Integrated hardware security engine provides better data protection

by CXOtoday Staff    Oct 21, 2010

Vincent TanThe development of smarter consumer devices and automated enterprise systems is leading to the increased need for higher security. The advancement of such devices and systems, bring convenience and efficiency through the use of ubiquitous networks. But the presence of a network connection inherently presents two issues with security: data in transit and data at a location.

Data in transit can be intercepted through a man-in-the-middle attack. In the event of such an attack, the confidentiality of intercepted data is compromised. Imagine if the communication had been between a company and a potential customer. The company could lose the potential customer to a rival company if the intercepted data was obtained by the rival company.

Data can also be easily stolen even if it is not in transit. Computer viruses and other forms of malware float around in the vast nebulous cloud of the Internet. Malware designers employ all sorts of methods from laying traps, proactive seek-and-destroy, to a digital version of the proverbial “five-finger discount”. Imagine if a company had a database of 1 million customers on a server. Suddenly, the company discovers that a rival company has been contacting their customers using information obtained from their database.

Current security solutions
So what can be done to avoid such heinous acts of industrial espionage or invasion of personal privacy? In an attempt to address such security issues, various forms of security technology have been developed to protect data, whether in transit or at a location. However these security solutions may either have flaws, are complex to implement and maintain, or have significant costs for implementation.

VPNs to protect data in transit?
To date, VPNs have been proven to work well for protecting data in transit. However, the complexity of managing, maintaining, and upgrading existing VPNs can become an IT person’s nightmare. While managing a 2-site VPN is not much to worry, however when the VPN grows to 100 sites, adding another node can become a tedious task.

In a VPN, every site connected to the VPN must be identified by the node to which it is attempting to communicate. Therefore in a 2-site VPN, site A has site B’s ID and vice versa. But in a 100-site VPN, every site would have to have 99 other site IDs and hence even adding 1 new site to a 100-site VPN can become cumbersome. Expanding a VPN can be tedious and laborious - resulting in many man hours and ultimately high costs for hiring specialists.

Firewalls to protect data at a location?
Today in any corporate environment, a firewall is a necessity. But is it enough? It has been proven that even firewall security can be breached. Firewalls should never be considered the be-all and end-all of network security. They are only the frontlines. One thing no firewall can protect against is physical infiltration.

For example, company A has a disgruntled employee. One day the disgruntled employee decides he will take some company secrets in a USB stick and either sell it to a rival company or start his own rival company. No firewall on Earth can stop the disgruntled employee.

The power within
Now that two of the major weaknesses in VPN and firewall solutions have been uncovered, this provided a market to companies to come up with CPUs which have evolved considerably from just merely focusing on enhancing the frequencies. Today there is a larger need for processors with respect to integrated hardware security to include a hardware engine designed especially for handling cryptographic encryption, decryption, random number generation without compromising on becoming faster and more power efficient.

Very few companies have integrated a security engine into the x86 processor designed CPUs which enjoy distinct advantage. The inclusion of an on-chip Advanced Cryptography Engine enables customers the unique opportunity to apply data encryption without the hassles of additional hardware. Organizations today need to enable a range of security implementations that use data encryption as the central security strategy - making data free to be stored, processed, remotely accessed, or moved from place to place across a network without the worries of theft.

So how does an integrated hardware security engine help with the aforementioned security issues? First off, the integrated hardware security engine greatly simplifies protected communication between members of an organization regardless of its size. The same technology that works for an organization of two people can just as easily work for an organization of 10,000 people. Instead of hiring security specialists to spend hours upon hours of costly labor setting up 100,000,000 different policies just for establishing site IDs of the 10,000-site VPN, all that is needed is a public key directory that can be accessed for sending protected data.

With the integrated hardware security engine, an organization already using hardware with visionary architecture (intelligent) CPUs does not need to worry about the complexities of integrating additional security hardware to their existing systems. A simple software update is all that is required to exploit the power within such CPUs. Secondly, the integrated hardware security engine can protect data by encrypting it so that if the data is stolen, it will be useless. Going back to the disgruntled employee example, assume company A is now using servers powered by VIA CPUs. The disgruntled employee sneaks in a USB stick and succeeds in copying company secrets and takes it home. Rival company B purchases the secrets, but finds that the data looks garbled and therefore company A’s secrets remain secret.

Realizing the immense potential for intelligent CPUs, customers are looking to develop secure solutions to meet increasing security demands and accomplish their security goals successfully.

The author, Vincent Tan, is a senior director at VIA Technologies, a participant company of ‘Taiwan Excellence’, TAITRA