The three 'wares and the why of data center security

Data center security solutions are comprised of hardware, firmware and software.  As a provider of all three, Microchip is able to provide insight into the needs and features of each and how they combine to provide effective, integrated solutions to tackle a growing threat. 

Half measures in cybersecurity don’t make data centers half secure; half measures make data centers unsecure. Effective cybersecurity has to cover all three of the fundamental layers in every computational system: firmware, software and hardware. 

Data centers are integral to an increasing number of business and societal functions. As repositories of invaluable data and as critical infrastructure, they have become irresistible targets for malicious hackers, some seeking to steal information, others hoping to disrupt the operations of the data center itself or of its customers. 

The largest commercial data centers are subject to relentless cyberattacks, as are most federal installations. All other data centers in the world are commonly assumed to have been probed for vulnerabilities if not attacked outright. That includes server clusters run by banks, municipal governments, original equipment manufacturers (OEMs), department stores, oil companies, medical facilities – literally everyone with a set of servers attached to a network. 

Smaller distributed edge data centers or on premises server clusters are often a required component to deliver low latency access to critical data. These smaller server clusters are often considered a tactical target as they might represent an avenue for gaining network access to a higher value target, or they might contain valuable data that is obscured from broader oversight. Malicious hackers will take control of a small server cluster that has no intrinsic value to them because they know it has value to the operator – this is the growing ransomware phenomenon. 

If the distributed server or storage nodes directly contain valuable data, then another threat becomes employees or contractors with access who may abuse their privileges and coordinate and sell data to cybercriminals – this is the insider threat. Smaller server clusters can be tactical targets as they might represent an avenue for gaining network access to a higher value target.

Every data center everywhere is perpetually at risk of being hacked. Hoping your computational cluster is too small, too insignificant or too anonymous is a dangerous strategy. Managing cybersecurity is a critical measure every data center and needs to be taken seriously.

That covers the who, what, when, where and only some of the whys of cybersecurity. The three ‘wares are actually the how. 

Points of vulnerability

Hardware, firmware and software represent different sets of attack vectors.  

Hardware gets swapped in and out of data centers regularly as operators make repairs, upgrade systems and expand capacity. The equipment involved can include everything from server blades and storage devices to networking equipment. 

Malicious hackers try to take advantage of the equipment update process by attempting to compromise hardware destined for data centers before it gets shipped and installed. The compromised element might be firmware or software. In addition, cybercriminals may coordinate with insiders to steal hardware which contains valuable data.

Any software that a data center runs for its own purposes or on behalf of its customers gets loaded, reloaded, executed and updated constantly. Theoretically, hackers have endless opportunities to try to alter existing code or insert their own code.   

Cautious data center operators will want to repeatedly test the hardware and software they run. Is the equipment what it says it is, and is it doing what it is supposed to be doing? Has any of the software been manipulated by bad actors in any way at any time? It is wise to verify incoming data – could it be hiding malware?

It might be harder to manipulate firmware, but if accomplished, it can be harder to detect, because ordinarily everything else is predicated on a boot from firmware. 

All three of the ‘wares need to be protected. Not protecting all three is very much akin to locking only some of your doors. You lock them all, or you’re making an intruder’s job too easy. Protecting any one or two of them can never be considered adequate security. 

Therefore, commercial data security solutions must manage hardware, firmware and software. 

Modern cybersecurity starts with a root of trust. The concept is that if you start with a reference in a cryptographic system that cannot be hacked in any way, then every check in a chain of checks building off that reference should be trustworthy too.

Different companies supply ICs and/or trusted platform modules with firmware that constitutes that root of trust. Several provide microcontrollers (MCUs) that enable advanced root of- rust hardware security, along with an immutable identity, and real-time security to ensure that both the hardware and the firmware in a system is authentic. 

Devices of this nature can be used directly, but some can also be paired with other processors as companion security MCUs, to provide easy-to-use firmware authentication, real-time bus protection, device attestation and public and private key storage for cryptographic functionality. 

Ideally, every piece of equipment that's added to the server or installed in a data center has firmware running on it that's trusted. When that is the case, data center operators are assured the firmware is authentic – that it genuinely came from an approved manufacturer. For an extra layer of safety, these checks can be performed before the server that contains them boots.  

Top of mind

Most of the largest commercial data centers are well-versed in cybersecurity and have implemented effective security measures.

On the positive side, there are recommendations for cyber security technology, procedures and best practices that are becoming referenced regularly enough that they are tantamount to industry standards. 

The Cyber Security Framework (CSF) from the National Institute of Science & Technology (NIST) is a set of recommendations that cover everything from servers, smartphones and internet of things (IoT) devices to the networks that connect them. 

The Open Compute Project (OCP), meanwhile, has developed an open specification for a Data Center-ready Secure Control Module (DC-SCM). This allows security elements that used to reside on a motherboard, such as server management, security and control features, to be incorporated into a compact module. 

Malicious hackers are forever probing for previously hidden vulnerabilities and devising new types of attacks, which means cybersecurity is an always an evolving practice. Data center operators would do well to work with partners able to provide insight into the needs and features of each of the three ‘wares, and how they combine to provide effective, integrated solutions to tackle a growing threat.

Kyle Gaede has been with Microchip Technology for nearly 25 years and is currently a principal manager for the company’s segment group with a focus on data centers. Gaede holds a bachelor of science in electrical engineering from the University of Texas Austin.