
Understanding security risk and Atalla portfolio confidence with recent hardware vulnerability news

Guest Post by Steve Wierenga, acting Atalla PM 

Remember a time when bold vendors could proudly claim “unbreakable” information security on highway billboards? At minimum, it invited skepticism and motivated industry InfoSec researchers to test the assertion. This was a sure way for an attention-seeking security vendor to eat crow and soon issue multiple security patches to keep up with the added scrutiny. Maybe this approach could work as a low-cost bug bounty program, but it is poor at positive brand differentiation, poor at establishing credibility as a security partner, and potentially draws unwanted attention to you as a customer.

Micro Focus Atalla has historically taken a conservative approach to any security claims beyond those that are externally and industry-peer verifiable, such as FIPS validation, PCI-HSM certified, Common Criteria certification, algorithm certificates, key lengths, TLS versions, etc. The reason is simple: one can easily prove a vulnerability, but never the absence of vulnerabilities. Should vendors make claims that invite more criticism? Maybe not the best marketing strategy! 

However, with the recent Meltdown/Spectre announcement, security vendors are scrambling to claim a strong position for your trust assurance. Today, we do not believe any of the Atalla hardware products are affected, based on our best information. Of course, we’ll continue to monitor and work with our partners to determine if/when patches or updates are required. So what are some of the credible claims we can assume, by nature of product design?

There is a very good argument for keeping cryptographic secrets, root keys, and private keys inside a hardware security module (HSM) and only using them within the HSM. Using SecureData district keys as an example: in a non-HSM deployment, the SecureData root (district) key resides (at least at times) in central processing unit (CPU) memory and is used “in the clear” by the Intel or other CPU to compute working encryption keys. In a non-HSM deployment, the working keys and the root key are protected from exposure only to the extent that the host CPU architecture, OS, VM, and applications are immune to attack, which they can never be; Meltdown and Spectre are just the latest examples.

However, if you keep and use the district key only within a physical HSM, it’s never accessible to attacks on the general purpose CPU/OS/VM/app environment. The working keys are still potentially vulnerable and exposed in the general purpose host environment, but if you are doing cryptographically sound key derivation, the district key can’t be reversed, and you can avoid having to revoke and re-issue the district key and all working keys because the root has been exposed. 
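As an added illustration of the argument above (example code written for this post, not code from Atalla or SecureData), here is a small Python model of the two deployments: in one the district key sits in host memory next to the working keys, in the other it is only ever used behind an HSM boundary. The HMAC-SHA256 derivation, the context labels, and the memory-dump check are assumptions made for the illustration, not the products' actual scheme.

```python
import hmac
import hashlib


class HsmBoundary:
    """Stand-in for the HSM: the district (root) key is stored here and is
    only ever used inside this object; no method returns it."""

    def __init__(self, district_key: bytes):
        self._district_key = district_key

    def derive_working_key(self, context: bytes, version: int) -> bytes:
        # One-way derivation (assumed HMAC-SHA256 KDF, not Atalla's real scheme):
        # holding the output gives no way back to the district key.
        label = b"working-key|" + context + b"|v" + str(version).encode()
        return hmac.new(self._district_key, label, hashlib.sha256).digest()


def non_hsm_deployment(district_key: bytes, contexts: list) -> dict:
    """Root key lives in host memory; a speculative-execution read of that
    memory exposes the root together with every working key."""
    host_memory = {"district_key": district_key}
    for ctx in contexts:
        label = b"working-key|" + ctx + b"|v1"
        host_memory[ctx] = hmac.new(district_key, label, hashlib.sha256).digest()
    return host_memory


def hsm_deployment(hsm: HsmBoundary, contexts: list) -> dict:
    """Host only ever holds derived working keys; the root stays in the HSM."""
    return {ctx: hsm.derive_working_key(ctx, 1) for ctx in contexts}


def root_key_exposed(host_memory: dict, district_key: bytes) -> bool:
    """What an attacker who dumps host memory learns: is the root in there?"""
    return any(hmac.compare_digest(v, district_key) for v in host_memory.values())


def rotate_working_key(hsm: HsmBoundary, context: bytes, old_version: int) -> bytes:
    """A leaked working key is replaced by re-deriving under a new version;
    the district key itself is untouched and need not be re-issued."""
    return hsm.derive_working_key(context, old_version + 1)
```

The working keys are byte-for-byte identical in both deployments; what differs is whether a host-memory dump also yields the root from which every other working key can be computed.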

Atalla closed appliances, by design, defend against common threats

Security appliances such as Atalla HSM and Enterprise Secure Key Manager (ESKM) are purpose-designed to expect and resist common and known attacks as well as sophisticated cryptanalytic ones. They prevent the installation of unknown or untrusted applications, software, and patches. They disable any root/shell access and non-essential ports, services, and protocols. They do not allow unauthenticated administrator configuration changes and, moreover, use a hardware physical security boundary to deter, prevent, and detect penetration that could probe secrets. They bind the OS, application, and hardware into a known, verified configuration. They ship from the factory in a known state under audit controls, and provide evidence to customers that they have not been intercepted and modified before receipt. They contain no “vendor backdoors” or hidden service credentials that could be exploited, and they do not “phone home” to report event or any other data over the unsecured Internet.

Our new Atalla AT1000 HSM and ESKM do make use of the Intel/Linux GP environment, but it’s a bit more complicated to review why these are not believed to be affected, which we’ll save for a later blog discussion. 

While there is no zero-risk, silver-bullet solution, it makes sense to have confidence in hardware-based security, integrated appliances, and HSMs. While we wouldn’t simply promote HSMs as the blanket answer to Spectre/Meltdown, there are a lot of great reasons to upgrade your trust assurance over relying on off-the-shelf hardware and software that are always the target of new attacks. 

Want to learn more about Atalla hardware products? Contact us today for an overview!