Server Security Technologies: New Lines of Defense for IT

Page 1

Intel Confidential

James J Greene III

Sr Product Marketing Engineer, Security Technologies

August 2012

Data Center and Connected Systems Group:

Server Security Technologies

Page 2

Legal Disclaimer

Intel may make changes to specifications and product descriptions at any time, without notice.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information on performance tests and on the performance of Intel products, visit http://www.intel.com/performance

Intel does not control or audit the design or implementation of third party benchmarks or Web sites referenced in this document. Intel encourages all of its customers to visit the referenced Web sites or others where similar performance benchmarks are reported and confirm whether the referenced benchmarks are accurate and reflect performance of systems available for purchase.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel® Virtualization Technology (Intel® VT) requires a computer system with a processor, chipset, BIOS, virtual machine monitor (VMM) and applications enabled for virtualization technology. Functionality, performance or other virtualization technology benefits will vary depending on hardware and software configurations. Virtualization technology-enabled BIOS and VMM applications are currently in development.

Intel, Intel Xeon, Intel Core microarchitecture, and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see here

The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.

Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/

© 2011 Standard Performance Evaluation Corporation (SPEC) logo is reprinted with permission

Page 3

Server Security Technologies

Agenda

Security trends and concerns

Intel provides the foundation for more secure processing

Meeting the security challenge: technologies and use models to mitigate pain points

Summary

Page 4

Security in the Enterprise: Trends
Security Concerns Growing for Datacenter and Cloud

Trend: Changes in architectures require new protections
• Virtualization and multi-tenancy
• Third-party dependencies
• Blurred boundary

Trend: Increased compliance concerns, costs
• UK Data Protection Act, FedRAMP, Payment Card Industry (PCI), etc. require security enforcement and create audit needs

Trend: Shift in types of attack
• Platform as a target, not just software
• Stealth and control as objectives

Page 5

Security Concerns Limit Adoption of Cloud
Better Security is Essential for Cloud Growth

IT Pro survey of key concerns (1):
• Say lack of visibility is inhibiting private cloud adoption
• Lack of control over public cloud
• Avoid putting workloads with compliance mandates in cloud
Figures cited: 57%, 61% and 55%.

What IT needs:
• Gain visibility
• Maintain control
• Prove compliance

Source 1: McCann 2012 State of Cloud Security Global Survey, Feb 2012

Page 6

Intel® Technologies: Server Security
Establishing the Foundation for More Secure Computing

Isolate: Intel® VT and Intel® TXT
Protects VM isolation and provides a more secure platform launch

Enforce: Intel® TXT
Establishes "trusted" status foundation for security policy-based workload control

Encrypt: Intel® AES-NI
Delivers built-in encryption acceleration for better data protection

[Diagram: VM1, VM2 and VM3 running on VMMs, with a policy engine controlling VM placement]

Available in Intel® Xeon® E3, E5 and E7 Based Cisco UCS Servers

Page 7

Pain Point #1: Isolation
Isolating Workloads on Shared Infrastructures is Critical

• A major concern of shared infrastructure
• Lack of traditional guarantees of physical separation
• Multiple workloads may tamper or interact with each other

Cited headlines:
Homeland Security's Subcommittee Hearing: Cloud Computing: What are the Security Implications? (1)
Multi-Tenant Solutions: The Pros, the Questions and Integration Concerns (2)
Security Guidance for Critical Areas of Focus in Cloud Computing (3)

Source 1: http://www.outlookseries.com/A0995/Security/3817_Homeland_Security_Hearing_Cloud_Computing_Implications.htm

Source 2: http://www.itbusinessedge.com/cm/blogs/lawson/multi-tenant-solutions-the-pros-the-questions-and-integration-concerns/?cs=45181&page=2

Source 3: https://cloudsecurityalliance.org/csaguide.pdf

*Other names and brands may be claimed as the property of others

Page 8

A Fresh Look at Intel® VT
Hardware Provides Stronger Isolation of VMs

Intel® Virtualization Technology:
• Intel® VT for IA-32 and Intel® 64 (Intel® VT-x): HW support for isolated execution
• Intel® VT for Directed I/O (Intel® VT-d): HW support for isolated I/O

Traditional server VMM-based uses; isolation needed for:
• Separation of development and production environments
• Technology demonstrations

New cloud security-related uses:
• Isolation of workloads in multi-tenant cloud
• Memory monitoring for malware detection
• Device isolation for protection against DMA attacks

[Diagram: VM1 and VM2 isolated on a VMM]

Page 9: Server Security Technologies: New Lines of Defense for IT

US Dept of Homeland Security Cyber Security Research & Development Broad Agency Announcement (BAA): BAA 11-023

NIST Guidelines Seek to Minimize Risk of BIOS attacks2

Pre-runtime environment target of new attacks

Protections abstracted away by virtualization and cloud

Low-level attacks are hard to detect and can be difficult to recover from

Mebromi: The First BIOS Rootkit in the Wild1

*Other names and brands may be claimed as the property of others

Server Security Technologies

Pain Point #2: Enforcement New Controls Needed to Enforce Protection of Infrastructure

Source 1: http://www.outlookseries.com/A0995/Security/3817_Homeland_Security_Hearing_Cloud_Computing_Implications.htm

Source 2: http://www.itbusinessedge.com/cm/blogs/lawson/multi-tenant-solutions-the-pros-the-questions-and-integration-concerns/?cs=45181&page=2

Source 3: https://cloudsecurityalliance.org/csaguide.pdf

Isolate Enforce Encrypt

Page 10

Intel® Trusted Execution Technology (Intel® TXT)
Hardens and Helps Control the Platform

Intel® TXT:
• Enables isolation and tamper detection in the boot process
• Complements runtime protections
• Hardware-based trust provides verification useful in compliance
• Trust status usable by security and policy applications to control workloads

Use models:
Trusted Launch: verified platform integrity reduces malware threat
Trusted Pools: control VMs based on platform trust to better protect data
Compliance: hardware support for compliance reporting enhances auditability of the cloud environment
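The trusted-launch and trusted-pools flow above, as an added example that is not Intel's, Cisco's or the deck's own code: a host's reported TPM PCR values are compared against a known-good whitelist to decide its trust status, and a VM that carries a compliance mandate is placed only on a host that attested as trusted. Host names, digests and the policy fields are constructed values; PCR 17 and 18 are the TPM 1.2 PCRs that Intel TXT extends during a measured launch.

```python
"""Trusted-pools placement check (added example; constructed data throughout)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed known-good measurements for the TXT dynamic PCRs. Real whitelists
# come from the platform owner's golden measurements, not from this example.
KNOWN_GOOD: Dict[int, set] = {
    17: {"a1" * 20},   # hypothetical SINIT/MLE measurement (PCR 17)
    18: {"b2" * 20},   # hypothetical VMM measurement (PCR 18)
}


@dataclass(frozen=True)
class HostReport:
    """What an attestation service learns from one host's TPM quote."""
    name: str
    txt_enabled: bool
    pcrs: Dict[int, str] = field(default_factory=dict)  # PCR index -> hex digest


def host_trusted(report: HostReport) -> bool:
    """Trusted only if a measured launch ran and every watched PCR is whitelisted."""
    if not report.txt_enabled:
        return False  # no measured launch, so nothing to attest
    return all(report.pcrs.get(idx) in good for idx, good in KNOWN_GOOD.items())


def place_vm(vm: dict, hosts: List[HostReport]) -> Optional[str]:
    """Return the first host that satisfies the VM's policy, or None if none does.

    vm["requires_trusted"] is True for workloads with compliance mandates,
    which must stay inside the trusted pool.
    """
    for h in hosts:
        if vm["requires_trusted"] and not host_trusted(h):
            continue  # outside the trusted pool, skip it
        return h.name
    return None


# Constructed fleet: a host whose PCR 18 no longer matches (tampered or
# unapproved VMM), a host with TXT disabled in BIOS, and a cleanly launched host.
FLEET = [
    HostReport("ucs-02", True, {17: "a1" * 20, 18: "ff" * 20}),
    HostReport("ucs-03", False),
    HostReport("ucs-01", True, {17: "a1" * 20, 18: "b2" * 20}),
]

if __name__ == "__main__":
    for vm in ({"name": "pci-db", "requires_trusted": True},
               {"name": "dev-web", "requires_trusted": False}):
        print(vm["name"], "->", place_vm(vm, FLEET))
```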

Page 11

Pain Point #3: Encryption
Growing Burden to Work With Encrypted Data

• Growing regulatory demands to protect data physically or by encryption
• Data loss is a very painful/expensive problem for businesses
• Cloud, with its dynamic, boundless and multi-tenant characteristics, makes data protection even more difficult

Cited headlines:
Nevada Enacts Encryption Law for Data Transmission (1)
Encrypt Now to Meet New Massachusetts Data Protection Law (2)
Louisiana Personal Information Data Privacy Notification and Encryption Laws: SB 205 Act 499 (3)

1 http://www.crn.com/security/210605176;jsessionid=3BR5SYATQOCOHQE1GHPCKHWATMY32JVN

2 http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1346761,00.html

3 http://www.alertboot.com/blog/blogs/endpoint_security/archive/2009/10/16/louisiana-personal-information-data-privacy-notification-and-encryption-laws-sb-205-act-499.aspx

Page 12

Data Protection with Intel® AES-NI
Efficient Ways to Use Encryption for Data Protection

Intel® AES-NI:
• Special math functions built into the processor accelerate processing of crypto algorithms like AES
• Includes 7 new instructions
• Makes enabled encryption software faster and stronger

Data in Motion: secure transactions used pervasively in ecommerce, banking, etc.
Data in Process: most enterprise and cloud applications offer encryption options to secure information and protect confidentiality
Data at Rest: full disk encryption software protects data while saving to disk

[Diagram: Internet and Intranet data paths]

Page 13

Summary: Intel® Helps Protect Your Business
Enhance your infrastructure with Intel® Xeon® Processor-based Cisco UCS systems

Isolate: protect system from tampering and segregate workloads on shared resources
Enforce: control over virtualized environments with better visibility into system integrity
Encrypt: provide better protection of data in flight, in use and at rest

Technologies: Intel® TXT, Intel® VT, Intel® AES-NI

[Diagram: VM1, VM2 and VM3 running on VMMs]

Leading Use Models, Growing Ecosystem
