WP_Term Object
(
    [term_id] => 654
    [name] => Sidense
    [slug] => sidense
    [term_group] => 0
    [term_taxonomy_id] => 654
    [taxonomy] => category
    [description] => 
    [parent] => 14433
    [count] => 44
    [filter] => raw
    [cat_ID] => 654
    [category_count] => 44
    [category_description] => 
    [cat_name] => Sidense
    [category_nicename] => sidense
    [category_parent] => 14433
    [is_post] => 1
)

NVM central to multi-layer trust in cloud

NVM central to multi-layer trust in cloud
by Don Dingee on 04-21-2014 at 4:00 pm

Pop quiz: Name one of the hottest applications for non-volatile memory – A) processor and code configuration; B) RFID tags; C) secure encryption keys; D) all the above. The answer is D, but not in the way you may be thinking; a new approach is using all these ideas at once, combined in SoC designs targeting advanced security for cloud-based computing.

Humans poking around the web pose a basic set of trust problems. Many routine transactions involve a person aiming a browser at a URL. Common threats involve a machine masquerading as something else, seeking to gain information presented by an unsuspecting user, or joining a network with permissions granting unauthorized access. Spoofing a URL, IP address, or a digital certificate are fairly common approaches to gain false trust online.

The cloud adds a layer of complexity to trust, however. As compute resources distribute and scale, free from the walls of a single data center, it is becoming nearly impossible for a user to tell where their transaction is actually going. Is the server in Kathmandu the right one, or is it the one in Timbuktu? Both could be completely legitimate – or totally bogus. The cloud has made geo-location by itself all but useless in determining authenticity and trust.

A new idea for server authentication is postulated in research from Digital Authentication Technologies and Intel, blending technologies in a next-generation approach to trusted computing for the cloud. One of the latest approaches to access security is digital fingerprinting. By utilizing all the stored information about a device – such as processor ID and clock speed, operating system and browser versions, MAC address, time zone settings, screen resolution, and many more items commonly known about a configuration – a client can be identified with a high degree of accuracy, without using cookies or certificates.

On the server side, more than a configuration is needed to establish trust. The approach DAT describes is the Contextual Location Fingerprint (CLF). The premise is elegant: create a digital fingerprint for a machine that includes location information as part of a multi-factor trust chain. Rather than a geo-location, which can be spoofed and may be hard to derive anyway considering GPS doesn’t penetrate large buildings well, in this concept location implies proximity within an authorized data center.

The key is tight integration of ultra-low-power NVM technology, such as that provided by Sidense, within the SoC at the heart of the server. A dual-ported block of NVM allows access to protected data, with out-of-band read/write capability using RFID. A server can be introduced to a facility, verified and configured with software, then have the necessary keying loaded via RF – even when its power is off. Once the server joins the trusted network, a heartbeat broadcast continuously updates short-term public and private session keys using the same RF connection.

There are many other applications of this approach, including BYOD and Internet of Things networks, which make it a noteworthy idea. For a much more thorough description of the concept, please see the full white paper from DAT and Intel:

Enterprise Security Innovations: How to Strengthen Trust by Adding Location and Proximity Assurance

When all devices become connected, trust in the cloud becomes paramount. I suspect wireless credential exchange with processor secured storage capability built around NVM may be the next must-have feature for SoCs, just as encryption and trusted execution units are found in most server-class platforms today.