Above all, chip designers want to be sure that their designs and their IP are safe in the environment in which they’re working. It’s imperative that as we transition chip design and verification flows into cloud environments, we also embed security in all aspects of the software development lifecycle, infrastructure, and platforms.
Typically, cloud providers operate under a shared responsibility model. Security of the cloud, such as the data centers, is the provider’s responsibility; as such, it’s in their best interest to build in security from the ground up in their infrastructures and applications.
Cloud service providers are responsible for the security of the underlying cloud infrastructure, such as physical security of the environment, security of the hypervisor for the compute, network security of the multi-tenant software-defined network environment, and security of the provided applications/services used for management of certain operations. Cloud customers are responsible for securing workloads such as infrastructure setup, network security within the environment, ingress/egress control, and application security.
If you’re considering best practices, much of this comes down to a shift left: putting security at the inception phase of a project and integrating security into all aspects of the environment. When building the cloud infrastructure, for instance, the architects should have answers to several key questions:
- How will we segment the environment?
- How will we monitor and manage access?
- How will we ensure compliance to the requirements put into place?
- How will we protect data when it is in cache, in storage, and in transit?
At the application level, it’s essential to scan the code for security vulnerabilities throughout the software development lifecycle. Access to the applications should be controlled as well as secured via techniques such as multi-factor authentication. Establishing different levels of data classification, along with associated access permissions, may be appropriate. Cloud workload protection should be applied to virtual machines and containers, with monitoring for critical vulnerabilities.