Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Firmware Integrity in the Cloud Data Center

Home
Industry Insights
Firmware Integrity in the Cloud Data Center

Blog Article Published: 06/12/2018

By John Yeoh, Research Director/Americas, Cloud Security Alliance

As valued members, we wanted you to be among the first to hear about the newest report out from CSA—Firmware Integrity in the Cloud Data Center, in which key cloud providers and datacenter development stakeholders share their thoughts on building cloud infrastructure using secure servers that enable customers to trust the cloud providers' infrastructure at the hardware/firmware level.

Authored by the Cloud Security Industry Summit (CSIS) Technical Working Group, the position paper is aimed at hardware and firmware manufacturers, and identifies gaps in the industry, which make it difficult to meet the recently published NIST 800-193 requirements with ‘standard’ general-purpose servers and offers ways in which to build servers designed to meet the NIST requirements (including calling out missing technology when applicable) and enable cloud providers to increase trust in commodity hardware. The paper also suggests additional requirements that could further strengthen the level of security of servers.

Among the gaps that CSIS singles out for immediate attention by hardware manufacturers are:

  1. First-instruction integrity – The ability to ensure integrity of the first instruction (the first code or data loaded from mutable non-volatile media) in a way that is verifiable by the cloud provider and not just by the manufacturer.
  2. Chain-of-Trust for peripherals – The ability to leverage the host root of trust and other roots of trust to create a chain of trust to peripherals (e.g. for PCIe devices or other symbiont devices).
  3. Automatable Recovery – The ability to perform automated recovery back to a known boot-time state upon detection of corrupted firmware (after initial boot).

With the increasing level of sophistication of attackers and nation state threat mitigations, we think it’s critical to build a new, more secure generation of servers. The hardware/firmware industry must do a better job of building firmware with high code-quality and minimal potential for vulnerabilities at the firmware level. It’s vital that supply chain security can be verified every step along the way from component to system to solution The CSIS’s opinion is that these requirements can be met without cloud vendors having to design and build specialized hardware but rather through standardized commodity hardware.

We hope you will find this informative and that it will lead to further discussions within your own organization about the challenges involved in the future of cloud security.

Read the position paper.

Compliance

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
How to Set Your Small Privacy Team Up for Success

Published: 04/17/2024

How to Audit Your Outdated Security Processes

Published: 04/16/2024

Cloud Relationships: Getting to Grips With the ‘Vendor of My Vendor’

Published: 04/15/2024

Evaluate the Security of Your Cloud Service Provider with the CSA STAR Registry

Published: 04/13/2024