Firmware enables the world around us – from retail to medical and military technology, energy, transportation and aviation, and more. Phones, tablets, computers and smart home tech devices include firmware. But firmware is often overlooked as a security threat. Firmware is vulnerable to attack by hackers and is considered a “single point of failure” for technology systems. According to the March 2021 Security Signals report from Microsoft, more than 80 percent of enterprises experienced a firmware attack within the past two years. How do we prioritize security?

That’s where zero trust comes in.

What is zero trust?

Zero trust is a mitigation measure based on the simple premise of “never trust, always verify,” meaning all users must be authenticated, authorized, and continuously validated for security configuration before being granted or keeping access to applications and data.
Traditionally, everyone and everything inside a network had access to that network. This is called implicit trust. Today, data is coming from everywhere—networks can be local, in the cloud, or both. With zero trust, conventions are established within networks to limit trust and lock down certain communications between different applications and their associated ports. Data protection is enhanced by safeguarding the network at all points –communication is allowed only between specific applications, and access is provided only when and where it’s needed.

Zero Trust strategy requires firmware security

Implementing a zero trust security framework is essential for protecting an organization’s infrastructure and business critical data. But without secure firmware running on infrastructure, a zero trust security strategy may not meet its objective.

A new report issued by the U.S. Department of Homeland Security (DHS) and Department of Commerce showed that firmware is a priority target for hackers and a single point of failure in devices. On average, firmware typically receives one update over its lifetime, which is rarely enough to keep up with rapid changes in the industry. Fundamentals of firmware security requires six basic principles:

1.  Secure system designs and firmware upgrade capabilities in data centers result in enhanced security from system inception to vulnerabilities.
2.  Secure coding requires massive experience in firmware development and deployment through the compute supply chain.
3. Closely connected security threat ecosystem that includes collaborative research and vulnerabilities sharing.
4. Need for a test infrastructure with automatic and continuous vulnerability testing
5. Ability to closely monitor open-source and accountability for repairing and disclosing security vulnerabilities.
6. Disciplined approach to communicating vulnerabilities and remediation

With more than 30 years of experience, trusted firmware solutions, like the Tektagon family of products, and a sophisticated testing environment, AMI is uniquely positioned to secure firmware for clients across cloud services, telecommunications, the automotive industry, business, edge computing and beyond.

To learn more about firmware security, contact us at ami.com/contact-us.