Partners: Intel's New Internal Security Group Needs To Put Safeguards On The Same Level As Speed
Partners said that Intel's new cross-company group formed to address the processor exploits should make security a high priority at the same level as performance.
"Security has to be more than just a side consideration," said Daniel Daninger, vice president of engineering at Nor-Tech. "When you have a group that's ordained with some amount of power, that's probably more influential than just some engineers that look at security also."
Daninger cautioned, though, that fundamental design changes aren't likely to happen fast, and could in reality take months or even years. The challenge spans beyond Intel, Daninger said, since other processor vendors have also been using speculative execution, in which a computer system performs some tasks before knowing whether or not it is actually needed.
"I think it [Intel's new security group] is necessary," Daninger said. "They're going to have to do a good job and a thorough job. It's just too fundamental."
Intel's plan to create an internal security group was first reported Monday night by The Oregonian. Intel on Tuesday confirmed to CRN the establishment of the group, and said it will be led by human resources chief Leslie Culbertson and report directly into CEO Brian Krzanich.
"On Monday, the company established the Intel Product Assurance and Security (IPAS) group that will consolidate Intel's cross-company efforts on the side-channel issues," the company said in a statement.
Spectre and Meltdown are three variants of a side-channel analysis security issue in server and PC processors, which could potentially enable hackers to access protected data.
Forming this group should help establish ownership and accountability within Intel for identifying potential issues as well as managing the resolution process, according to Kent Tibbils, vice president of marketing of Fremont, Calif.-based ASI Corp., via email.
The team should also be well-positioned to handle internal communications within Intel as well as external communications with customers, Tibbils said, offering a prompt response to all.
"The key here is ownership and responsibility, especially since these potential issues are becoming increasingly complex," Tibbils said. "Protecting against security breaches in the emerging markets of the future is vital."
The Oregonian reported that other members of the internal security group include: Josh Walden, head of Intel's new technology group; and Steve Smith, vice president and general manager of Intel's data center engineering group. Intel confirmed this as well.
"It is critical that we continue to work with the industry, to excel at customer satisfaction, to act with uncompromising integrity, and to achieve the highest standards of excellence," Krzanich said in a memo Monday obtained The Oregonian. "Simply put, I want to ensure we continue to respond appropriately, diligently, and with a customer-first attitude."
Smith participated on Intel's Jan. 3 call with financial analysts when news of the vulnerabilities broke, saying that the security issues lie in the approach researchers used to compromise a system, and not in the processors themselves.
"The processor is, in fact, operating as designed," Smith said. "And in every case, it's been this side-channel approach that the researchers used to gain information even while the processor is executing normally its intended functions."
Nor-Tech, a Burnsville, Minn.-based custom system builder, has been working closely with Intel since they debuted their first CPUs, according to Daninger. He said it isn't a huge surprise that vulnerabilities have emerged given the billions of parts contained within a CPU.
"Maybe there's a trade-off they're going to have to make between fast and secure," Daninger said.