Aug 06 2025
Security

Hardware Security: Protecting Data in the Quantum Era

Faced with an unprecedented threat, federal agencies are looking to lock down the physical compute layer for additional cybersecurity assurance.

Most agencies aren’t prepared to combat quantum computing, and they will need to be by the time it inevitably becomes able to crack the traditional encryption that secures many sensitive government documents and communications.

A key aspect of mitigating this threat is bolstering hardware security (hardsec).

The Office of Management and Budget issued a memo in 2022 that directed agencies to begin transitioning to post-quantum cryptography, a stronger encryption standard intended to thwart quantum computing. Bolstering hardsec — which provides a root of trust for cryptographic operations, protection against side-channel attacks and higher levels of assurance and resilience — is also essential.

“We’ve seen this massive growth of keys and certificates and secrets,” says Greg Wetmore, vice president of product development at Entrust. “Attackers are going after those critical keys that are protecting the most important systems, and if the hardware security element isn’t a component of the system, that’s when we see breaches.”

What Is HardSec?

At its most basic, hardsec is about securing the physical computing device — and the data on it — from unauthorized access or tampering. It’s a foundational security measure that allows you to build other defense-in-depth security measures on top of it, and it delivers auditable and testable security against physical threats and remote, software-based attacks.

“Today’s emphasis on zero trust is appropriate; it’s a new mindset of how you protect the system. You can’t just throw up barrier after barrier. You need to build trust in your system, and in your network,” says Tommy Gardner, chief technology officer at HP Federal. “A lot of people, when they think about cybersecurity, immediately jump to the software side because there are a lot of holes there. People don’t understand the same principles and the same attack vectors reside in hardware.”

“With hardsec, you are implementing critical security functions in hardware logic and then building the rest of your security around that,” says Simon Wiseman, chief technology officer at Everfox. “If you need a security check done, and you want to be sure that it’s done, implement it in logic. Security then becomes a fairly direct process that provides certainty.”

How HardSec Protects Devices and Workstations

Hardsec functions at the most basic level of a computing device: the physical or logic level (meaning the electronic components that perform the compute operations).

For workstations and devices, it is often implemented using either application-specific integrated circuits (ASICs), which are programmed during production and cannot be changed, or field-programmable gate array (FPGA) chips, which can be reprogrammed after manufacturing. The security value comes from either controlling the production of the ASICs and what goes on them or controlling the logic programmed into the FPGAs.

“With an FPGA, the logic chip is entirely general purpose. Nobody knows what you’re going to do with it, and it’s configured with your logic later,” Wiseman says. “That gives you lots of advantages because, if I get a chip out of a factory, I can’t actually know what’s in it. FPGAs provide a really high level of confidence in the hardware.”

Securing the Environment from Software-Based Attacks

Securing the actual compute plane on which software runs is what differentiates hardsec from a software-based security tool. While software tools have their advantages, they can’t protect at the physical or logic level because they require the logic itself to execute.

“Putting hardsec in there, we can be quite sure of what the protocol does and how it behaves. Because the data being transferred is being checked by the logic, we know that nothing else can get through,” Wiseman says. “We call it a protocol break. The attacker cannot interact with the target using any software protocol weaknesses.”

“There are elements of a cybersecurity system that no sort of software control can actually provide,” Wetmore says. “It’s that next level of hardware-based capability that gives you that assurance that those cryptographic assets, or those transactions that are happening inside that hardware security module, can’t be altered or extracted.”

How HardSec Safeguards Cryptographic Keys

At the system level, hardsec can be implemented in a few different ways.

Hardware security modules (HSMs) come in the form of a network-attached device, a Peripheral Component Interconnect Express (PCIe) card or a USB card. They specialize in managing and protecting cryptographic keys and sensitive data.

“Those hardware components provide that tamper resistance and the security controls designed right into the hardware,” Wetmore says. “Keys can never leave that hardware environment, and the logic that’s inside that device then provides the auditability and access control and all of the fundamental security controls in the HSM.”

Trusted platform modules (TPMs) are another form of hardsec. TPMs are digital vaults, providing a secure compute environment on a motherboard for cryptographic or other sensitive computing on a given system.

“TPM security is key to protecting secrets. For years, we’ve also integrated an additional PC endpoint security controller to provide core security and resiliency assurances to the device,” Gardner says. “For example, it’s designed to validate the integrity of our own BIOS firmware, including with the use of quantum-resistant cryptography.”

BIOS, the basic input/output system, is the code that dictates how a computer’s hardware works, and hackers aim to control it to take control of data on a device.

“Hardware security is almost like the immune system in your body,” Gardner says. “It’s like the protective coding of your DNA, starting with your BIOS validation.”

Making HardSec a Procurement Necessity

The supply chain that supports IT hardware is long and winding, providing many opportunities for device security to be compromised. When it comes to procurement, hardsec should be a top-of-mind consideration.

“That’s the first decision in the security chain: Are you evaluating the hardware?” Gardner says. “If it’s not secure, the rest of the features don’t matter. And it’s got to be designed for resilience, which is what we have been doing for years now with hardware support for secure automated firmware and operating system recovery, in case of breach, failure or destructive attack.”

Hardsec is an even more pressing concern for agencies charged with protecting sensitive information and critical government systems.

“The problem is that procurement should be based on true best value, but it is often relegated to the lowest cost technically acceptable,” Gardner says. “In certain parts of government, you just can’t live with second rate. You have to demand the best on the market, especially in the intelligence community and Department of Defense, the Department of State for critical infrastructure, and Homeland Security.”
