According to OCP, the S.A.F.E. program is expected to reduce the cost overhead and redundancy of device security audits through an OCP Community-developed, per-device security checklist, and to advance the security posture of device hardware and firmware components across the supply chain.
The S.A.F.E. program adds a new dimension to the services offered by the OCP Foundation. It starts with the OCP Community developing a standardized device-specific audit checklist and criteria for selecting third-party device security review auditors. The device audit checklist and auditor selection criteria will be open-sourced and available. Device auditors will do a self-assessment, and those who qualify will be designated OCP Security Review Providers (SRP). Device vendors will commission an OCP-recognized SRP to conduct a device-specific security review based on the appropriate OCP community-provided checklist.
"The OCP S.A.F.E. program is an OCP Community-led effort to bring standardizations to device firmware security validation to help data center operators maintain a consistent security posture with reduced costs through removing duplication of efforts which other market segments can replicate. Security is the underlying foundation that makes OCP core tenets of efficiency, openness, scale, impact and sustainability possible," said Steve Helvie, VP of Emerging Markets at the Open Compute Project Foundation.
There are several challenges with independent third-party audits. The results are often available only to specific customers, limiting their market impact. Also, these reviews are frequently commissioned by device consumers at purchase, so a device is reviewed only once and security issues subsequently introduced by firmware upgrades and patches go undetected. The OCP, driving a standardized approach across all data center operators, will effectively and efficiently address these issues.
OCP's S.A.F.E. Program is designed to reduce the cost overhead and redundancy of device security audits by addressing three key issues: security conformance to device consumers; increased reviews of devices, with firmware and associated updates reviewed continuously; and advancing the security posture of device hardware and firmware components through iterative refinement of review areas, testing scopes and reporting requirements.
The program has received strong support from third-party auditors and device and silicon vendors. Atredis Partners, IOActive, and NCC Group are currently enrolled as OCP Security Review Providers, with participating device vendors AMD and SK Hynix and silicon vendor Intel.
"The OCP S.A.F.E. program, with the increased level of security assurance it can provide, should bring a new level of confidence to the market for data center IT device consumers and ultimately end users of cloud provider provided services. The efficiencies it drives at the same time as improving security are refreshing for the industry. This is just one example of how open collaboration within a community such as the OCP can benefit everyone," said Ashish Nadkarni, group VP and GM, Worldwide Infrastructure at IDC.