Microsoft Looks to Secure Clouds With 'Project Cerberus'Microsoft Looks to Secure Clouds With 'Project Cerberus'
Microsoft's latest Open Compute Project offering is called 'Project Cerberus,' and looks to make clouds more secure by protecting the firmware of cloud servers.
November 9, 2017
Microsoft is looking to make cloud infrastructure safer at the hardware level with a new offering called "Project Cerberus," which is the company's latest contribution to the Open Compute Project (OCP).
Company engineers unveiled Cerberus at Zettastructure, the European digital infrastructure conference, which is taking place this week in London. This latest OCP project piggybacks on Microsoft's "Project Olympus," a set of open source hardware designs for hyperscale cloud, which Redmond announced last year.
With Cerberus, Microsoft is looking to protect the firmware of servers that help create the backbone of any cloud infrastructure. If an attacker, whether it's someone from inside the business or someone hacking in from the outside, can access and then take control of the firmware of a server, they can then burrow deep into the data center itself, gaining access to almost any data within the cloud infrastructure.
The goal here is to harden the server firmware against these types of attacks by adding layers of trust and verification into the hardware itself.
Figure 1: Microsoft is now a mythical, cloud guard dog.
In a November 8 blog post, Kushagra Vaid, the general manager of Azure Hardware Infrastructure, writes that Cerberus provides a hardware "root of trust" for the firmware that is installed on the motherboard of a server -- this includes the BIOS and other components -- as well as any peripheral I/O devices that are connected. It then enforces strict access control and integrity verification starting at pre-boot and continuing through the runtime procedure.
Project Cerberus consists of a cryptographic microcontroller running secure code which intercepts accesses from the host to flash over the SPI [Serial Peripheral Interface] bus (where firmware is stored), so it can continuously measure and attest these accesses to ensure firmware integrity and hence protect against unauthorized access and malicious updates. This enables robust pre-boot, boot-time and runtime integrity for all the firmware components in the system.
Microsoft designed Cerberus to be CPU and I/O agnostic, so it can be adapted to different hardware designs over time.
Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.
In addition, it's compliant with National Institute of Standards and Technology (NIST) 800-193 guidelines.
The Project Cerberus specifications are still being drafted, so it's not clear when it will be available, although Vaid notes that Microsoft plans to open source the specs once they are complete. The company is also working with Intel on implementing the technology into firmware.
Besides the Cerberus announcement, Vaid noted that the Project Olympus designs are now being deployed through Microsoft's Azure public cloud and are supporting the company's Fv2 virtual machines. Additionally, Redmond announced that commercial offerings based on the Olympus designs are now offered through Wiwynn and ZT Systems, with more providers on the way.
About the Author(s)
You May Also Like
5G Network Automation and AI at Global Megaevents: A Telco AI-at-scale case study with Ooredoo and EricssonOct 10, 2023
5G Transport & Networking Strategies Digital Symposium.Oct 26, 2023
Improve Service Efficiency in the Call Center and Field with Slack AutomationOct 13, 2023
Open RAN Evolution Digital Symposium Day 1Jul 26, 2023