
Microchip – Building, Powering and Securing Data Centers (Part 3: Securing)

Welcome to the final installment in our series on building, powering and securing data centers. In Part 1: Building Data Centers, we explored the semiconductor ecosystem (compute, connectivity, storage and power solutions) for building today’s most demanding data center infrastructure. In Part 2: Powering Data Centers, we examined the critical need for highly efficient, scalable and reliable powering solutions that meet the escalating energy demands of Artificial Intelligence (AI) workloads.

This edition addresses an equally consequential challenge: a security threat landscape that is evolving faster than many organizations can respond. Cyberattacks have shifted from the application layer and operating system down to hardware and even firmware, and Microsoft estimates more than 80% of all businesses have experienced breach-related costs averaging $4.88 million each. The emergence of quantum computing adds a new dimension of urgency: the cryptographic algorithms that protect today’s data center communications could become vulnerable, making post-quantum readiness a critical consideration for infrastructure being deployed now.

Microchip Technology Data Center Security
Credit: Microchip

The Industry Response

Cybersecurity requires relentless attention, ongoing investment and coordination with other companies in the data center business so that this critical infrastructure can be built from a mixture of equipment from different vendors.

The Open Compute Project (OCP) Foundation is a big driver for these efforts as the leading forum for open systems in data centers and other compute environments. Arguing that security cannot be adequately implemented in software alone, it proposed a Hardware Secure Boot framework where every subsystem is equipped with immutable firmware that serves as the basis for verifying, validating and authorizing each piece of equipment before the server even boots. The Platform Firmware Resiliency Guidelines (SP 800-193) published by the National Institute of Standards and Technology (NIST) formalized this proposal in 2018.

National Institute of Standards and Technology (NIST)
Credit: Microchip

While asymmetric cryptographic algorithms like Rivest-Shamir-Adleman (RSA) and Elliptic-Curve Cryptography (ECC) currently protect everything from online banking to government secrets, they could be broken in hours by a future, sufficiently powerful quantum computer. The National Security Agency (NSA) has addressed this with its Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) specifications for a new class of Post-Quantum Cryptography (PQC) algorithms and larger key sizes for symmetric key cryptography such as Advanced Encryption Standard (AES) and Secure Hash Algorithm (SHA). Hardware-based PQC offers advantages ranging from performance optimization and energy efficiency to tamper resistance, secure key storage, a reduced attack surface and the superior consistency and reliability that help mitigate timing-based side-channel attacks.

These standards and best practices are shaping security requirements across every element of the data center, but solutions are still not all created equal. Following are examples of how standards-compliant security is being tailored to the needs of the application in interconnect, storage and power use cases.

Secure Interconnect: Built-in PCIe Switch Protection

PCIe switches are a critical connection point between various endpoints as well as Central Processing Units (CPUs), Graphics Processing Units (GPUs), AI accelerators and storage, making them a natural place to embed security at the hardware level. These switches are also taking on many new tasks that have different needs, including security.

Consider the differences in security capabilities that have been embedded into our PCI100x series Switchtec™ PCIe® Gen 4.0 16-Lane switch and our Switchtec PCIe Gen 6 product. While Gen 6.0 addresses cutting-edge infrastructure needs, PCIe Gen 4.0 continues to expand its footprint across an increasingly diverse range of computing domains. Each operates in its own threat environment.

For instance, PCI100x Gen 4.0 16-lane packet switches are designed to enable seamless data flow across up to six endpoints, combining ultra-low latency and high-bandwidth with robust security for high-speed applications such as AI at the edge, GPU accelerators and SSD enclosures. They enable multi-host support through Non-Transparent Bridging (NTB) to allow secure domain isolation for redundant or safety-critical architectures. Independent systems can share PCIe infrastructure without sacrificing performance or reliability, a critical advantage for system-on-module (SOM) customers and industrial users. Each switch is equipped with an embedded processor that enables hardware-based secure boot, safeguarding systems against tampering and unauthorized code deployment and confirming that only trusted firmware is executed.

Meanwhile, the new generation of Gen 6 PCIe switches brings faster data movement, lower latency and a bigger data pipeline to keep even the most powerful AI accelerators consistently supplied. Microchip’s industry-first 3 nm Switchtec Gen 6 PCIe switches for these applications add a hardware root of trust and secure boot that utilizes CNSA-2.0-compliant post-quantum safe cryptography. Building this directly into the switch hardware helps data center architects deploy infrastructure that is designed to remain secure in the post-quantum era and can scale to the potential of next-generation AI and cloud capabilities.

Microchip Technology Switchtec™ PCIe® Gen 6 Switch
Credit: Microchip

Secure Storage: Protecting Data

Fast storage access is vital for high-performance AI workloads, but the security of the data is equally critical. Microchip’s Adaptec® SmartRAID 4300 NVMe® RAID storage accelerators are designed with multiple end-to-end data-integrity safeguards, including hardware root of trust, secure boot, secure firmware update and attestation. Additionally, Self-Encrypting Drive (SED) support provides an enterprise-class solution for protecting data at rest, and the accelerator’s Security Protocol and Data Model (SPDM) support enables verification of device identity and integrity.

SmartRAID 4300 series accelerators are also supported by Microchip’s Trust Platform Design Suite (TPDS) for onboarding security-related solutions. The experience includes security concept training, education, prototyping and accessing Microchip’s provisioning system through a secure sub-system configurator and exchange process. The same experience applies to onboarding security-related power solutions as described below.

Microchip Technology Trust Platform Design Suite
Credit: Microchip

Secure Power Supplies: Protecting Against Spoofing, Other Threats

The OCP recommends adoption of its Modular Hardware Common Redundant Power Supply (M-CRPS) specification to protect this equipment against spoofing and tampering attacks. This requires firmware attestation and device authentication mechanisms using cryptographic algorithms such as asymmetric public/private key pairs and hashes.

Microchip has addressed this with its OCP Power Supply Solution Demonstration, which implements the same Security Protocol and Data Model (SPDM) specification referenced in the secure storage example above. SPDM is executed over PMBus between the power supply and the Baseboard Management Controller (BMC). The SPDM protocol enables the BMC to perform firmware attestation and device authentication on the power supply, and can be extended to support secure remote monitoring and secure firmware upgrades. The reference design uses a dsPIC33C DSC coupled with the TA100 Security IC to create a secure solution with digital power capabilities that satisfies the security requirements of an OCP-compliant power supply.

To simplify the implementation journey, Microchip’s TPDS guides customers through configuring security use cases, from secure boot and firmware update to attestation and key management. Microchip’s certified secure provisioning facilities then produce devices at scale, each with custom sets of keys.

Looking Back on the Series

Over this three-part series, we’ve explored what it takes to build, power and secure data centers for the AI era. A variety of technologies work together to meet the demands for seamless connectivity, maximum performance, power efficiency and robust protection. As post-quantum cryptography moves from a forward-looking consideration to a modern deployment imperative, the security built into today’s solutions will define the resilience of data center infrastructure for years to come.

Learn more about the hardware, software and tools that support the latest data standards on our Data Center Solutions page, and explore our Data Center Security page and Security Product Portfolio for more.

Microchip Technology Data Center Solutions
Credit: Microchip
