Securing the Environment from Software-Based Attacks
Securing the actual compute plane on which software runs is what differentiates hardsec from a software-based security tool. While they have their advantages, a software tool can’t protect at the physical or logic level because it requires the logic itself to execute.
“Putting hardsec in there, we can be quite sure of what the protocol does and how it behaves. Because the data being transferred is being checked by the logic, we know that nothing else can get through,” Wiseman says. “We call it a protocol break. The attacker cannot interact with the target using any software protocol weaknesses.”
“There are elements of a cybersecurity system that no sort of software control can actually provide,” Wetmore says. “It’s that next level of hardware-based capability that gives you that assurance that those cryptographic assets, or those transactions that are happening inside that hardware security module, can’t be altered or extracted.”
LEARN MORE: Agencies can improve security and employees’ digital experiences.
How HardSec Safeguards Cryptographic Keys
At the system level, hardsec can be implemented in a few different ways.
Hardware security modules come in the form of a network-attached device — a peripheral component interconnect express (PCIe) card or a USB card. They specialize in managing and protecting cryptographic keys and sensitive data.
“Those hardware components provide that tamper resistance and the security controls designed right into the hardware,” Wetmore says. “Keys can never leave that hardware environment, and the logic that’s inside that device then provides the auditability and access control and all of the fundamental security controls in the HSM.”
Trusted platform modules are another form of hardsec. TPMs are digital vaults, providing a secure compute environment on a motherboard for cryptographic or other sensitive computing on a given system.
DISCOVER: Agencies should know the truth about security service edge.
“TPM security is key to protecting secrets. For years, we’ve also integrated an additional PC endpoint security controller to provide core security and resiliency assurances to the device,” Gardner says. “For example, it’s designed to validate the integrity of our own BIOS firmware, including with the use of quantum-resistant cryptography.”
BIOS is the code that’s running the basic input/output system for the computer and dictating how the hardware is working, and hackers aim to control it to take control of data on a device.
“Hardware security is almost like the immune system in your body,” Gardner says. “It’s like the protective coding of your DNA, starting with your BIOS validation.”
ACT NOW: Implement these five keys for an effective cyber strategy.
Making HardSec a Procurement Necessity
The supply chain that supports IT hardware is long and winding, providing many opportunities for device security to be compromised. When it comes to procurement, hardsec should be a top-of-mind consideration.
“That’s the first decision in the security chain: Are you evaluating the hardware?” Gardner says. “If it’s not secure, the rest of the features don’t matter. And it’s got to be designed for resilience, which is what we have been doing for years now with hardware support for secure automated firmware and operating system recovery, in case of breach, failure or destructive attack.”
Hardsec is an even more pressing concern for agencies charged with protecting sensitive information and critical government systems.
“The problem is that procurement should be based on true best value, but it is often relegated to the lowest cost technically acceptable,” Gardner says. “In certain parts of government, you just can’t live with second rate. You have to demand the best on the market, especially in the intelligence community and Department of Defense, the Department of State for critical infrastructure, and Homeland Security.”