OCP tackles Data Center Hardware and Firmware Security

Launches New Community Led Security Program Improving IT Device Security Posture

Today, the Open Compute Project Foundation (OCP), the nonprofit organization bringing hyperscale innovations to all, announced a new program, OCP Security Appraisal Framework and Enablement (S.A.F.E.), designed to improve the trustworthiness of devices across all data center IT infrastructure. The OCP S.A.F.E. program is expected to reduce the cost overhead and redundancy of device security audits with an OCP Community-developed, per-device security checklist, and to advance the security posture of device hardware and firmware components across the supply chain.

The S.A.F.E. program adds a new dimension to the services offered by the OCP Foundation. It starts with the OCP Community developing a standardized, device-specific audit checklist and criteria for selecting third-party device security review auditors. Both the device audit checklist and the auditor selection criteria will be open sourced and available to all. Device auditors will do a self-assessment, and those that qualify will be designated as OCP Security Review Providers (SRP). Device vendors will commission an OCP-recognized SRP to conduct a device-specific security review based on the appropriate OCP Community-provided checklist.

“The OCP S.A.F.E. Program is designed to be a catalyst for upleveling the effort on security across the OCP Community and the industry. The OCP S.A.F.E. program is an OCP Community led effort to bring standardizations to device firmware security validation to help data center operators maintain a consistent security posture with reduced costs through removing duplication of efforts which can be replicated by other market segments. Security is the underlying foundation which makes OCP core tenets of efficiency, openness, scale, impact and sustainability possible,” said Steve Helvie, VP Emerging Markets at the Open Compute Project Foundation.

“Creating a standardized approach for provenance, code quality and software supply chain for firmware releases and firmware patches that run on data center IT devices benefits the broader community; from democratizing the review process to streamlining efforts. Google is pleased to be a founding member of the OCP S.A.F.E. program and together, with the community, we will accomplish our mutual goal of increased security assurance for the industry,” said Phil Venables, CISO, Google Cloud.

Independent third-party audits present significant challenges. Their results are often available only to a certain set of customers, limiting their market impact. These reviews are also often commissioned by device consumers at the time of purchase, so a device is reviewed only once, and subsequent security issues introduced by firmware upgrades and patches go undetected. By driving a standardized approach across all data center operators, the OCP will effectively and efficiently address these issues.

“We have partnered with OCP to create SAFE, a framework that promotes systematic security evaluations across the hardware ecosystem. This initiative provides enhanced levels of quality and security assurance to all hardware consumers,” said Mark Russinovich, Azure CTO.

The OCP S.A.F.E. Program is designed to reduce cost overhead and redundancy of device security audits, and to (1) provide security conformance assurance to device consumers; (2) increase the number of devices whose firmware and associated updates are reviewed on a continuous basis, rather than only once when the device is first manufactured; and (3) advance the security posture of device hardware and firmware components through iterative refinement of review areas, testing scopes and reporting requirements.

The program has received strong support from third-party auditors as well as device and silicon vendors. Currently Atredis Partners, IOActive, and NCC Group are enrolled as OCP Security Review Providers, with participating device vendors AMD and SK Hynix, and silicon vendor Intel.

“The OCP S.A.F.E. program with the increased level of security assurance it can provide should bring a new level of confidence to the market for data center IT device consumers and ultimately end users of cloud provider provided services. The efficiencies it drives at the same time as improving security is refreshing for the industry. This is just one example of how open collaboration within a community such as the OCP can benefit everyone,” said Ashish Nadkarni, Group Vice President and General Manager, Worldwide Infrastructure at IDC.
