Pushing Security From The Datacenter Out To The Edge

As readers of The Next Platform know, the edge – that area where the rapidly growing numbers of mobile, intelligent and connected devices live, running applications and generating mountains of data – is where a lot of the IT action is these days.

IT is becoming increasingly decentralized. It no longer is simply a central enterprise datacenter and a handful of branch or remote offices, where corporate applications and data live. Instead, trends like the proliferation of mobile devices, the adoption of clouds, everything-as-a-service and the Internet of Things (IoT) is reshaping the corporate IT environment. Workloads and data can now reside in the cloud or at the edge with those intelligent devices.

Those devices are generating massive amounts of data, all of which needs to be collected, stored, accessed and analyzed to get the important insights as quickly as possible to fuel business decisions, and all of this is driving the rapid development of such emerging technologies as artificial intelligence (AI), machine learning and data analytics. Moving all that data over the network to the cloud or datacenter to be analyzed is costly, putting pressure for more bandwidth and lower latency.

All of this is pushing tech vendors to get as much infrastructure – not only compute, storage and networking, but also virtualization and management software – out to the edge, so that the analytics and other work with the data can be done closer to where it’s created rather than having to transport all of it over the network. This is important for not bandwidth reasons, but also for data privacy and to ensure a real-time response to the data.

Arm, whose power-efficient chip designs have for years been the backbone of mobile devices like smartphones and tablets as well as smaller embedded systems, sees the IoT and edge world of gateways, sensors and other such intelligent systems as a natural extension of its capabilities. The company last year launched its Neoverse infrastructure platform aimed at hyperscale datacenters and edge environments, and most everything in between. Earlier this year, the company released the second version of Neoverse and has unveiled a Neoverse roadmap for two more between now and 2021.

The edge becomes important as the number of devices and the amount of data grows. Arm is expecting that by 2035, there will be more than a trillion connected devices worldwide, and that the volume of data will continue to outrun the available bandwidth.

“Consider just one use case: in the future, we anticipate 500 million HD image sensors will produce 300 exabytes of data per month,” Arm writes in a white paper being released this week at the company’s TechCon event in San Jose. “That will exceed available bandwidth to the edge network, let alone the cloud. The same trend is occurring across the board, and backhauling is not an option. The only way to deal with this deluge of data is to process it at or near the edge. Sufficient compute horsepower at the edge allows organizations to process sensor data and send only what’s critical upstream.”

The chip designer sees a key role in helping to secure the edge environment, where the growth in mobility and the rise of the IoT has increased the attack surface for cyber-criminals. In 2017, Arm introduced the Platform Security Architecture (PSA), a framework of common rules that Arm partners and other third parties could use to help build security into their IoT devices. It was created to address security concerns of the IoT edge, comprising small, fixed- and single-function devices like sensors and microcontrollers.

At TechCon, Arm is unveiling a plan to bring the PSA idea to the infrastructure edge, adapting the platform to address the security needs of systems like gateways and network routers, systems that run rich operating systems like Linux, an edge software stack and such technologies as containers.

“Even though the edge is nascent, that it is emerging, security is really important,” Rob Dimond, Arm Fellow and system architect at the company, tells The Next Platform. “Security is important in IT in general. The concerns about privacy of the data and the threats exist. If everything is being connected and the benefits are going to be realized, you have to secure all parts that have access to the data. We’re talking about processing data at the edge, so there needs to be a security story that includes the edge. This is emerging, so there’s not a clear set of solutions today. What we’re doing is we are looking to show leadership in solving those problems and using the knowledge that we have and the momentum we have developed around PSA. It’s constrained IoT at the endpoints and then translating that into the infrastructure because ultimately, the infrastructure is there to service the endpoints, whether it’s cell phones or on cameras or whatever.”

The challenge is to evolve the PSA technology that is designed for Arm’s M-Profile architectures, for microcontrollers and embedded systems, to its A-Profile architecture, for higher performance segments like the enterprise and mobile. This is a major focus of what Arm is talking about at TechCon.

“Where you have architecture-specific components – some of the specifications and the reference software – you need to essentially recreate that new architecture,” Dimond says. “The good news is actually many of the specifications and reference software already exist. Trusted Firmware-A [for Armv8-A] exists and has some good traction in the marketplace. Partners are using it because it’s a reference for the secure world’s software that’s needed in Arm A-Profile architecture. With PSA, we’re talking about extending that to cover features that we think are needed in the infrastructure. Similarly, on the specifications in the M-Profile, there’s a specification called the Firmware Framework, which basically says how you isolate your security services from the rest of your applications. If the application gets hacked, then how do you protect all of the important assets that your secure services are using? And there’s already a specification called SPCI [Secure Partition Client Interface] in the A-Profile space, which already solves that problem. In many cases there’s already something that exists that we’re adapting and that thing already has some traction in other areas.”


The PSA has a number of components, including an API, reference software – which Arm has open-sourced – and a certification scheme, all designed to give companies making microcontrollers using Armv7-M and Armv8-M CPUs a common platform for ensuring security.

Arm will make various adaptations to PSA for the infrastructure edge. New threat models and security analysis (TMSA) documents will be needed, the existing Trusted Base System Architecture (TBSA) will be modified and Firmware Framework-A – which had been named SPCI – which will be available soon. The Server Base Security Guide (SBSG), which outlines requirements for infrastructure, is available now, and Arm is working with container vendor Docker to create ParSec, a security microservice. The design will be open-sourced, Dimond says. Arm is unsure whether a certification scheme is needed for the infrastructure edge.

“PSA contains components – such as threat models, APIs and a certification scheme – that are generic and independent of the Arm architecture,” the company writes in the white paper. “As we extend the generic components to comprehend the requirements of the Infrastructure edge, we are creating new specifications that describe ways to meet these requirements using tools in the Arm architecture. These Arm-specific specifications include the Server Base Security Guide (SBSG) and core PSA specifications for the Arm A-Profile architecture. The core PSA specifications describe a way to build the RoT [root of trust] and services based on the Arm architecture. We expect these core specifications [including Firmware Framework and TBSA] to be common across all markets that use the A-Profile architecture and to be developed from both the current PSA for M-Profile and Client (handset) architectures.”

Sign up to our Newsletter

Featuring highlights, analysis, and stories from the week directly from us to your inbox with nothing in between.
Subscribe now

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.