The irony around this topic in the middle of the coronavirus scare – when more of us are working remotely through the cloud – is not lost on me. Nevertheless, ingrained beliefs move slowly so it’s still worth shedding further light. There is a tribal wisdom among chip designers that what we do demands much higher security than any other conceivable activity and can only be handled safely in our in-company datacenter.
At one time, this demand was reasonable. In-house IT/IS worked hard to limit access, hackers weren’t too sophisticated and nation-state hacking wasn’t a thing (as far as we knew). But when it comes to security, cloud capabilities have been racing ahead and your IT/IS group, with the best will in the world, is hopelessly outmatched. If you work for the NSA or CIA on air-gapped systems you may still be more secure; otherwise we might want to revisit those cherished beliefs.
Sometimes our beliefs are so ingrained they defy reason. Dan Ganousis (VP sales and marketing at Metrics) told me he recently talked to three design verification teams at one of the largest cloud providers, who told him that they could never put their IP in the cloud because it isn’t sufficiently secure. Seriously? They work for one of the largest cloud services providers in the world. Everyone else is moving to the cloud – retail, banks, financial services, trading, legal services, medical records, the DoD. But design IP supposedly requires higher security than those do? And it’s OK that they as employees of that provider don’t trust that security but everyone else should?
That one’s good for a laugh but there are more serious reasons we need to wake up and smell the coffee. One is simply engineering horsepower. Who is going to build more secure datacenters, a trillion-dollar company with a cloud service business as a major component of its revenue or a much smaller company in which IT/IS is a small component of cost, not even revenue? Sure, the cloud providers started out behind, but they’ve had a long time to catch up, they can afford to recruit the best of the best and they’re constantly pushed by a wider range of customer and security demands than our datacenters will ever be.
Another is liability. Ask your legal department about the contracts they have signed with your IP providers. Those contracts require that the company provide best efforts in ensuring their IP data is kept secure. This is legal-speak requiring that the efforts they make will be at least as good as the best efforts that can be found in any company, not just in companies like ours.
Back in the day, that was pretty subjective. We could make a list of all the things we were doing to ensure our IP provider data was secure, everyone would look at the list, say “wow, long list, we’re impressed” and that would be good enough. But now there are objective benchmarks – the cloud providers. Anyone can go to these websites and download their security provisions.
Are we doing as much as Microsoft, Amazon, Google, IBM and others, including what they recommend as best practices? Point by point? If not, we are not making best efforts according to a legally supportable definition of that term, and we’re in violation of the contract. Ultimately this isn’t something we engineers get to decide; it’s a decision more likely to be made by the CEO, the board and consulting counsel.
Then think about what our company has moved to the cloud over the last three years. HR has HIPAA (health insurance) data and payroll there. They have our resumes there and the NDAs we signed. Finance has stock grants, contracts, accounts. Everything critical to the business – stuff that both financially and legally the company and its employees cannot afford to have hacked – it’s all in the cloud, apart from our design.
About that design. When a company signs a sales contract with a customer, part of that contract covers escrow, a requirement that we deposit all our design data, software, documentation, test suites and so on in some safe place. This provides customers with an option, if disaster hits, to retrieve the data so they can continue to support whatever they bought from us and can make new versions themselves or through some other provider if needed.
Escrow is a serious legal business. Cloud-based escrow even has a name: Escrow as a Service (EaaS). So all our design crown jewels are already in the cloud, at least for past designs.
So next time any of us want to argue that we can’t do verification or whatever in the cloud because it’s not secure? No – just no. Once reasonable, security concern as a defense has become the veritable Monty Python parrot – kicked the bucket, shuffled off this mortal coil, gone to meet its maker and joined the choir invisible. Funny, but very out of touch.
Metrics provides cloud-based verification. You might want to check them out.