As cyberattacks become more insidious, harder to detect and more harmful, companies are pulling out all the stops to protect their data and infrastructure. Intel is attempting to address these challenges head-on with major data security and privacy upgrades to its Xeon Scalable processors.
The newest version of the processors, code-named “Ice Lake,” will standardize on Intel Software Guard Extensions (SGX), a set of instructions designed to increase the security of application code and data. SGX enables applications to run in isolation in what Intel calls enclaves, which the company said helps protect up to one terabyte of code and data while in use. It also introduces several capabilities designed to improve data protection.
Intel's Ice Lake processor family is a major step ahead in terms of security, said Matt Kimball, a senior analyst at Moor Insights & Strategy. Among other capabilities, the enabling technologies Intel is providing offer full data protection while at rest, at work and in transit.
“There are a lot of solutions that enable IT organizations to build higher fences or bigger moats (so to speak) to protect the castle,” Kimball said. “But announcements like this from Intel enable those fences to be dug deeper into the ground, protecting infrastructure at the lowest levels, which in turn provides that greater level of data protection. It seems obvious to me that Intel has been listening to its customers.”
Intel's Ice Lake will include a new feature the company calls Total Memory Encryption (TME), which the company says will help ensure that all memory accessed from the Intel CPU is encrypted, including customer credentials, encryption keys, and other IP or personal information on the external memory bus.
Kimball explained that TME, which he said is very similar to AMD’s Secure Memory Encryption, guards against both “scraping” memory with a CLI utility to gain access to its contents and physically removing a dual in-line memory module (DIMM) and inserting it into another system to access its contents.
With Ice Lake, Intel has also attempted to improve cryptographic performance in two ways: by using a technique that combines the operations of two algorithms so that they execute simultaneously, and by creating a method to process multiple independent data buffers in parallel.
“Some organizations don’t want to trade performance for security, and organizations haven’t been able to trade security for performance because security came at such a performance cost that it wasn’t cost-effective to implement,” Kimball added. Some of the most important use cases, he said, include cloud providers, which can use it to help ensure confidential computing capabilities for customers; regulated industries with sensitive information; and government entities.
Finally, Intel's Ice Lake processor family will include Intel Platform Firmware Resilience (PFR) to help protect against platform firmware attacks. Intel PFR is designed to detect and correct platform firmware attacks before they can compromise or disable the machine, the company said.
Taken together, these improvements signify a major advance for Intel and its customers, Kimball said.
“Intel has added the features that shape Ice Lake into a platform with full protection — from boot to execution of application and through the data lifecycle,” he said. “The built-in security capabilities will benefit companies of all sizes.”