News

NVIDIA Introduces BlueField DPU as a Platform for Zero Trust Security with DOCA 1.2

Discuss (0)
Visual reprentation of NVIDIA DOCA software framework emphasizing the security component

Today NVIDIA introduced the NVIDIA DOCA™ 1.2 software for NVIDIA BlueField® DPUs, the world’s most advanced Data Processing Unit (DPU). This latest release, scheduled for late November, builds on the momentum of the DOCA early access program to enable partners and customers to accelerate the development of applications and holistic zero trust solutions on the DPU. New authentication, attestation, isolation, and monitoring features that make BlueField the ideal foundation for a zero trust, distributed security platform.

Previously, perimeter security was sufficient to protect from external threats, because users, devices, data, and applications inside the data center were implicitly trusted. But with cloud, private cloud, software as a service, bring your own devices (BYOD) and users downloading numerous apps into the data center, this implicit trust is no longer warranted or acceptable. Therefore, the zero trust model realizes that resources inside of the data center cannot be trusted any more than those outside. Zero trust starts with the assumption that all users, devices, applications, and data, even those inside the network perimeter, are untrusted.

Zero trust calls for enterprises to leverage micro-segmentation and granular authorization enforcement based on the user. Analyzing the users’ rights, locations, need to access data, and behavioral history will determine whether to trust a user, device, or application to access a particular resource. It monitors the behavior of every user, application and server, and checks traffic on every part of the network using technologies including; multi-factor authentication, role-based access controls, next generation distributed firewalls, and deep packet inspection. Users and devices are authenticated to make sure that only authorized users have access while encryption ensures privacy. Zero trust calls for granting users only the access needed to accomplish each specific task and no more.

A zero trust cybersecurity model recognizes that everyone and everything, both inside and outside the network, must be authenticated, monitored, and segmented. And even once authenticated, all actions should be isolated while protecting data in-transit and at-rest with encryption to minimize the blast radius of unauthorized data access when security is compromised.

BlueField DPUs redefine the secure perimeter with a best-in-class foundation for zero trust protection. The DPU enables network screening with encryption, granular access controls, and micro segmentation on every host and for all network traffic. BlueField provides isolation, deploying security agents in a trust domain separate from the host domain. In the event a host is compromised, this isolation prevents the malware from accessing the security software, helping prevent the attack from spreading to other servers.

BlueField DPU and DOCA bring zero trust to all layers of the data center

BlueField DPUs and DOCA offer a foundation for zero trust. Starting from a hardware root of trust to ensure the integrity of the DPU itself, we can add trust to every layer. This includes bringing attestation, authentication, and monitoring to every single touchpoint of computers, applications, and data, including servers, containers, storage, network infrastructure, and, of course, people.

Supporting elements BlueField DPUs and DOCA bring to Zero Trust Architecture.
Figure 1: BlueField DPU’s and DOCA offer a foundation for zero trust. 

BlueField DPUs and DOCA provide the foundational platform for partners and customers to build holistic zero trust solutions. BlueField DPU delivers three critical capabilities as part of this foundation including:

  1. The ability to authenticate the platform including:
    1. DPU secure and measured boot based on a hardware root of trust.
    2. DICE-based platform and remote attestation of the DPU software. DICE is a family of hardware and software techniques for hardware-based cryptographic device identity, attestation, and data encryption.
  2. Tools to accelerate authentication, access control, and encryption.
    1. Offload authentication and attestation using public key cryptography.
    2. Control access to assets and data with software-defined, hardware-accelerated microsegmentation and stateful connection tracking.
    3. Accelerate encryption of data on the wire and at rest.
  3. Implement a stance of “still don’t trust—verify always.”
    1. Monitor network traffic and report suspicious activity with DOCA Telemetry.
    2. Isolate software in a domain separate from the CPU/application.
    3. Shield host applications from corruption or malicious modification.

The previous notion of “trust, sometimes verify” now becomes “don’t trust, authenticate, and attest and then still don’t trust, so always monitor and verify.”  The core assumption is that any asset could become compromised even after authentication and thus continuous activity monitoring is required to protect users, devices, and data.

The BlueField DPU enables this at the lowest level by providing hardware root of trust with unique device IDs. Then it performs a measured, secure boot, which verifies that all of the software running on the DPU is signed and authenticated. Measured boot addresses the problem that a boot image can be properly signed and authenticated, and then the actual boot process is subverted to load different or additional code. Both secure and measured boot rely on the hardware root of trust as a starting point to extend the chain of trust. Measurement calculates a secure hash of the signed image and then measures that it is indeed the image that was loaded during the secure boot process.

Once the integrity of the DPU is attested, BlueField is able to accelerate public key/private key authentication and extend the chain of trust to other applications, devices, and users.

BlueField also acts as an accelerated SDN platform to limit each application or user’s access to assets using role-based access control (RBAC) and microsegmentation. For example, a containerized app that needs to analyze data on one storage device and pass it to a user can be put on its own network segment. There it can only see that storage device, that user, and nothing else. The use of security groups, network microsegmentation, and dynamic role-based-access-control prevents the spread of any malware via internal East-West traffic.

On the “still do not trust” front, BlueField accelerates the TLS and IPsec encryption as well as storage encryption. This now makes it possible for encrypted links to operate at 200 Gb/sec with zero CPU load. The implications are that encryption at multiple layers always desirable in a zero trust framework— now can be performed much more efficiently. This makes encryption practical for all servers and all network traffic, where previously, it was too computationally expensive to implement except on a few web and VPN connections. With all network connections and storage encrypted, any adversary that does break into the network will be unable to access data.

BlueField offers continuous monitoring of everything by leveraging the DPU’s built-in telemetry, and alerts SIEM and XDR systems when suspicious activity occurs. The network telemetry can be fed into NVIDIA Morpheus – which is NVIDIA’s AI accelerated, scalable cybersecurity framework. This allows partners to perform scalable AI malware detection, IDS/IPS, and auto quarantining of compromised assets. DOCA plus Morpheus can also use AI identify non-malicious but serious issues such as mis-configured servers and out-of-date software. It can even detect cases where sensitive information—such as passwords, credit card numbers, or medical information—is being transmitted in the clear when it should be encrypted.

Now, when the inevitable cyber breach happens, multiple layers of protection will limit the blast radius. The DPUs protect and attest system integrity, isolating threats and protecting security software agents. An infected server or VM will have access to only a few other assets thanks to RBAC and microsegmentation. Compromised applications are identified with App Shield. DOCA Telemetry working with Morpheus detects suspicious network traffic. Abnormal traffic flows are blocked by leading firewall software running DPU-accelerated security and without any performance or service degradation. And valuable information is encrypted both when in flight and at rest. By starting with the assumption of zero trust everywhere, DOCA and the DPU act as the foundation for security applications to safeguard all assets, everywhere.

Summary

A modern approach to security based on zero trust is critical to securing today’s data centers, since activity inside of the perimeter can no longer automatically be trusted as secure.​

This is even more important at the edge, because data centers are no longer just huge facilities with gates, guards, and guns. At the edge, there are tiny data centers in factories, robots, cars, stores, and radio towers – each containing valuable assets. But with physical access possible, these cannot be adequately protected by traditional firewalls. So the DPU starts from a hardware root of trust and builds security layer by layer and limits network access – protecting users, devices, data, and applications – which all meet in the data center.​

BlueField DPUs and the DOCA software stack provide the ideal open foundation for partners to build zero trust solutions and extend them to all parts of the network, to address the cybersecurity of the modern data center.

Learn more about enabling zero trust security with DOCA

Apply for the DOCA Early Access Program >>
Register for the North American DPU Hackathon >>
Take the Introduction to DOCA for the BlueField DPU Course >>
Download the App Shield Solution Brief >>
Read how NVIDIA creates a new zero trust cybersecurity platform >>