Rooted in the principle of ‘never trust, always verify’ is a strategic security initiative that prevents successful data breaches by eliminating the concept of ‘trust’ from an organisation’s network architecture. The Zero Trust Architecture works upon traditional systems’ flaw, which believes that data needs to be only protected from outside of an organisation.
Intel is one of the companies that believe that cybersecurity measures and zero trust, in particular, should not be just restricted to networks or systems but must be applied all the way down inside the silicon. To this end, Intel has technologies in place to allow immutable identifiers inside the chips. Each transaction on the internal fabrics has a hardware-generated identifier. In addition, mutual authentication is required between chiplets within a package. Intel says that these measures are the company’s ways of introducing the zero-trust concept to its design.
Intel’s Zero Trust Approach
Many security paradigms still rely on physical connectivity in hardware. This means that when access is on a hardware bus, it is often considered legitimate. Typically, hardware designers are not taught to ask questions. A bit or message is automatically assumed to come from the right party. As attackers become increasingly sophisticated in physical attacks, these assumptions must be questioned just as the paradigm of authenticating the network once was questioned.
To counter this, Intel and others in the industry have contributed technology on the system level like the DMTF’s Security Protocol and the Data Model (SPDM). This model allows for secure collaboration between hardware elements similar to how TLS and HTTPS secure web transactions. Intel also used PCI-SIG and Compute Express Link to add Integrity and Data Encryption (IDE), which helps protect physical links to accelerators such as GPUs when implemented.
As mentioned above, Intel intends to widen the scope of zero trust to hardware as well. While hardware development has different characteristics than software, the two share a lot of commonalities in terms of security principles.
Some of Intel’s security principles for hardware are:
- Fail safely and securely
- Memory management checks
- Least-privilege access
- Protect the weakest part of the design
- Blocking Resource Access for specific tasks
- Inventing simple architectures
- Easy to use security mechanisms.
Intel applies these principles while developing the security technologies of their products to improve fundamental security, protection of data and workloads, and software reliability. This provides the customers with robust technologies which strengthen their safety and thus support a Zero Trust infrastructure.
Intel Software Guard Extensions were originally created for protecting identities on laptop machines. Since then, Intel SGX has been expanded beyond the initial small data scenarios it was created for and into big data environments like on-premises data centres or hyperscale cloud infrastructure. Intel SGX allocates a section of memory that is set aside as an encrypted data enclave.
Intel SGX denies entry to any non-approved user. This feature makes it a powerful tool for a zero-trust approach to security. Furthermore, since the code and the data are secluded within the data enclave, Intel SGX successfully thwarts any attack, even the ones that completely breach the other systems in the organisation.
This differentiation makes Intel SGX critical for zero trust. As a result, Intel SGX runs with the least amount of trust necessary to ensure that your data remains confidential.