Microsoft Looks to Secure Clouds With 'Project Cerberus'

Scott Ferguson
11/9/2017

Microsoft is looking to make cloud infrastructure safer at the hardware level with a new offering called "Project Cerberus," which is the company's latest contribution to the Open Compute Project (OCP).

Company engineers unveiled Cerberus at Zettastructure, the European digital infrastructure conference, which is taking place this week in London. This latest OCP project piggybacks on Microsoft's "Project Olympus," a set of open source hardware designs for hyperscale cloud, which Redmond announced last year.

With Cerberus, Microsoft is looking to protect the firmware of servers that help create the backbone of any cloud infrastructure. If an attacker, whether it's someone from inside the business or someone hacking in from the outside, can access and then take control of the firmware of a server, they can then burrow deep into the data center itself, gaining access to almost any data within the cloud infrastructure.

The goal here is to harden the server firmware against these types of attacks by adding layers of trust and verification into the hardware itself.

Microsoft is now a mythical, cloud guard dog.
(Source: Wikipedia)
Microsoft is now a mythical, cloud guard dog.
(Source: Wikipedia)

In a November 8 blog post, Kushagra Vaid, the general manager of Azure Hardware Infrastructure, writes that Cerberus provides a hardware "root of trust" for the firmware that is installed on the motherboard of a server -- this includes the BIOS and other components -- as well as any peripheral I/O devices that are connected. It then enforces strict access control and integrity verification starting at pre-boot and continuing through the runtime procedure.

Vaid added:

Project Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI [Serial Peripheral Interface] bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system.

Microsoft designed Cerberus to be CPU and I/O agnostic, so it can be adapted to different hardware designs over time.


Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.


In addition, it's compliant with National Institute of Standards and Technology (NIST) 800-193 guidelines.

The Project Cerberus specifications are still being drafted, so it's not clear when it will be available, although Vaid notes that Microsoft plans to open source the specs once they are complete. The company is also working with Intel on implementing the technology into firmware.

Besides the Cerberus announcement, Vaid noted that the Project Olympus designs are now being deployed through Microsoft's Azure public cloud and are supporting the company's Fv2 virtual machines. Additionally, Redmond announced that commercial offerings based on the Olympus designs are now offered through Wiwynn and ZT Systems, with more providers on the way.

Related posts:

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.

(5)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
kq4ym
kq4ym
11/22/2017 | 4:09:11 PM
Re: Microsoft has really changed
It does seem that the plan of "adding layers of trust and verification into the hardware itself," might be a good twist on security through software. Microsoft may well find some increase business through this new advanage in the overall security business.
mhhfive
mhhfive
11/13/2017 | 11:15:22 PM
Here's more evidence that securing firmware is hard
Intel has some "god mode" authority in its hardware? Ugh!

https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/
mhhfive
mhhfive
11/13/2017 | 9:02:20 PM
Re: Microsoft has really changed
Securing firmware is a pretty huge challenge. I think that it may take a somewhat complicated verification scheme before it's done correctly. Perhaps it could even require a blockchain system to ensure trust and verification. So far, it seems like centralized firmware versions and updates have been subject to man-in-the-middle attacks of various kinds.
danielcawrey
danielcawrey
11/13/2017 | 4:07:42 PM
Re: Microsoft has really changed
Firmware has long been a problem. Good to see Microsoft getting involved with solutions for this. I think in the past Microsoft has focused mostly on software. Now it's got to help to protect hardware. 
mhhfive
mhhfive
11/12/2017 | 2:07:17 PM
Microsoft has really changed
It's good to see that Microsoft has embraced open source and is actively contributing to projects like OCP which don't directly support Windows or other Microsoft products.
More Blogs from Scott Ferguson

For the last several years, CIOs and IT professionals have been wrestling with two specific issues as they work toward a cloud-centric future: Agile IT and the rush toward digital transformation. While enterprises want to keep innovating, finding a starting point and knowing which projects to tackle first remain a major obstacle.

To get a better handle on Agile IT and digital transformation, Light Reading Managing Editor Scott Ferguson recently spoke to two experts in these fields: Dan Kearnan, senior director of marketing for cloud at SAP, and Roy Illsley, a distinguished analyst with Ovum.

From its roots in industrial farm machinery and other equipment, John Deere has always looked for a technological edge. About 20 years ago, it was GPS and then 4G LTE. Now it's turning its attention to AI, machine learning and IoT.
Artificial intelligence and automation will become more integral to the enterprise, and 90% of all apps will have integrated AI capabilities by 2020, according to Oracle CEO Mark Hurd.
IBM is now offering access to Nvidia's Tesla V100 GPUs through its cloud offerings to help accelerate AI, HPC and other high-throughput workloads.
CIO Rhonda Gass is spearheading an effort to bring more automation and IoT to the factories making Stanley Black & Decker tools and other equipment.
Featured Video
Upcoming Live Events
October 1-2, 2019, New Orleans, Louisiana
October 10, 2019, New York, New York
October 22, 2019, Los Angeles, CA
November 5, 2019, London, England
November 7, 2019, London, UK
November 14, 2019, Maritim Hotel, Berlin
December 3, 2019, New York, New York
December 3-5, 2019, Vienna, Austria
March 16-18, 2020, Embassy Suites, Denver, Colorado
May 18-20, 2020, Irving Convention Center, Dallas, TX
All Upcoming Live Events
Partner Perspectives - content from our sponsors
Edge Computing, the Next Great IT Revolution
By Rajesh Gadiyar, Vice President & CTO, Network & Custom Logic Group, Intel Corp
Innovations in Home Media Terminals for the Upcoming 5G Era
By Tang Wei, Vice President, ZTE Corporation
All Partner Perspectives