Launches New Community Led Security Program Improving IT Device Security Posture
Today, the Open Compute Project Foundation (OCP), the nonprofit organization bringing hyperscale innovations to all, announced a new program, OCP Security Appraisal Framework and Enablement (S.A.F.E.), designed to improve the trustworthiness of devices across all data center IT infrastructure. The OCP S.A.F.E. program is expected to reduce the cost overhead and redundancy of device security audits with an OCP Community-developed, per-device security checklist, and to advance the security posture of device hardware and firmware components across the supply chain.
The S.A.F.E. program adds a new dimension to the services offered by the OCP Foundation. It starts with the OCP Community developing a standardized, device-specific audit checklist and criteria for selecting third-party device security review auditors. Both the device audit checklist and the auditor selection criteria will be open-sourced and available to all. Device auditors will perform a self-assessment, and those that qualify will be designated OCP Security Review Providers (SRPs). Device vendors will commission an OCP-recognized SRP to conduct a device-specific security review based on the appropriate OCP Community-provided checklist.
“The OCP S.A.F.E. Program is designed to be a catalyst for upleveling the effort on security across the OCP Community and the industry. The OCP S.A.F.E. program is an OCP Community led effort to bring standardizations to device firmware security validation to help data center operators maintain a consistent security posture with reduced costs through removing duplication of efforts which can be replicated by other market segments. Security is the underlying foundation which makes OCP core tenets of efficiency, openness, scale, impact and sustainability possible,” said Steve Helvie, VP Emerging Markets at the Open Compute Project Foundation.
“Creating a standardized approach for provenance, code quality and software supply chain for firmware releases and firmware patches that run on data center IT devices benefits the broader community, from democratizing the review process to streamlining efforts. Google is pleased to be a founding member of the OCP S.A.F.E. program and together, with the community, we will accomplish our mutual goal of increased security assurance for the industry,” said Phil Venables, CISO, Google Cloud.
Independent third-party audits present significant challenges. Their results are often available only to a limited set of customers, which restricts their market impact. These reviews are also typically commissioned by device consumers at the time of purchase and performed only once, so security issues later introduced by firmware upgrades and patches go undetected. An OCP-driven standardized approach, shared across all data center operators, will address these issues effectively and efficiently.
“We have partnered with OCP to create SAFE, a framework that promotes systematic security evaluations across the hardware ecosystem. This initiative provides enhanced levels of quality and security assurance to all hardware consumers,” said Mark Russinovich, Azure CTO.
The OCP S.A.F.E. Program is designed to reduce the cost overhead and redundancy of device security audits, and to (1) provide security conformance assurance to device consumers, (2) increase the number of devices whose firmware and associated updates are reviewed on a continuous basis, rather than only once when the device is first manufactured, and (3) advance the security posture of device hardware and firmware components through iterative refinement of review areas, testing scopes and reporting requirements.
The program has received strong support from third-party auditors as well as device and silicon vendors. Currently, Atredis Partners, IOActive, and NCC Group are enrolled as OCP Security Review Providers, with AMD and SK Hynix participating as device vendors and Intel as a silicon vendor.
“The OCP S.A.F.E. program with the increased level of security assurance it can provide should bring a new level of confidence to the market for data center IT device consumers and ultimately end users of cloud provider provided services. The efficiencies it drives at the same time as improving security is refreshing for the industry. This is just one example of how open collaboration within a community such as the OCP can benefit everyone,” said Ashish Nadkarni, Group Vice President and General Manager, Worldwide Infrastructure at IDC.
Support from Key Stakeholders
Atredis Partners
“A fundamental principle of our firm has always been a commitment to doing work we’re proud of, for people we respect – a commitment to finding the most actionable security defects for our clients in the most efficient way possible. A key part of that mission has always been an end to counterproductive ‘black boxes’, and a move toward partnership, openness and transparency. The collaborative spirit built into OCP SAFE is a very positive step in the right direction, toward a day when critical infrastructure vulnerabilities aren’t hidden behind NDAs and privilege walls, but brought into the light so that we can all work together to build a safer, more secure world,” said Shawn Moyer, CEO and cofounder of Atredis Partners.
IOActive
“Modern data center hardware and firmware supply chains are increasingly targeted by malicious actors. The OCP S.A.F.E Program defines and enforces a consistent framework for testing, validating, and assuring the security and integrity of devices at the very heart of today's cloud. S.A.F.E is win-win for both device vendors and data center owners. Data center owners that have struggled to maintain and enforce their unique security requirements for hardware and firmware, and device vendors that have had to piece together a costly jigsaw of overlapping and inconsistent requirements across their many data center customers, can now align against a single consistent and stringent methodology delivered by an accredited and mutually trusted pool of security auditors,” said Gunter Ollmann, CTO at IOActive Inc.
NCC Group
“Our mission at NCC Group is to create a more secure digital future and we are proud to have partnered with the Open Compute Project to help define the security assurance criteria for the SAFE Program. We believe that SAFE will play a key part in uplifting the security posture of the entire ecosystem, enabling device vendors and cloud providers to agree on a standardized security test methodology to be conducted by a vetted and trusted group of auditors. Ultimately, SAFE will advance the safety and security of customers and their data,” said NCC Group.
AMD
“Assurance and transparency are core pillars of security at AMD. We are excited to be part of the OCP S.A.F.E program and contribute to open hardware standards while gaining schedule efficiencies of product audits and iteratively raising our security assurance. We have a long-standing history of supporting open source software projects and we are happy to continue this commitment to open hardware as well,” said Robert Hormuth, corporate vice president, Architecture and Strategy, Data Center Solutions Group, AMD.
Intel
“At OCP Global Summit, Intel is proud to demonstrate OCP S.A.F.E.; a framework that drives systematic security reviews across the hardware ecosystem, and enables assurances of security through verifiable attestation,” said Mohan Kumar, Intel Fellow.
About the Open Compute Project Foundation
The Open Compute Project (OCP) is a collaborative Community of hyperscale data center operators, telecom, colocation providers and enterprise IT users, working with the product and solution vendor ecosystem to develop open innovations deployable from the cloud to the edge. The OCP Foundation is responsible for fostering and serving the OCP Community to meet the market and shape the future, taking hyperscale-led innovations to everyone. Meeting the market is accomplished through addressing challenging market obstacles with open specifications, designs and emerging market programs that showcase OCP-recognized IT equipment and data center facility best practices. Shaping the future includes investing in strategic initiatives and programs that prepare the IT ecosystem for major technology changes, such as AI & ML, optics, advanced cooling techniques, composable memory and silicon. OCP Community-developed open innovations strive to benefit all, optimized through the lens of impact, efficiency, scale and sustainability. Learn more at www.opencompute.org.
For more information, reach out to: Steve Helvie, VP Emerging Markets.