Built-in Security at Scale through Hardware Support
The Center for Internet Security® (CIS®) works to help cyber under-resourced organizations holistically improve their cybersecurity posture. One of the ways it does this is by coordinating expert collaboration around the ongoing development of the CIS Critical Security Controls® (CIS Controls®) and CIS Benchmarks™, prioritized security best practices which organizations can use to focus resources where they will have the greatest impact. Many vendors have taken steps to integrate the CIS Controls and CIS Benchmarks directly into products at the time of purchase, thus easing the configuration and expertise burden on individual organizations. However, this practice of building in security at the time of purchase is not yet universal. As a result, many organizations have struggled to maintain their secure configurations and policy settings.
Recognizing this issue, the Chief Technology Office (CTO) at CIS began researching built-in security back in 2018. It looked at managing security at scale for the end organization, remote attestation, simplified trusted assurance, and how to make security simpler. It also examined the development of the Trusted Platform Module (TPM) and the Trusted Execution Environment (TEE). Use of these components provides a higher level of trust and enables a shift left for security, both in the initial deployment and later to enable management at scale. TPM and TEE form a basis for built-in security, from protecting workloads against tampering to automating security assurance at scale. They have been proven in the near-universal deployment of a trusted boot process, eliminating doubts that had been present with earlier versions of these components and the supporting tools.
The goal of this paper is to accelerate use of TPM and TEE by the vendor community, especially application, operating system (OS), cloud native infrastructure, and traditional infrastructure developers and providers. CIS is interested to see this work advance for two reasons. First, it sees greater use of these hardware components as an avenue to continue to support built-in security by default and by design, in alignment with the Cybersecurity & Infrastructure Security Agency (CISA). Second, it recognizes how more widespread use of TPM and TEE can enable security management at scale over time, easing the distributed burden on organizations. These are important capabilities to shift security left, aiding the cyber under-served by reducing the ongoing security management burden for years to come.