reconcile the competing demands of high performance and security, they are likely to continue to struggle.

Mike Hamburg, a member of the Spectre team and a Rambus security researcher, is quoted as follows, “…beyond short-term solutions such as patching, the semiconductor industry should seriously consider designing chips that run sensitive cryptographic functions in a physically separate secure core, silo-ed away from the CPU. This design approach will go a long way in helping to prevent vulnerabilities that can be exploited by Meltdown and Spectre.”

The quote above is a call for CPU vendors to look for different means of protecting security-critical assets from microarchitectural attacks. The current crop of defects all stem from CPU design features, chiefly speculative and out-of-order execution, that were intended to increase throughput for demanding workloads. The fixes that mitigate some of these flaws reduce that throughput. What are CPU vendors doing to fix these issues while maintaining the performance required to host demanding cloud services?

Beyond the server CPUs that run the virtualized environments hosting cloud applications, a server contains many other processors in its subsystems, each executing its own firmware: the disk controller, the network controller, the baseboard management controller (BMC) and other components. How can one be sure that the proper firmware is executing on each of these subsystems? How does one know whether a subsystem is leaking system secrets to attackers?

Beyond server-level security, cloud platform providers should be asking the vendors of their other network infrastructure what they are doing to secure that hardware. Like the many server subsystems, network appliances and other equipment have their own processors and firmware. Again, it is up to the cloud service provider to ask the right questions of its vendors to understand the security risks to its infrastructure.

Hardware Root of Trust

One critical capability that cloud service providers should ask about is the inclusion of a hardware root of trust in their equipment. A properly designed hardware root of trust can be the central component in solving many of the issues described above.

The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce describes roots of trust as follows: “. . . many roots of trust are implemented in hardware so that malware cannot tamper with the functions they provide. Roots of trust provide a firm foundation from which to build security and trust.”

Hardware roots of trust can be used in many different cloud infrastructure security applications. For example, a hardware root of trust can be used to securely boot the firmware of components in a server, in network equipment and in other parts of your infrastructure. The same hardware root of trust can also be used to secure firmware updates for those components.
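As an added illustration, and not code from this article or from Rambus, the following Go program models the checks a root of trust performs when it securely boots a subsystem's firmware and when it accepts a firmware update, together with the measurement register that later lets one attest which firmware actually ran (the question raised above about disk, network and BMC firmware). The image layout, the field names and the root-of-trust state (a fused hash of the vendor key, a monotonic anti-rollback counter and a measurement register) are assumptions chosen for the example, not any vendor's real format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not a real vendor format):
//   magic[4] | version uint32 LE | payloadLen uint32 LE | payload | ed25519 signature (64 bytes)
// The signature covers everything before it.
var imageMagic = [4]byte{'R', 'O', 'T', '1'}

const sigLen = ed25519.SignatureSize

// RootOfTrust models the state a hardware root of trust keeps outside the host CPU:
// the hash of the authorized signing key (as if burned into OTP fuses), a monotonic
// minimum-version counter and a measurement register that is extended, never overwritten.
type RootOfTrust struct {
	KeyHash     [32]byte
	MinVersion  uint32
	Measurement [32]byte // PCR-style: M' = SHA-256(M || SHA-256(image))
}

func NewRootOfTrust(pub ed25519.PublicKey) *RootOfTrust {
	return &RootOfTrust{KeyHash: sha256.Sum256(pub)}
}

// BuildImage is the vendor-side signing step; it runs in the vendor's release pipeline, not on the device.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := new(bytes.Buffer)
	buf.Write(imageMagic[:])
	binary.Write(buf, binary.LittleEndian, version)
	binary.Write(buf, binary.LittleEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage does what a secure-boot stage must do before transferring control: parse
// conservatively, confirm the presented key is the fused key, verify the signature over
// header and payload, then enforce anti-rollback. Returns the parsed version and payload.
func (r *RootOfTrust) VerifyImage(pub ed25519.PublicKey, img []byte) (uint32, []byte, error) {
	const hdrLen = 4 + 4 + 4
	if len(img) < hdrLen+sigLen {
		return 0, nil, errors.New("image too short")
	}
	if !bytes.Equal(img[:4], imageMagic[:]) {
		return 0, nil, errors.New("bad magic")
	}
	version := binary.LittleEndian.Uint32(img[4:8])
	payloadLen := binary.LittleEndian.Uint32(img[8:12])
	if uint64(hdrLen)+uint64(payloadLen)+sigLen != uint64(len(img)) {
		return 0, nil, errors.New("length field does not match image size")
	}
	// The key hash check also guarantees pub has the right length before ed25519.Verify sees it.
	if sha256.Sum256(pub) != r.KeyHash {
		return 0, nil, errors.New("signing key is not the fused key")
	}
	signed, sig := img[:hdrLen+int(payloadLen)], img[hdrLen+int(payloadLen):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, errors.New("signature verification failed")
	}
	if version < r.MinVersion {
		return 0, nil, fmt.Errorf("rollback: version %d < minimum %d", version, r.MinVersion)
	}
	return version, img[hdrLen : hdrLen+int(payloadLen)], nil
}

// Boot verifies an image and extends the measurement register so that a remote verifier
// can later check which firmware was loaded.
func (r *RootOfTrust) Boot(pub ed25519.PublicKey, img []byte) error {
	if _, _, err := r.VerifyImage(pub, img); err != nil {
		return err
	}
	h := sha256.Sum256(img)
	r.Measurement = sha256.Sum256(append(r.Measurement[:], h[:]...))
	return nil
}

// Update accepts a new image only if it verifies and strictly increases the version, then
// advances the anti-rollback counter so the previous image can never boot again.
func (r *RootOfTrust) Update(pub ed25519.PublicKey, img []byte) error {
	version, _, err := r.VerifyImage(pub, img)
	if err != nil {
		return err
	}
	if version <= r.MinVersion {
		return fmt.Errorf("update rejected: version %d must exceed %d", version, r.MinVersion)
	}
	r.MinVersion = version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rot := NewRootOfTrust(pub)
	v1 := BuildImage(priv, 1, []byte("bmc firmware v1")) // constructed sample payloads
	v2 := BuildImage(priv, 2, []byte("bmc firmware v2"))
	fmt.Println("boot v1:", rot.Boot(pub, v1))
	fmt.Println("update to v2:", rot.Update(pub, v2))
	fmt.Println("boot v1 after update:", rot.Boot(pub, v1)) // rejected as a rollback
	tampered := append([]byte{}, v2...)
	tampered[12] ^= 0xff // flip one payload byte
	fmt.Println("boot tampered v2:", rot.Boot(pub, tampered))
}
```

Two design points carry over to real hardware: the counter is only advanced by a successful Update, never by Boot, so a signed but older image still loads until an update has been committed; and the measurement register is extended rather than set, so a later stage cannot erase evidence of what booted before it.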

Looking beyond firmware boot and update security, hardware roots of trust can be used for secure key management, cryptographic algorithm acceleration, cryptographic protocol support and many other applications. A hardware root of trust that is programmable, so that it can support many different applications, increases the value of your investment.

Modern, state-of-the-art hardware roots of trust have their own CPU that executes applications in support of the platform. These roots of trust must also provide mechanisms for isolating security assets between applications. For example, one likely does not want the cryptographic accelerator application to have access to the secure firmware update assets, and vice versa.

Returning to Mike Hamburg's quote above, hardware roots of trust can also help with the microarchitectural attacks plaguing the industry today. Given the proper software ecosystem support, critical security functionality can be offloaded to a hardware root of trust. A root of trust designed from the ground up with security in mind, in particular one whose core does no speculative execution and shares no caches or buffers with the host CPU, is not exposed to the same class of attack as the host processor; it still has to be evaluated against side channels of its own, such as timing and power analysis. Keys managed and used inside the root of trust are never present in host memory, so a host-side speculative-execution leak cannot expose them.
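To make the isolation and offload points concrete, here is an added example (not the article's or any product's code) of the interface a root-of-trust key service can expose to the applications running on it: callers receive opaque handles and operation results, never key material, and every handle is bound to one owning application and one usage. The application names fw-update, attest and host-crypto and the API shape are assumptions for this example; the point is that the cryptographic accelerator application cannot reach the firmware-update or attestation keys even though all three run on the same root of trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AppID names an application running on the root of trust. The three IDs below are
// constructed for this example and are not a real product's application names.
type AppID string

const (
	AppFirmwareUpdate AppID = "fw-update"   // owns the vendor's firmware verification key
	AppAttestation    AppID = "attest"      // owns the device attestation signing key
	AppHostCrypto     AppID = "host-crypto" // accelerates host requests; owns host keys only
)

// Usage binds a handle to one purpose, so a key authorized for verification cannot be
// borrowed to sign arbitrary data and vice versa.
type Usage uint8

const (
	UsageSign Usage = iota + 1
	UsageVerify
)

type Handle uint32

type keySlot struct {
	owner AppID
	usage Usage
	priv  ed25519.PrivateKey // nil for verify-only slots; never returned by any method
	pub   ed25519.PublicKey
}

// KeyService is the only interface other applications (and the host) see. It hands out
// opaque handles and results, never key material, so there is no export path at all.
type KeyService struct {
	slots map[Handle]*keySlot
	next  Handle
}

func NewKeyService() *KeyService {
	return &KeyService{slots: map[Handle]*keySlot{}, next: 1}
}

// GenerateSigningKey creates a private key in place and binds it to the caller.
func (s *KeyService) GenerateSigningKey(caller AppID) (Handle, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, nil, err
	}
	return s.add(&keySlot{owner: caller, usage: UsageSign, priv: priv, pub: pub}), pub, nil
}

// ImportVerifyKey provisions a public key (for example the firmware vendor's) for one application.
func (s *KeyService) ImportVerifyKey(caller AppID, pub ed25519.PublicKey) (Handle, error) {
	if len(pub) != ed25519.PublicKeySize {
		return 0, errors.New("bad public key length")
	}
	return s.add(&keySlot{owner: caller, usage: UsageVerify, pub: pub}), nil
}

func (s *KeyService) add(slot *keySlot) Handle {
	h := s.next
	s.next++
	s.slots[h] = slot
	return h
}

// lookup enforces the isolation policy. Missing and foreign handles yield the same error
// so one application cannot probe another application's handle space.
func (s *KeyService) lookup(caller AppID, h Handle, usage Usage) (*keySlot, error) {
	slot, ok := s.slots[h]
	if !ok || slot.owner != caller {
		return nil, errors.New("no such key")
	}
	if slot.usage != usage {
		return nil, fmt.Errorf("handle %d is not authorized for this operation", h)
	}
	return slot, nil
}

// Sign uses the private key inside the service; the caller only receives the signature.
func (s *KeyService) Sign(caller AppID, h Handle, msg []byte) ([]byte, error) {
	slot, err := s.lookup(caller, h, UsageSign)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(slot.priv, msg), nil
}

// Verify checks a signature with a verify-usage key owned by the caller.
func (s *KeyService) Verify(caller AppID, h Handle, msg, sig []byte) (bool, error) {
	slot, err := s.lookup(caller, h, UsageVerify)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(slot.pub, msg, sig), nil
}

func main() {
	svc := NewKeyService()
	ah, apub, _ := svc.GenerateSigningKey(AppAttestation)
	quote := []byte("measurement||nonce") // constructed stand-in for an attestation payload
	sig, _ := svc.Sign(AppAttestation, ah, quote)
	fmt.Println("attestation signature valid:", ed25519.Verify(apub, quote, sig))
	_, err := svc.Sign(AppHostCrypto, ah, []byte("forged quote"))
	fmt.Println("host-crypto using the attestation key:", err)
}
```

A real root of trust would enforce the owner check in hardware or in a privileged kernel rather than in the same address space as the applications, and would add usages such as key wrapping and per-key use limits; the access-control shape, however, is the same.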

Conclusion

Cloud service providers have a lot on their minds when it comes to securing their solutions. To alleviate some of these concerns, they must demand the latest security solutions from their vendors. The vendor of each layer of the cloud platform must be able to explain how it is staying on the cutting edge of security technology.

These security solutions should include hardware roots of trust. Beyond simply including a hardware root of trust in a product, cloud equipment vendors must also be able to explain how it is used, and how cloud service providers can take advantage of it themselves.

After collecting vendors' answers on how they are or are not using hardware roots of trust, cloud service providers can better assess their security risks. They can then put a plan in motion to move to vendors who meet their security requirements.


Joel Wittenauer is the Embedded Software Product Architect for the Cryptography Products Group at Rambus, located in San Francisco, CA. He has been with Rambus since 2013. His primary areas of focus have been anti-counterfeiting, IoT security and hardware roots of trust. A graduate of the Speed Scientific School at the University of Louisville, Joel has over 20 years of experience in embedded software development, with nearly 15 of those years focused on embedded security solutions.
