by J Ryan Kenny: Product Marketing, CPU Tech and Yan Huang: Director of Software Development, CPU Tech Presented at SoftSummit 2010
Security Hardware Differentiated
Through Licensed Software
High-Tech Manufacturer’s Case Study
Agenda
• CPU Tech Market
• Company Overview
• Product Overview
• Customer Development Cycle
• Flexera Software Licensing to Support Development
Electronics Component Markets
• Semiconductor Markets in 2011, Gartner:
– Overall estimate about $320 Billion
– Processor-based chips: $144 Billion
– Military/Industrial Market, System-on-Chip, 32-bit+: $500 Million, 20% CAGR
• Of the entire semiconductor market: “System-on-Chip Products Will Drive Growth”
Numerous Recent Security Threats
Pendulum Swings in Defense Electronics over Time
[Figure: timeline of swings between a Military Driven Market and a Commercial Driven Market. Labels recovered from the figure: Full MIL-STD Requirements; No Distinct Military Market; War-Time Mobilization; Rise in Intelligence and Cryptography; Custom Components; Proliferation of Performance Standards; Dual Use Components Proliferate; Commercial Aviation and Auto Markets Proliferate; ‘Perry Memo’ COTS and Open Source; Defense Open Sources and Architectures; Tech Boom Marginalizes Military Requirements; Availability Concerns (US Sources Required); Trust Concerns (US Sources Required); Commercial Cryptography Proliferates; IP Protection Concerns (Anti-Tamper Required); Defense Funding Priorities]
What We Do: Develop Secure and Compatible Technology
[Figure: "CPU Tech’s Proven Approach", a timeline from 1980 to 2010 with CPU Tech founded in 1989. Stages shown: Understanding System Vulnerabilities; Understanding how to design secure systems and eliminate vulnerabilities; Understanding how to build secure systems]
Who We Are: Products and Services Clients and Partners
• Founded in 1989 with a vision of making compatible System-on-a-Chip (SoC) technology economically practical
• CPU Tech produces the Acalis® family of Secure Processors that protect software and systems from reverse engineering
• CPU Tech offers secure processing implementation services to assist customers in achieving security goals and certifications
• Veteran Owned, Small Business, Headquartered in Pleasanton, CA
– Rep Firms across America
Acalis® CPU872 Secure Processor
• Multi-Core Device with Integrated
Security Processor & Offload
Engines
• IBM Trusted Foundry
• Extensive, Multi-Layered Security to
Protect Against Reverse Engineering
• Two Complete PowerPC® Nodes
• Scalable without Additional Devices
• Power Efficient Processing
Acalis® Development Environment
[Figure: components of the development environment, each tagged H, S or T: Acalis® CPU872 Secure Processor; Acalis® EB872 Evaluation Board; Acalis Sentry™; Acalis® Software Development Kit; Embedded RTOS/OS; Security Processor APIs]
Legend:
• H – Hardware: Devices & Boards
• S – Software: Embedded User Software
• T – Development Tools: Software Developer & Security Engineer Tools
Acalis Sentry™ Advantages
• Graphical User Interface: Offers menu-driven, easy-to-use security
configuration
• Secure Data Transfer: Mocana SSL data security and authentication
• Security Engineer Role: Clearly separates security role from software
developer role
• Access Rules: Provides clear implementation of settings on chip firewalls
between processors, IO, and on-chip/off-chip memory
• Trusted Source Environment: Adds hardware trust to your design environment
in critical areas of encryption key and boot code management
How Acalis Sentry™ Works
[Figure: Acalis® Design Environment. Labels recovered from the figure: Acalis Sentry™ Management Console; Acalis® IDE; Acalis Sentry™; Network; Sentry Connection – S/W Encryption; Sentry Connection – Security Config; Boot Image; AEC+AES Encrypted Image]
The Role of a Security Engineer
• Current Role/Responsibilities
– Deeply embedded in software design
– Line-by-line verification
– Constant revision of design practices
With Acalis Sentry™ Security Server…
• New Role/Responsibilities
– Security separated from software design
– Menu-defined security decisions
– Clearly defined constraints for software designers
– Simplifies ‘what-if’ scenarios when changing security requirements
Defense Acquisition Process
Programs have extensive Government reviews and milestones
Phases of Defense Customer Development
[Figure: life-cycle phases in order: Requirements; System Design; Design and Prototype; Integration; System Test; Manufacturing/Support]
• This Life-Cycle can be 5-10 Years for Defense Programs
• The Full Function of Acalis Sentry not Required in All Phases
• There are sometimes security concerns in design
– Not everyone in integration, test, or manufacturing need to understand sensitive design details
– Some security settings are ‘locked down’ for the remainder of the program
– Some programs ‘compartmentalized’, where engineers and users have different accesses
Supply Chain Security
• The fact that ‘Supply Chain’ pieces are now global is a concern to some defense officials
• White House Issued ‘Comprehensive National Cyber Security Initiative’ (CNCI) and Declassified in 2010
• Part of the CNCI is Supply Chain Security:
– “Risks stemming from both the domestic and globalized supply chain must be managed in a strategic and comprehensive way over the entire lifecycle of products, systems and services.”
– CNCI Initiative #11
Acalis Sentry is a customer offering by CPU Tech to help secure the supply chain in the development process through role and feature based licensing
Overview of Flexera Software Capabilities
• CPU Tech is currently utilizing several Flexera Software products
• For the Acalis Sentry, using:
– FlexNet Embedded
– FlexNet Operations
• This enables us to license several different ‘subscription licenses’ to Acalis Sentry all from the same secure hardware
CPU Tech’s Business Challenges
• Both desktop and embedded software provide different levels of
functionality, operations, and security
• Need to offer feature-based and role-based licensing and
pricing models to our customers
• Need to provide embedded-node-locked and floating licensing
capability
• Need to offer both off-line (for machines operating in a classified
area) and web-based activation options to our customers
• Need to be able to automate the activation process
CPU Tech’s Evaluation Criteria in Selecting
FlexNet Producer Suite
• Appropriate and adequate cryptographic encryption for license
key protection and storage
• Small memory footprint
• Supported our processor architecture
• Supported embedded OS's (OS independent, and easy to port)
• Supported programming language
• Performance and reliability
• Easy to manage and track the license entitlement
• License activation automation
• Integration with other management systems, such as
SalesForce
• Total Cost of Ownership
Example Use Case of FlexNet Technology Embedded in Acalis Sentry
[Figure labels: Acalis Sentry™; Acalis® EB872 Evaluation Board; roles Admin, Developer, Security Engineer, Manufacturing; Active License]
How License Works:
• License Resides in Bootable Embedded Software
• Determines Accesses and Privileges Based on Edition
• License pre-installed or updated by user
Future Capabilities Enabled by FlexNet Embedded
[Figure labels: Acalis Sentry™; Acalis® EB872 Evaluation Board; roles Admin, Developer, Security Engineer, Manufacturing; Provisioning or Generated License]
Options:
• Off-line activation locked to device
• Floating license on a license server
• Provisioning server to automate the license update
• Web-based license activation
Role and Mode Rules for Acalis Sentry
Roles Needed in Acalis Sentry:
• Administrator: Sets passwords,
administrative options, license
activities
• Developer: Provides mission
embedded software, final embedded
images
• Security Engineer: Sets security
settings in secure processor
• Manufacturer: Final distributor of
encrypted bootable image
Design Phases for Acalis Sentry:
• Development: This encompasses all
software development, requires
multiple changes and security settings
• Test/Integration: This phase requires
some controlled code and security
setting changes
• Manufacturing: This phase requires
no code changes, but controls sensitive
image distribution
• Support: This phase typically involves
only documentation, audit, reports
Matching Roles/Modes to Customer Design Model
Full Sentry
• Admin, Developer,
Security Engineer,
Manufacturing
• Full spectrum of
design space
needed
Assembly
Creation
• Admin, Developer,
Security Engineer
• New images result
from debug
changes
Manufacturing
• Admin,
Manufacturing
• Unchanging
image(s) being
installed
Static
• Admin, Security
Engineer
• Security audit only –
keeps production
floor intact, no other
functions
Results in
Four
‘Subscription
Licenses’
[Figure: the four subscription licenses (Full Sentry, Assembly Creation, Manufacturing, Static) laid out against the life-cycle phases: Requirements; System Design; Design and Prototype; Integration; System Test; Manufacturing/Support]
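The role sets on the "Matching Roles/Modes" slide can be treated as a deny-by-default policy and used to pick the narrowest subscription license for a phase. The following is an added example, not CPU Tech or Flexera code; the function names and the phase-to-role needs in `PHASE_NEEDS` are assumptions made for illustration.

```python
# Role sets per subscription license, copied from the
# "Matching Roles/Modes to Customer Design Model" slide.
EDITION_ROLES = {
    "Full Sentry": frozenset(
        {"Admin", "Developer", "Security Engineer", "Manufacturing"}),
    "Assembly Creation": frozenset({"Admin", "Developer", "Security Engineer"}),
    "Manufacturing": frozenset({"Admin", "Manufacturing"}),
    "Static": frozenset({"Admin", "Security Engineer"}),
}
ALL_ROLES = frozenset().union(*EDITION_ROLES.values())


def role_allowed(edition, role):
    """Deny by default: unknown editions and unlisted roles get no access."""
    return role in EDITION_ROLES.get(edition, frozenset())


def least_privilege_editions(required_roles):
    """Return the edition(s) covering required_roles with the fewest roles.

    Ties are all returned (sorted) so the choice stays an explicit decision.
    """
    required = frozenset(required_roles)
    unknown = required - ALL_ROLES
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    # "Full Sentry" holds every known role, so this is never empty.
    covering = {e: r for e, r in EDITION_ROLES.items() if required <= r}
    fewest = min(len(r) for r in covering.values())
    return sorted(e for e, r in covering.items() if len(r) == fewest)


def excess_roles(edition, required_roles):
    """Roles the edition enables that the phase does not need."""
    return sorted(EDITION_ROLES[edition] - frozenset(required_roles))


# Constructed phase plan (hypothetical role needs, not taken from the slides).
PHASE_NEEDS = {
    "Development": {"Admin", "Developer", "Security Engineer"},
    "Manufacturing": {"Admin", "Manufacturing"},
    "Support": {"Admin", "Security Engineer"},
}

if __name__ == "__main__":
    for phase, needs in PHASE_NEEDS.items():
        for edition in least_privilege_editions(needs):
            print(phase, "->", edition, "excess:", excess_roles(edition, needs))
```

Any non-empty `excess_roles` result marks roles that are licensed but unused in that phase, which is where an audit of access should start.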
Matrix of Features to Subscription Licenses
Features \ Subscriptions: Full | Assembly Creation | Manufacturing | Static
Product Activation √ √ √ √
Configuration (locking/unlocking, network) √ √ √ √
Licensing (activation, update) √ √ √ √
Field Upgrade √ √ √ √
Tamper and Activity Log (storing, retrieving) √ √ √ √
Device Sanitization √ √ √ √
Access Configuration (user group, users) √ √ √ √
Security Configuration (firewall, key, event log) √ √ √ √
Assembly Creation √ √
Assembly Upgrade √ √
Target Activity Log Retrieval √ √ √ √
Manufacturing Process √ √ √
Features, Subscriptions, and Roles – Security Engineer
Features \ Subscriptions: Full | Assembly Creation | Manufacturing | Static
Product Activation √ √ √ √
Configuration (locking/unlocking, network)
Licensing (activation, update)
Field Upgrade √ √ √ √
Tamper and Activity Log (storing, retrieving)
Device Sanitization
Access Configuration (user group, users)
Security Configuration (firewall, key, event log) √ √ √ √
Assembly Creation √ √
Assembly Upgrade √ √
Target Activity Log Retrieval √ √ √ √
Manufacturing Process √ √ √
Features, Subscriptions, and Roles – Administrator
Features \ Subscriptions: Full | Assembly Creation | Manufacturing | Static
Product Activation √ √ √ √
Configuration (locking/unlocking, network) √ √ √ √
Licensing (activation, update) √ √ √ √
Field Upgrade √ √ √ √
Tamper and Activity Log (storing, retrieving) √ √ √ √
Device Sanitization √ √ √ √
Access Configuration (user group, users) √ √ √ √
Security Configuration (firewall, key, event log)
Assembly Creation
Assembly Upgrade
Target Activity Log Retrieval
Manufacturing Process
Features, Subscriptions, and Roles – Developer
Features \ Subscriptions: Full | Assembly Creation | Manufacturing | Static
Product Activation
Configuration (locking/unlocking, network)
Licensing (activation, update)
Field Upgrade
Tamper and Activity Log (storing, retrieving)
Device Sanitization
Access Configuration (user group, users)
Security Configuration (firewall, key, event log)
Assembly Creation √ √
Assembly Upgrade √ √
Target Activity Log Retrieval √ √
Manufacturing Process
Features, Subscriptions, and Roles – Manufacturer
Features \ Subscriptions: Full | Assembly Creation | Manufacturing | Static
Product Activation
Configuration (locking/unlocking, network)
Licensing (activation, update)
Field Upgrade
Tamper and Activity Log (storing, retrieving)
Device Sanitization
Access Configuration (user group, users)
Security Configuration (firewall, key, event log)
Assembly Creation
Assembly Upgrade
Target Activity Log Retrieval √ √
Manufacturing Process √ √ √
Cost Advantages of Flexera Software Licensing
Model in Sentry
• Reduces Manufacturing Cost (Single Version of Hardware)
• Adds a Valuable Security Layer in User Activation
• Operational Savings in Ease of Upgrade/Downgrade
• Flexibility allows CPU Tech to Tailor Subscription Licenses to
Customer
• Protects CPU Tech and Customer Intellectual Property
• Gets us Faster to Market, as we are only limited by hardware
schedule
Example Cost Model to Customer
Example:
– Two Yrs Full Sentry (2 x $A)
– Two Yrs Assembly Creation (2 x $B)
– Three Yrs Manufacturing (3 x $C)
– Five Yrs Static (5 x $D)
Total Cost: $XYZ
Cost model allows customers to customize their licensing
package and increase design security
[Figure: the four subscription licenses (Full Sentry, Assembly Creation, Manufacturing, Static) laid out against the life-cycle phases: Requirements; System Design; Design and Prototype; Integration; System Test; Manufacturing/Support]
Summary
• Flexible Licensing helps customer with life-cycle security
• Allows for cost and revenue model that matches customer
process
• Much of what were security ‘rules’ to be enforced through audit are now enforced by fiat
• Customers can play by our licensing rules within their secure
facilities
• Provides flexibility, cost reduction, and ease of
upgrade/downgrade
• Offers protection for intellectual property and revenue
Questions?
Thank You!