The Open Compute Project Foundation (OCP) has launched a new Security Appraisal Framework and Enablement (S.A.F.E.) program aimed at improving the trustworthiness of devices across all data center IT infrastructure.
The OCP S.A.F.E. program is expected to reduce cost overhead and redundancy of device security audits with an OCP Community developed per device security checklist, and advance the security posture of device hardware and firmware components across the supply chain.
The OCP S.A.F.E. Program is designed to reduce cost overhead and redundancy of device security audits:
- provide security conformance assurance to device consumers
- increase the number of devices whose firmware and associated updates are reviewed on a continuous basis, rather than only once when the device is 1st manufactured.
- advance the security posture of device hardware and firmware components, through iterative refinement of review areas, testing scopes and reporting requirements.
“The OCP S.A.F.E. Program is designed to be a catalyst for upleveling the effort on security across the OCP Community and the industry. The OCP S.A.F.E. program is an OCP Community led effort to bring standardizations to device firmware security validation to help data center operators maintain a consistent security posture with reduced costs through removing duplication of efforts which can be replicated by other market segments. Security is the underlying foundation which makes OCP core tenets of efficiency, openness, scale, impact and sustainability possible,” said Steve Helvie, VP Emerging Markets at the Open Compute Project Foundation.
“Creating a standardized approach for provenance, code quality and software supply chain for firmware releases and firmware patches that run on data center IT devices benefits the broader community; from democratizing the review process to streamlining efforts. Google is pleased to be a founding member of the OCP S.A.F.E. program and together, with the community, we will accomplish our mutual goal of increased security assurance for the industry,” said Phil Venables, CISO, Google Cloud.
Independent third-party audits present significant challenges. These results are often available only to a certain set of customers, limiting their market impact. Also, these reviews are often commissioned by device consumers at the time of purchase, with device reviews are only performed once and subsequent security issues introduced by firmware upgrades and patches go undetected. The OCP driving a standardized approach, across all data center operators, will effectively and efficiently address these issues.
“We have partnered with OCP to create SAFE, a framework that promotes systematic security evaluations across the hardware ecosystem. This initiative provides enhanced levels of quality and security assurance to all hardware consumers,” said Mark Russinovich, Azure CTO.
