Security rooted in silicon has the greatest opportunity to subvert both current and future threats, according to Martin Dixon, VP of security architecture and engineering at Intel.

In a recent blog post, Dixon broke down how Intel integrates security insights into its silicon to protect workloads from threats over the life of its products.

In the wake of transient-execution side-channel attacks like Meltdown and Spectre, silicon-layer security has become a hot topic, especially in the cloud, where confidential computing is taking off.

In response, chipmakers have taken steps to make it easier for software vendors to secure their workloads. This can be done by accelerating stronger cryptographic algorithms or providing a secure enclave for the user’s most sensitive data.

Last October, Intel revealed that its upcoming Ice Lake-based Xeon Scalable processors would feature secure enclaves, full memory encryption, firmware protections, and improved cryptographic performance over previous-generation Xeons.

“The primary way attackers get into systems continues to be through something they can scale — and that is software,” Dixon wrote. “By building silicon enhancements realized through logic inside of the processor,” it’s possible to eliminate performance overheads that might have dissuaded developers from implementing stronger encryption, he explained.

However, it’s not just about making it easier to encrypt data at rest or in transit. One of the biggest challenges that silicon-based security is attempting to solve is how to encrypt data in use. This is exactly what the Linux Foundation’s Confidential Computing Consortium, of which Intel is a member, is attempting to address.

With data encrypted while in use, it can be processed in memory without being readable by the rest of the system. This matters most for organizations that handle sensitive data such as personally identifiable information, financial data, or health information, and that therefore need to mitigate threats targeting the confidentiality and integrity of applications and data in system memory.
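Before relying on any of the capabilities named above (crypto acceleration, memory encryption, enclaves), a practitioner first wants to know whether the host actually exposes them. The following is an added example, not code from Intel or from the article: it parses the `flags` lines of `/proc/cpuinfo` using the feature names the Linux kernel prints, falls back to a constructed sample when the file is unavailable, and only reports a feature if every logical CPU carries it. The `FEATURES` table and `SAMPLE_CPUINFO` are constructed for illustration.

```python
"""Check which hardware security features a Linux host exposes in /proc/cpuinfo.

Added example. Flag names follow what the Linux kernel prints
(arch/x86/include/asm/cpufeatures.h); SAMPLE_CPUINFO is constructed, not captured.
"""
import os
import re

# cpuinfo flag -> (vendor, what it provides), grouped by the three areas the
# article names: crypto acceleration, memory encryption, and enclaves.
FEATURES = {
    "aes":    ("Intel/AMD", "AES-NI instructions (accelerated AES)"),
    "vaes":   ("Intel/AMD", "Vector AES (wider AES throughput)"),
    "sha_ni": ("Intel/AMD", "SHA extensions (accelerated SHA-1/SHA-256)"),
    "tme":    ("Intel",     "Total Memory Encryption (DRAM contents encrypted)"),
    "sgx":    ("Intel",     "SGX enclaves (protected data in use)"),
    "sgx_lc": ("Intel",     "SGX Launch Control (owner controls launch policy)"),
    "sme":    ("AMD",       "Secure Memory Encryption"),
    "sev":    ("AMD",       "Secure Encrypted Virtualization (per-VM memory keys)"),
    "sev_es": ("AMD",       "SEV Encrypted State (VM register state encrypted)"),
}

# Constructed sample: two logical CPUs of an Ice Lake-class part exposing
# AES-NI/VAES/SHA, SGX and TME. Not output from real hardware.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example Xeon (constructed)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht syscall nx lm aes avx avx2 sha_ni vaes sgx sgx_lc tme

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Example Xeon (constructed)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht syscall nx lm aes avx avx2 sha_ni vaes sgx sgx_lc tme
"""

FLAGS_RE = re.compile(r"^flags\s*:\s*(.*)$", re.MULTILINE)


def parse_flags(cpuinfo_text):
    """Return the set of flags present on every logical CPU.

    Intersecting over all 'flags' lines avoids reporting a feature that a
    heterogeneous or mis-configured host only exposes on some cores.
    """
    per_cpu = [set(m.group(1).split()) for m in FLAGS_RE.finditer(cpuinfo_text)]
    if not per_cpu:
        return frozenset()
    return frozenset(set.intersection(*per_cpu))


def security_features(cpuinfo_text):
    """Map each known security-relevant flag to True/False for this host."""
    flags = parse_flags(cpuinfo_text)
    return {flag: flag in flags for flag in FEATURES}


def sgx_usable(cpuinfo_text, dev_path="/dev/sgx_enclave"):
    """An enclave needs both the CPU flag and the kernel driver node.

    The kernel only sets the 'sgx' flag when firmware has enabled SGX, and the
    in-tree driver (Linux 5.11+) exposes /dev/sgx_enclave; without that node
    the flag alone is not enough to build an enclave.
    """
    return security_features(cpuinfo_text)["sgx"] and os.path.exists(dev_path)


def main():
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CPUINFO  # non-Linux or restricted host: use the sample
    for flag, present in security_features(text).items():
        vendor, desc = FEATURES[flag]
        print(f"{'yes' if present else ' no'}  {flag:7} {vendor:10} {desc}")
    print("SGX enclave driver available:", sgx_usable(text))


if __name__ == "__main__":
    main()
```

Presence of a flag tells you the kernel detected the feature as enabled; it does not tell you that an enclave SDK, attestation service, or per-VM key policy is configured, so treat this as the first check rather than the last.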

Built With Purpose

According to Dixon, before Intel can integrate security features into its chips, the company has to understand where the threats are coming from.

“Our products are highly complex, and we cannot anticipate the myriad ways in which they will be used, nor how sophisticated third parties will seek to undermine their integrity,” he wrote.

So Intel works with security researchers across every environment in which its chips may be deployed to identify, test, and validate the security capabilities of its products. It is about building a culture in which security concerns raised by the community are taken seriously and addressed quickly, Dixon explained.

And this culture extends into the development of new security capabilities. “The entirety of a product’s life needs to be secure, and our development practices stem from a security development lifecycle,” he wrote.

This lifecycle defines a set of processes that ensures security principles and privacy tenets are considered at every step of product development. “Building security and privacy into products from concept to retirement is not only a strong development practice but it is also essential to enabling customers to truly unleash the power of their data,” Dixon wrote.

And with a few notable exceptions, Intel’s security philosophy appears to be paying off. “In 2020, 92% of vulnerabilities addressed in our products were a direct result of the proactive investment in our processes,” Dixon wrote.

Silicon Security Takes Off

And while Intel is heavily invested in silicon security, it is hardly the only vendor doing so. Over the past year, every major chipmaker, AMD and Nvidia included, has made commitments to strengthening its hardware security capabilities.

All three companies are members of the Confidential Computing Consortium. Meanwhile, cloud providers, hyperscalers, and software vendors such as VMware have steadily announced support for hardware-level security.

Early last year, Microsoft Azure and IBM launched confidential computing virtual machines (VMs) using Intel’s security capabilities. Meanwhile, Google and VMware tapped AMD for their own spin on the concept.

Both Google Cloud’s Confidential VMs and its Assured Workloads for government, announced last summer, are based on security capabilities built into AMD’s EPYC processors. And in an update to its vSphere platform, VMware added support for AMD’s Secure Encrypted Virtualization-Encrypted State (SEV-ES), which encrypts a VM’s memory and its register state so that neither is readable by the hypervisor.