Launches New Community Led Security Program Improving IT Device Security Posture
SAN JOSE, Calif., Oct. 18, 2023 /PRNewswire/ — Today, the Open Compute Project Foundation (OCP), the nonprofit organization bringing hyperscale innovations to all, announced a new program, OCP Security Appraisal Framework and Enablement (S.A.F.E.), designed to improve the trustworthiness of devices across all data center IT infrastructure. The OCP S.A.F.E. program is expected to reduce cost overhead and redundancy of device security audits with an OCP Community-developed, per-device security checklist, and advance the security posture of device hardware and firmware components across the supply chain.
The S.A.F.E. program adds a new dimension to the services offered by the OCP Foundation. It all starts with the OCP Community developing a standardized, device-specific audit checklist and criteria for selecting third-party device security review auditors. Both the device audit checklist and the auditor selection criteria will be open sourced and available to all. Device auditors will do a self-assessment, and those that qualify will be designated as OCP Security Review Providers (SRP). Device vendors will commission an OCP-recognized SRP to conduct a device-specific security review based on the appropriate OCP Community-provided checklist.
“The OCP S.A.F.E. Program is designed to be a catalyst for upleveling the effort on security across the OCP Community and the industry. The OCP S.A.F.E. program is an OCP Community led effort to bring standardizations to device firmware security validation to help data center operators maintain a consistent security posture with reduced costs through removing duplication of efforts which can be replicated by other market segments. Security is the underlying foundation which makes OCP core tenets of efficiency, openness, scale, impact and sustainability possible,” said Steve Helvie, VP Emerging Markets at the Open Compute Project Foundation.
“Creating a standardized approach for provenance, code quality and software supply chain for firmware releases and firmware patches that run on data center IT devices benefits the broader community; from democratizing the review process to streamlining efforts. Google is pleased to be a founding member of the OCP S.A.F.E. program and together, with the community, we will accomplish our mutual goal of increased security assurance for the industry,” said Phil Venables, CISO, Google Cloud.
Independent third-party audits present significant challenges. Their results are often available only to a certain set of customers, limiting their market impact. Also, these reviews are often commissioned by device consumers at the time of purchase, so device reviews are performed only once, and subsequent security issues introduced by firmware upgrades and patches go undetected. By driving a standardized approach across all data center operators, the OCP will effectively and efficiently address these issues.
“We have partnered with OCP to create SAFE, a framework that promotes systematic security evaluations across the hardware ecosystem. This initiative provides enhanced levels of quality and security assurance to all hardware consumers,” said Mark Russinovich, Azure CTO.
The OCP S.A.F.E. Program is designed to reduce cost overhead and redundancy of device security audits, and to: (1) provide security conformance assurance to device consumers; (2) increase the number of devices whose firmware and associated updates are reviewed on a continuous basis, rather than only once when the device is first manufactured; and (3) advance the security posture of device hardware and firmware components, through iterative refinement of review areas, testing scopes and reporting requirements.
The program has received strong support from third-party auditors and from device and silicon vendors. Currently Atredis Partners, IOActive, and NCC Group are enrolled as OCP Security Review Providers, with participating device vendors AMD and SK Hynix, and silicon vendor Intel.
“The OCP S.A.F.E. program with the increased level of security assurance it can provide should bring a new level of confidence to the market for data center IT device consumers and ultimately end users of cloud provider provided services. The efficiencies it drives at the same time as improving security is refreshing for the industry. This is just one example of how open collaboration within a community such as the OCP can benefit everyone,” said Ashish Nadkarni, Group Vice President and General Manager, Worldwide Infrastructure at IDC.
About the Open Compute Project Foundation
The Open Compute Project (OCP) is a collaborative Community of hyperscale data center operators, telecom, colocation providers and enterprise IT users, working with the product and solution vendor ecosystem to develop open innovations deployable from the cloud to the edge. The OCP Foundation is responsible for fostering and serving the OCP Community to meet the market and shape the future, taking hyperscale-led innovations to everyone. Meeting the market is accomplished through addressing challenging market obstacles with open specifications, designs and emerging market programs that showcase OCP-recognized IT equipment and data center facility best practices. Shaping the future includes investing in strategic initiatives and programs that prepare the IT ecosystem for major technology changes, such as AI & ML, optics, advanced cooling techniques, composable memory and silicon. OCP Community-developed open innovations strive to benefit all, optimized through the lens of impact, efficiency, scale and sustainability. Learn more at www.opencompute.org.
Dirk Van Slyke
Open Compute Project Foundation
Vice President, Chief Marketing Officer
Mobile: +1 303-999-7398
(Central Time Zone/CST/Houston, TX)