More interestingly, Cavium (now Marvell) also designed and manufactured the HSMs which are used by the top cloud providers (such as AWS, GCP, possibly Azure too), to hold the most critical private keys:
Ayup. We use AWS CloudHSM to hold our private signing keys for deploying field upgrades to our hardware. And when we break the CI scripts I see Cavium in the AWS logs.
Now I gotta take this to our security team and figure out what to do.
I'd be surprised if you get anything more than generic statements about how they take security very seriously and they are open to suggestions, but avoid addressing the mentioned concerns directly (and this applies to all cloud providers out there, not just AWS).
I'm sure a few others here would like to see their response as well.
The Intel Management Engine always runs as long as the motherboard is
receiving power, even when the computer is turned off. This issue can be
mitigated with deployment of a hardware device, which is able to disconnect
mains power.
Intel's main competitor AMD has incorporated the equivalent AMD Secure
Technology (formally called Platform Security Processor) in virtually all of
its post-2013 CPUs.
Is there anyone here who actually thought cloud provider HSMs were secure against the provider itself or whatever nation state(s) have jurisdiction over it?
It would never occur to me to even suspect that. I assume that anything I do in the cloud is absolutely transparent to the cloud provider unless it's running homomorphic encryption, which is still too slow and limited to do much that is useful.
I would trust them to be secure against the average "hacker" though, so they do serve some purpose. If your threat model includes nation states then you should not be trusting cloud providers at all.
Lots of people believe that. They believe truthfully you can get to the level of AWS, MS, Google, Facebook or Apple whilst standing up to the nations that host those companies. I've walked into government employees in the hallways of tiny ISPs, I see no reason to believe at all that larger companies are any different except for when easier backdoors have been installed.
At my Fortune 250, our threat model apparently includes -- rather conveniently and coincidentally -- everything! Well, everything they make an off-the-shelf product for, anyway. It makes new purchasing decisions easy:
"Does your product make any thing, in any way, more secure?"
"Uh... Yes?"
"You son of a bitch. We're in. Roll it out everywhere. Now."
It's interesting to consider the people who, with the very same set of facts, come to completely opposite conclusions about security.
For instance, Amazon has a staff of thousands or tens of thousands. To me, that means they can't possibly have a good grasp on internal security, that there's no way to know if and when data has been accessed improperly, et cetera. To others, the fact that they're a mega-huge company means they have security people, security processes and procedures, and they are therefore even more secure than smaller companies.
For one of the two groups, the generalized uncertainty of the small company is greater than the generalized uncertainty of the large. For the other, the size of the large makes certain things inevitable, where the security of smaller companies obviously depends on which companies we're talking about and the people involved. More often than not, people want to generalize about small companies but wouldn't apply the same criteria to larger companies like Amazon.
There's a huge emotional component in this, which I think salespeople excel at exploiting.
It fascinates me, even though it's a never-ending source of frustration.
I think there’s such a thing as plausible deniability here. We didn’t know for certain so we weren’t culpable, but now that it’s public record, we really have to do something about it or risk liability with our customer data.
You don't need to think about this in a binary fashion. You can split your trust across multiple entities. Different clouds, different countries, or a mix of cloud and data centers you own.
This breeds the familiar scenario where a group will start saying the link between the two is so clear that there must be a connection. Then you’ll get another group calling the first group conspiracy theorists, and say it’s just a coincidence of probability.
Narrative control and information modeling is so powerful it’s scary.
Now get yourself some half-decent psyops and contaminate the first group with supporting voices that emphasize weaker evidence, use poor logic, name-drop socially questionable sources, and go out of their way to sound ridiculous.
HSMs are mainly for compliance, where a customer needs to check a regulatory box, because some rules says you must use a HSM. The more standard it is, the easier it is to demonstrate to the auditor that you've checked the box.
joezydeco|2 years ago
Now I gotta take this to our security team and figure out what to do.
supriyo-biswas|2 years ago
I'm sure a few others here would like to see their response as well.
d-161|2 years ago
https://github.com/Ylianst
theamk|2 years ago
I mean, you are already in US-based cloud, so if NSA is interested, they will just request information directly, no backdoors needed.
(This is a good test for your security team, btw: if they say anything other that "we do nothing", you know its all security theater)
datavirtue|2 years ago
api|2 years ago
It would never occur to me to even suspect that. I assume that anything I do in the cloud is absolutely transparent to the cloud provider unless it's running homomorphic encryption, which is still too slow and limited to do much that is useful.
I would trust them to be secure against the average "hacker" though, so they do serve some purpose. If your threat model includes nation states then you should not be trusting cloud providers at all.
jacquesm|2 years ago
TheRealDunkirk|2 years ago
At my Fortune 250, our threat model apparently includes -- rather conveniently and coincidentally -- everything! Well, everything they make an off-the-shelf product for, anyway. It makes new purchasing decisions easy:
"Does your product make any thing, in any way, more secure?"
"Uh... Yes?"
"You son of a bitch. We're in. Roll it out everywhere. Now."
johnklos|2 years ago
For instance, Amazon has a staff of thousands or tens of thousands. To me, that means they can't possibly have a good grasp on internal security, that there's no way to know if and when data has been accessed improperly, et cetera. To others, the fact that they're a mega-huge company means they have security people, security processes and procedures, and they are therefore even more secure than smaller companies.
For one of the two groups, the generalized uncertainty of the small company is greater than the generalized uncertainty of the large. For the other, the size of the large makes certain things inevitable, where the security of smaller companies obviously depends on which companies we're talking about and the people involved. More often than not, people want to generalize about small companies but wouldn't apply the same criteria to larger companies like Amazon.
There's a huge emotional component in this, which I think salespeople excel at exploiting.
It fascinates me, even though it's a never-ending source of frustration.
enkid|2 years ago
numbsafari|2 years ago
Even when you are a nation state, you still have to worry about other nation states.
wsc981|2 years ago
lokar|2 years ago
dclowd9901|2 years ago
bowmessage|2 years ago
[0] https://cloud.google.com/blog/products/identity-security/new...
amenghra|2 years ago
ipaddr|2 years ago
pyinstallwoes|2 years ago
Narrative control and information modeling is so powerful it’s scary.
jacquesm|2 years ago
sdiupIGPWEfh|2 years ago
amluto|2 years ago
If nothing else, at Google/Amazon scale, I’d be concerned about a third-party HSM losing data.
jhallenworld|2 years ago
Also, the Cavium one was the fastest one on the market the last time I looked at this. Thales, Safenet and IBM also had them..
teepo|2 years ago
https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-faq-bas...
tgsovlerkhgsel|2 years ago
HSMs are mainly for compliance, where a customer needs to check a regulatory box, because some rules says you must use a HSM. The more standard it is, the easier it is to demonstrate to the auditor that you've checked the box.
unknown|2 years ago
[deleted]
BlueTemplar|2 years ago
[deleted]
milesward|2 years ago
zimmerfrei|2 years ago
https://www.marvell.com/company/newsroom/marvell-enables-ent...