Production Server Security Manifesto

17 Oct, 2019 #cloud, #infra, #security

The world has changed: mobile phones, not servers in a datacenter, now offer the most secure environment. Look at iOS and Android security; it is far ahead of what servers have.

Mobile phones have a “secure enclave” / “tamper-resistant environment”; servers, in contrast, have ring -2/-3 firmware, which is a form of malware.

Manifesto

Secure hardware

Servers need an analog of the “secure enclave” / “tamper-resistant environment” too, one that is not exposed to ring -2/-3 firmware. It has to be in hardware (with CoreBoot and OpenBMC).

But we should acknowledge that there’s always going to be a 0-day.

Use ALL the isolation the OS can provide

Drop the “container” vs. “VM” mindset; it is a limited one. Modern servers clearly need both (e.g., GC, AWS) plus sandboxes.

Software quality and reliability

Privilege separation is an old idea. Prioritize quality and reliability in distributed systems software over new features.

(UPDATE) This is exactly what the AWS Nitro Card Controller looks like.