From Silicon To Software

 

Robust Security for Cloud-Based Chip Design and Verification

By Wagner Nascimento, VP and Chief Information Security Officer, and Venkata Ravella, IT Group Director, Synopsys

While an array of industries began migrating their functions and processes to the cloud years ago, the electronic design community has taken a more guarded approach. It’s no wonder, given the valuable intellectual property at stake. However, it hasn’t taken long for the chip industry to recognize that the benefits of cloud-based design flows, particularly when bolstered by robust security, are too attractive to pass up.

Semiconductor design has long been driven by exacting quality requirements and aggressive time-to-market targets, with burgeoning costs infringing upon the bottom line. What’s more, emerging applications in compute-intensive areas such as artificial intelligence (AI) and high-performance computing (HPC) continue to place enormous pressure on chip designs. And the push continues for reduced cycle times for chip design and verification.

Cloud-optimized electronic design automation (EDA) solutions alleviate these challenges, while providing an avenue for continued innovation even as Moore’s law slows. The key advantages?

  • Faster time to results, as the cloud opens vastly more compute resources to accelerate design and verification processes, compared to running EDA solutions on an on-premises data center. Engineers also benefit from the flexibility to quickly scale their resources up or down based on a project’s needs.
  • Enhanced quality of results, as the virtually unlimited compute resources of the cloud mean that engineers can pursue the massive simulation, timing signoff, and physical verification tasks that would severely strain on-premises compute resources.
  • Better cost of results, as the cloud delivers access to the latest compute and storage resources when they are needed, with flexible pay-as-you-go pricing models.

As attractive as these advantages are, cloud-based chip design and verification cannot thrive without the highest levels of security. In this blog post, we’ll take a closer look at how EDA vendors are building trust in their cloud-optimized solutions via modern cloud security and cloud-native processes and technologies.

A Shift Left on Cloud Security

Above all, chip designers want to be sure that their designs and their IP are safe in the environment in which they’re working. It’s imperative that as we transition chip design and verification flows into cloud environments, we also embed security in all aspects of the software development lifecycle, infrastructure, and platforms.

Typically, cloud providers operate under a shared responsibility model. Security of the cloud, such as the data centers, is the provider’s responsibility; as such, it’s in their best interest to build in security from the ground up in their infrastructures and applications.

Cloud service providers are responsible for the security of the underlying cloud infrastructure, such as physical security of the environment, security of the hypervisor for the compute, network security of the multi-tenant software-defined network environment, and security of the provided applications/services used for management of certain operations. Cloud customers are responsible for securing workloads such as infrastructure setup, network security within the environment, ingress/egress control, and application security.

If you’re considering best practices, much of this comes down to a shift left: putting security at the inception phase of a project and integrating security into all aspects of the environment. When building the cloud infrastructure, for instance, the architects should have answers to several key questions:

  • How will we segment the environment?
  • How will we monitor and manage access?
  • How will we ensure compliance with the requirements put into place?
  • How will we protect data when it is in cache, in storage, and in transit?

At the application level, it’s essential to scan the code for security vulnerabilities throughout the software development lifecycle. Access to the applications should be controlled as well as secured via techniques such as multi-factor authentication. Establishing different levels of data classification, along with associated access permissions, may be appropriate. Cloud workload protection should be applied to virtual machines and containers, with monitoring for critical vulnerabilities.

Cloud Security By Design

Synopsys offers our expansive portfolio of design and verification solutions in the cloud, backed by our commitment toward security. The silicon design solutions are production proven on major public cloud platforms and also endorsed by major semiconductor foundries to work with their libraries and process design kits. The verification solutions can accelerate software bring-up and system validation.

Our cloud security pillars provide an end-to-end approach for our cloud-optimized EDA and IP solutions as well as for customers who are migrating their own software or applications to the cloud. The pillars address these key areas:

  • Identity and access management via multi-factor authentication enforcement and role-based access control and permissions
  • Data, which involves encryption of all sensitive information in transit and at rest, and the use of secrets and certificates
  • Infrastructure, which includes monitoring cloud environments for security threats and misconfigurations; protecting virtual machines and containers in the public cloud and throughout the software lifecycle; providing vulnerability scanning on virtual machines and containers; and reducing the attack surface through restrictions on network traffic and other access controls
  • Applications, which includes secure continuous integration (CI)/continuous delivery (CD) DevSecOps to develop and implement security controls into the cloud service delivery pipeline, application code scanning for vulnerabilities using static application security testing (SAST) and dynamic application security testing (DAST), open-source vulnerability scanning, and penetration testing
  • Threat and vulnerability management, which involves the scanning of assets and insights into a vulnerability management and patching program
  • Incident response, which provides secure logging and monitoring, threat intelligence services, documented and tested runbooks, and resources for escalations; logging and monitoring involve cloud activity logging, sign-in and audit logging, and correlation with log sources for improved situational awareness
  • Compliance and governance, which involves assurance on industry certification and validation, as well as attestation to the effectiveness of controls

Synopsys as Security Differentiator

Our innovative tools offer advanced protection against vulnerabilities. And we’re uniquely positioned to provide these products built with security in mind from the start because we use the entire suite of Synopsys security tools and services.

Given Synopsys’ investments in security solutions, including offerings like our Black Duck® and Coverity® technologies, we have the expertise in-house to understand where data breaches occur, to assess source code and application weaknesses and vulnerabilities, and to mitigate security issues. We also work closely with cloud providers to ensure that our mutual customers feel confident running their designs on our cloud-based tools.


A New Avenue for Semiconductor Innovation

When it comes to cloud adoption, the finance industry offers some parallels to the electronic design industry. Given the sensitivity of financial data, it’s no wonder that this sector also was slow to migrate to the cloud. But once big banks began doing so, others in the industry followed. The semiconductor design industry looks to follow a similar trajectory as more and more designers experience the benefits of designing and verifying chips in the cloud.

Cloud-based chip design and verification bring flexibility in compute resources for better results and faster turnaround time. With chips growing in complexity and size, particularly for demanding applications like AI and HPC, the cloud provides a welcome and secure avenue for greater productivity and innovation.
