x
Cloud Native/NFV

Microsoft Looks to Secure Clouds With 'Project Cerberus'

Microsoft is looking to make cloud infrastructure safer at the hardware level with a new offering called "Project Cerberus," which is the company's latest contribution to the Open Compute Project (OCP).

Company engineers unveiled Cerberus at Zettastructure, the European digital infrastructure conference, which is taking place this week in London. This latest OCP project piggybacks on Microsoft's "Project Olympus," a set of open source hardware designs for hyperscale cloud, which Redmond announced last year.

With Cerberus, Microsoft is looking to protect the firmware of servers that help create the backbone of any cloud infrastructure. If an attacker, whether it's someone from inside the business or someone hacking in from the outside, can access and then take control of the firmware of a server, they can then burrow deep into the data center itself, gaining access to almost any data within the cloud infrastructure.

The goal here is to harden the server firmware against these types of attacks by adding layers of trust and verification into the hardware itself.

Microsoft is now a mythical, cloud guard dog.
(Source: Wikipedia)
Microsoft is now a mythical, cloud guard dog.
(Source: Wikipedia)

In a November 8 blog post, Kushagra Vaid, the general manager of Azure Hardware Infrastructure, writes that Cerberus provides a hardware "root of trust" for the firmware that is installed on the motherboard of a server -- this includes the BIOS and other components -- as well as any peripheral I/O devices that are connected. It then enforces strict access control and integrity verification starting at pre-boot and continuing through the runtime procedure.

Vaid added:

Project Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI [Serial Peripheral Interface] bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system.

Microsoft designed Cerberus to be CPU and I/O agnostic, so it can be adapted to different hardware designs over time.


Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.


In addition, it's compliant with National Institute of Standards and Technology (NIST) 800-193 guidelines.

The Project Cerberus specifications are still being drafted, so it's not clear when it will be available, although Vaid notes that Microsoft plans to open source the specs once they are complete. The company is also working with Intel on implementing the technology into firmware.

Besides the Cerberus announcement, Vaid noted that the Project Olympus designs are now being deployed through Microsoft's Azure public cloud and are supporting the company's Fv2 virtual machines. Additionally, Redmond announced that commercial offerings based on the Olympus designs are now offered through Wiwynn and ZT Systems, with more providers on the way.

Related posts:

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.

kq4ym 11/22/2017 | 4:09:11 PM
Re: Microsoft has really changed It does seem that the plan of "adding layers of trust and verification into the hardware itself," might be a good twist on security through software. Microsoft may well find some increase business through this new advanage in the overall security business.
mhhfive 11/13/2017 | 11:15:22 PM
Here's more evidence that securing firmware is hard Intel has some "god mode" authority in its hardware? Ugh!

https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/
mhhfive 11/13/2017 | 9:02:20 PM
Re: Microsoft has really changed Securing firmware is a pretty huge challenge. I think that it may take a somewhat complicated verification scheme before it's done correctly. Perhaps it could even require a blockchain system to ensure trust and verification. So far, it seems like centralized firmware versions and updates have been subject to man-in-the-middle attacks of various kinds.
danielcawrey 11/13/2017 | 4:07:42 PM
Re: Microsoft has really changed Firmware has long been a problem. Good to see Microsoft getting involved with solutions for this. I think in the past Microsoft has focused mostly on software. Now it's got to help to protect hardware. 
mhhfive 11/12/2017 | 2:07:17 PM
Microsoft has really changed It's good to see that Microsoft has embraced open source and is actively contributing to projects like OCP which don't directly support Windows or other Microsoft products.
HOME
Sign In
SEARCH
CLOSE
MORE
CLOSE