Microsoft Looks to Secure Clouds With 'Project Cerberus'
Microsoft is looking to make cloud infrastructure safer at the hardware level with a new offering called "Project Cerberus," which is the company's latest contribution to the Open Compute Project (OCP).
Company engineers unveiled Cerberus at Zettastructure, the European digital infrastructure conference, which is taking place this week in London. This latest OCP project piggybacks on Microsoft's "Project Olympus," a set of open source hardware designs for hyperscale cloud, which Redmond announced last year.
With Cerberus, Microsoft is looking to protect the firmware of servers that help create the backbone of any cloud infrastructure. If an attacker, whether it's someone from inside the business or someone hacking in from the outside, can access and then take control of the firmware of a server, they can then burrow deep into the data center itself, gaining access to almost any data within the cloud infrastructure.
The goal here is to harden the server firmware against these types of attacks by adding layers of trust and verification into the hardware itself.
In a November 8 blog post, Kushagra Vaid, the general manager of Azure Hardware Infrastructure, writes that Cerberus provides a hardware "root of trust" for the firmware that is installed on the motherboard of a server -- this includes the BIOS and other components -- as well as any peripheral I/O devices that are connected. It then enforces strict access control and integrity verification starting at pre-boot and continuing through the runtime procedure.
Project Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI [Serial Peripheral Interface] bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system.
Microsoft designed Cerberus to be CPU and I/O agnostic, so it can be adapted to different hardware designs over time.
In addition, it's compliant with National Institute of Standards and Technology (NIST) 800-193 guidelines.
The Project Cerberus specifications are still being drafted, so it's not clear when it will be available, although Vaid notes that Microsoft plans to open source the specs once they are complete. The company is also working with Intel on implementing the technology into firmware.
Besides the Cerberus announcement, Vaid noted that the Project Olympus designs are now being deployed through Microsoft's Azure public cloud and are supporting the company's Fv2 virtual machines. Additionally, Redmond announced that commercial offerings based on the Olympus designs are now offered through Wiwynn and ZT Systems, with more providers on the way.Related posts:
- Microsoft's 'CrystalNet' Looks to Eliminate Cloud Downtime
- Microsoft Growing Explosively, but Amazon Retains Huge Cloud Lead
- Why Chevron's 7-Year Microsoft Deal Is More Than Your Typical Tech Contract