Guarding the Cloud: Google, Microchip, and Others Up Hardware Security

June 08, 2022 by Jake Hertz

Here are a few companies that have recently announced new ways to protect cloud data at the silicon level.

As many industries move operations to the cloud, one of the biggest question marks is security. 

In April, Ponemon released an Intel-sponsored survey in which 1,406 IT and IT security practitioners shared what types of technologies they prioritize for security systems. Eighty-five percent of those surveyed ranked hardware and firmware-based security in their organizations as a high or a very high priority. However, a smaller number of respondents—64%—said their organizations actively strive to advance hardware security, particularly within the cloud infrastructure, data centers, edge computing devices, and security operations centers.


Ponemon survey results on the role of hardware in organizations' security solutions. Image courtesy of Ponemon

As a testament to this effort, multiple companies have released products and initiatives this month that emphasize hardware-level security for cloud computing. In this article, we’ll review some of the latest hardware security releases for the cloud. 


Google and AMD Partner Up

One of the largest cloud services providers in the world is Google Cloud. On May 10, the company announced a partnership with AMD to increase its security offerings.

The purpose of the partnership is to evaluate, analyze, and improve the security of Google’s servers, which historically employ AMD EPYC processors. Google’s Project Zero security team worked closely with AMD’s firmware teams to conduct a detailed review of the hardware and firmware that underlies AMD’s Confidential Computing technology.

Within this study, the teams implemented a plethora of hardware security tests that focused specifically on how third-generation AMD EPYC processors are implemented within Google’s servers, searching for exploitable system- and hardware-level flaws.


PCIe testing using an IO screamer. Image (modified) courtesy of Google

During the study, the researchers identified and confirmed a number of potential issues in Google’s cloud security. AMD then fixed all applicable issues and provided firmware updates to affected devices. Now, with the corrections implemented, both teams have concluded that Google’s Confidential Computing solutions meet an exceptionally high level of security standards. 


Microchip’s Root of Trust

Another announcement about hardware security comes from Microchip, which announced a new real-time root-of-trust controller.

The new product, called the CEC1736, is a microcontroller-based root-of-trust controller designed for servers, telecommunications, networking, and industrial applications. On the hardware level, the device is considered a configurable mixed-signal I/O controller based on a 32-bit 96 MHz Arm Cortex-M4 core. Importantly, the device goes beyond conventional NIST 800-193 Platform Firmware Resiliency guidelines by incorporating new runtime firmware protection. This protection is said to secure the boot process while creating a chain of trust within a system. 


System block diagram of the CEC173x in a server application. Image courtesy of Microchip

On a cryptographic level, the CEC1736 Trust Shield family is capable of AES-256, SHA-512, RSA-4096, and ECC with key sizes reaching 571 bits. The Elliptic Curve Digital Signature Algorithm (ECDSA) is supported with 384-bit keys. The device also features a 384-bit hardware PUF for secure key generation and protection. Other security features include SPI boot flash monitoring and intervention, lifecycle provisions, and transfer of ownership provisions.

Microchip designed this device to provide servers and data centers with a reliable hardware root of trust that can be used to ensure trustworthiness and security.
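To make the protect, detect and recover roles of a root-of-trust controller concrete, here is an added example (not Microchip's code, and not derived from the CEC1736 firmware) that models the chain-of-trust idea described above: an immutable anchor holds an ECDSA P-384 public key and a golden image, releases boot only for a correctly signed SPI flash image, and at runtime re-checks the flash and falls back to the golden copy when verification fails. The key pair is generated in software purely for the demonstration; on a real device the private key never exists in the controller, and the anchored key would be PUF-protected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// RootOfTrust models the immutable anchor a root-of-trust controller holds:
// the public half of a 384-bit ECDSA key and a known-good ("golden") image.
type RootOfTrust struct {
	Pub    *ecdsa.PublicKey
	Golden []byte
}

// Sign produces the signature a firmware vendor would ship alongside an image
// (ECDSA P-384 over SHA-384, the key size the article names for ECDSA).
func Sign(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha512.Sum384(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the "protect" step: boot is released only if the image read from
// SPI flash carries a valid signature under the anchored public key.
func (rot RootOfTrust) Verify(image, sig []byte) bool {
	digest := sha512.Sum384(image)
	return ecdsa.VerifyASN1(rot.Pub, digest[:], sig)
}

// Monitor is the runtime "detect and recover" step: re-check the flash
// contents and, if they no longer verify, hand back the golden image.
func (rot RootOfTrust) Monitor(flash, sig []byte) (image []byte, recovered bool) {
	if rot.Verify(flash, sig) {
		return flash, false
	}
	return rot.Golden, true
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // constructed demo key
	image := []byte("constructed firmware image v1")
	sig, _ := Sign(priv, image)
	rot := RootOfTrust{Pub: &priv.PublicKey, Golden: image}
	fmt.Println("boot allowed:", rot.Verify(image, sig))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // simulate a modified byte in SPI flash
	_, recovered := rot.Monitor(tampered, sig)
	fmt.Println("tamper detected, golden image restored:", recovered)
}
```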


Andes and Crypto Quantique Focus on IoT Security

The final hardware security announcement of this roundup comes from Andes Technology. The company recently announced a partnership with Crypto Quantique to deliver security features to RISC-V-based IoT devices.


Block diagram of AndesCore A45MP processor. Image courtesy of Andes Technology

Specifically, this collaboration aims to combine Andes’ RISC-V processors with Crypto Quantique’s quantum-driven semiconductor hardware IP, known as QDID, which brings a quantum-based root of trust to the silicon. According to Crypto Quantique, QDID is a type of PUF that works by measuring quantum effects in the silicon substrate to create unique device identities and cryptographic keys. Andes states that QDID fits well within the RISC-V framework, and as such will be used to advance the security of Andes’ microcontrollers.

Beyond this, Andes will leverage Crypto Quantique’s QuarLink platform, a chip-to-cloud security management platform designed specifically for IoT devices. This platform also leverages QDID to add layers of security to devices through monitoring and key renewal features. 


Closing Thoughts

While many organizations emphasize the importance of hardware security, others are slower to adopt silicon-level solutions. For instance, in the Ponemon survey, 38% of respondents said their organizations offset the cost of encryption with hardware-enabled accelerators.


Security solutions deployed within surveyed organizations. Image courtesy of Ponemon

Even so, with big players like Google, AMD, and Microchip churning out hardware-based security solutions, cloud data will be better guarded against privacy breaches and attacks.