EDITORIAL | October 19, 2023

A SAFE Journey to Selling Devices to Cloud and Datacenter Providers

Observations from the OCP Global Summit | San Jose, CA | October, 18, 2023

If you missed it, there was a significant launch of the Open Compute Project (OCP) Foundation’s new community-led security program for improving device security underpins a fundamental change in the way device vendors and manufacturers engage and sell their products to the worlds leading cloud and datacenter providers.

Beyond standing up a framework for driving continuous security conformance assurance, the Security Appraisal Framework and Enablement (S.A.F.E.) program redefines(and optimizes) the relationship between the device vendor, the device adopter, and the security review provider.

Back when I served as chief security officer for Microsoft’s Cloud and AI Security group, I encountered a scaling problem with the way Azure worked with device vendors (think in terms of CPU’s, GPU’s, SSD’s, network cards, etc.) in validating the integrity and security of their devices. The short story is that before any device or it’s firmware could be deployed within a datacenter a security assessment had to be undertaken – and only devices (and their firmware) that came back with “clean” security reports could be purchased and ultimately deployed. Through a combination of Microsoft’s in-house and trusted third-party penetration testing and code review teams, each key device would be tested and an iterative improvement cycle would continue until the security assurance report came back clean.

There were two obvious problems with that mode of security assurance and interaction. As a purchaser and adopter of devices, how do you scale an in-house security practices to assess and assure the thousands of devices from hundreds of vendors and their ever-changing firmware? And, as a device vendor, how do you meet and coordinate the overlapping yet distinct security requirements of every purchaser and adopter of your technology?

Which brings me back to S.A.F.E. While it has been a couple years since I moved on from Microsoft, it’s fantastic to see that those first meetings with the OCP team and like-minded cloud service providers to tackle those problems that culminated this week in the official launch of the solution – and doubly proud of IOActive’s key involvements in both the creation of the S.A.F.E. device security checklist and Security Review Provider (SRP) criteria, and for being one of the founding SRP providers.

For device vendors, I think S.A.F.E. is great news.

A few points to justify that statement:

  1. Just one set of device security requirements (complete with device checklists) that address all OCP member purchasers and adopters. Better yet, community-driven and publicly available security requirements (with input from purchasers, vendors, and SRP providers alike) that will evolve and adapt to the changing world
  2. Accredited and trusted OCP SRP providers that device vendors can engage with at anytime in their device and firmware’s development lifecycle – cost-effectively accelerating and simplifying a vendors journey to “clean” S.A.F.E.-Approved product status; ultimately ensuring a vendor’s devices can be purchased and deployed by cloud and datacenter providers quicker than ever before
  3. Devices with advanced and proprietary technologies can be security tested and assured to meet adopter security requirements without the vendor having to share proprietary source code with the adopter.

One last perspective to share – oriented specifically to device vendors: there’s fantastic innovation going on across the cloud and datacenter device ecosystem. As I navigate the OCP conference Expo hall, passing by liquid cooling-systems, quantum computing data connectors, petabyte storage arrays, and even specialized forklifts for moving data racks- I’m reminded that many vendors are only just now starting their security journey, and the prospect of having to meet the detailed requirements of S.A.F.E. may feel daunting.

In all my time at Microsoft (and IBM for that matter), I never encountered a device vendor that “nailed security” the first time, nor the third time. Reaching S.A.F.E. approval will be a journey that requires a trusted security partner. When you’re ready for that journey, you’ll not find a stronger and more accomplished or experienced partner than the team at IOActive.