Security is a top concern at Illuminosi
We spend a lot of our time and focus on security issues. There are specific groups such as the Trusted Computing Group (TCG) that focus on keeping the media data secure. This is a major part of what the TCG Storage Work Group does and why we are involved there. In addition, there have been several revisions in NVMe concerning the proper implementation of the SANITIZE command.
There has been a focus in the USB-IF to secure the connection between the computer and devices so that only trusted devices will be connected. This has now been taken up in the PCI-SIG so that device authentication will become a part of the PCIe specification in the future. Expect this to be an issue in enterprise and data center markets, as this will help protect them from supply chain security vulnerabilities.
We will help you to correctly implement secure firmware and interconnects so that your products (and reputation!) are protected from supply chain attacks.
Your secrets are safe with us
Of course, our desire for security extends to our confidentiality practices. As with any other business in this world, our confidentiality is governed by the myriad NDAs that we sign. Bring us your NDA and we will discuss your concerns.
Security is part of everything
This is a lesson we all learned long ago. There are aspects of security in mechanical design, SoC and PCB designs, firmware, test, and manufacturing. There are a number of guidelines for each discipline that need to be followed so that your devices are completely trusted by your customers. These are just a few:
NIST standards for device security impact mechanical design of form factors in FIPS 140-2. BTW, did you know that FIPS 140-3 is coming soon? Testing begins in September 2020.
The debug port (JTAG) on your SoC should have a fusible link so that it can be permanently disabled post-manufacturing.
That standard JTAG connector on your PCB should not be there. That is a very obvious place for hackers to access your firmware. There are other ways to access debug functions if needed for manufacturing. We can help you design test fixtures to meet those needs.
Debug versions of your firmware should never be sent to customers. The extra information present is a big gift to hackers about the structure of your code.
Firmware images must be cryptographically signed, and there are a number of other inspection points that must be followed in order for them to be accepted for uploading to your devices. Your customers will review your policies on this, and may even conduct a design review of them. This has implications in many places: field service, customer support, manufacturing and engineering.
More about Security
Occasionally, others we respect have things to say about security. We link some of these sites here for you to peruse at your leisure.
The NSA started it...
Until it came out that the NSA knew how to subvert the firmware in a number of HDDs back in 2015, there was no concern about firmware security. Now, it is a big part of our world.
Security blogs
Krebs on Security is a great blog on all things related to IT, network and internet security.
Schneier on Security is another great blog on a wide range of security issues.
Internet Storm Center is an interesting read when you want to know about the latest malware threats.
Secure Thoughts is a source for consumer-level information on security.
Scott Helme writes a blog about web server security issues that occasionally gets into network security issues our storage world might find interesting.
Security tools
This is where you can find some of the more common security tools that we use.
Kali Linux, Backbox Linux, Parrot Security OS, DEFT