Why It’s Time to Move Towards a ‘Hardsec’ Future

essidsolutions

The pitfalls of layered software security are too significant to properly defend against today’s hackers. Garrison’s co-founder and CEO, Henry Harrison, believes it’s time enterprises reconsider the security fundamentals and shift the focus to hardware-based security, or ‘hardsec’, an emerging security architecture born out of the intelligence community, as the path forward.

In June, Intel announced that it was working closely with Microsoft to develop what could usher in the next era of corporate enterprise-level cybersecurity: hardware-enforced stack protection, which builds upon existing exploit protection in Windows 10.

It’s highly encouraging to see such initiatives take hold. By adopting hardware-focused tools, corporate enterprises will embrace new, needed approaches to strengthen their defenses. In doing so, they will align their strategies to those of the national security apparatus – a.k.a. “the secret state.” Agencies of many countries have sought to lead the battle, given the grave consequences of falling behind. 

What Is Hardsec?

About a decade ago, the U.K. government security community originated an alternative architecture called “hardsec”, which rejects a paradigm that has dominated thinking since the beginning of attacks – that protecting against threats is a software challenge.

The Intel-Microsoft effort seeks to enforce code integrity and terminate any malicious code, with a minimum performance impact. “Hardware is the bedrock of any security solution,” said Intel Security Strategies and Initiatives (SSI) general manager, Tom Garrison, in making the June announcement. “Security solutions rooted in hardware provide the greatest opportunity to provide security assurance against current and future threats”, he added.

Treating security as a software challenge ignores the essence of cyber risk. Computers use processors (or “Turing machines”) to run various kinds of software with different applications. But hackers will exploit the adaptability of Turing machines by ordering them to run malicious applications that trigger data breaches, ransomware, and additional attacks.


How Can Hardsec Eliminate Threats?

It’s true that we have benefited for decades from software’s tremendous flexibility as it runs on a CPU. But this same flexibility has created complex systems in which simple bugs can lead to vulnerabilities with limitless impact. In other words, the very power which allows us to achieve great results with software by merely giving it instructions also allows adversaries to substitute their instructions and sabotage a computing platform.

Security solutions rooted in hardware can avoid this issue by deploying non-Turing machines to eliminate threats. But hardware is expensive and inflexible, and if there is a vulnerability, it cannot be fixed. Hardsec achieves the best of both worlds. It uses Field Programmable Gate Array (FPGA) integrated circuits which can be programmed and reprogrammed with non-Turing machine security logic. Thus, it gives the benefits of a hardware approach with the flexibility of software. 

And by restricting reprogramming to specific physical FPGA pins, IT teams can restrict – by physical hardware design and implementation – who can reprogram the FPGA to those who have access to a well-protected privileged management environment. Attackers are kept out because they cannot physically transmit data to the pins. This enables the teams to safeguard the enterprise without significantly compromising the ability of our solutions to carry out the tasks we require of them.

Despite being hardware devices, FPGA chips enhance security functionality because teams can use them to program and reprogram protective measures without the need for physical changes.

Yet, as opposed to complex software-based tools that give adversaries abundant opportunities to exploit, hardsec controls are comparatively simplistic and narrow. They will do what they are originally told to do, and nothing more. Hence, they are “too stubborn” to be hacked.


Bridging the Gap

To cite just a couple of examples of hardsec’s practical possibilities: it enables commercial users to click on links without putting their systems at risk because hardsec can help transform the web into harmless pixels. It also safeguards enterprises from email attachment or application programming interface risks.

For broad adoption, the commercial industry must rethink its security purchase processes. Currently, buyers prioritize features and functions – top analyst firms even admit that their cybersecurity product reports do not involve actual security analysis. The “secret state,” in contrast, conducts extensive, in-depth security analysis on products before acquiring them.

To bridge the gap, private firms should be able to afford the equivalent of a nation-state analysis program. However, such a program is time-consuming and expensive. To address this, we should encourage commercial peer group collaboration in the form of a consortium, through which companies would pool budgets to fund more thorough testing. It would be even better to bring public sector expertise into the consortium to share analysis data. Through the ages, intelligence and security communities have protected their information well.

Business leaders are just starting to catch up to the fact that they too must explore new approaches to strengthen their defenses. 

Commercial enterprises need to start acknowledging that layers upon layers of software security create too many pitfalls to counter the formidable capabilities of today’s hackers. In transitioning to strategies that effectively deploy hardware solutions, these businesses must cultivate a culture of collective analysis while collaborating with innovators in government. It is not simply a viable path forward – it may be the only path forward.
