Thomas Rosteck joined Infineon Technologies AG back in 1998. Since 2017 he has been Division President Chip Card & Security. What is less well known is that Rosteck is one of the original architects of The Silicon Trust, and as we run up to its twentieth anniversary next year, we thought it would be interesting to hear his views on a variety of security-based topics; from hardware versus software security solutions to open standard solutions, and from the Internet of Things to regulations on the security market. Here’s what he had to say.
Q: Hardware-based security in various verification and secure solutions was very prevalent in the past ten years, but now we seem to hear more about the importance of software-based solutions. Is having a hardware-based security solution still as important as it once was? Has it been succeeded by software-based security solutions?
A: Security involves more than just software or just hardware. Our experience in security of more than 30 years tells us that we need a system approach for security which involves all the necessary elements – hardware and software included. Hardware-based security provides the critical element of root of trust, which is missing in software-only security solutions. Actually, we are experiencing a greater demand for hardware-based security as a software-only approach is not enough in many applications to ensure the right level of security required in the system. With the recent security attacks – be it hacks, data breaches or identity thefts – the industries and customers are more and more aware of the aspect of hardware-based security. Additionally, the customers are aware of benefits beyond just better security: hardware-based security provides key advantages like time-to-market, scalability and even cost and logistical benefits over a software-only security solution. With this, the importance of hardware-based security is on the rise.
Q: How can both hardware and software-based security co-exist to form a successful system defence?
A: Security requires a system approach. Hardware and software go hand in hand in making a system secure. Therefore, the co-existence of these two elements of a system approach to security is necessary. However, separating critical information or secrets like keys from the main processing environment and storing and executing them in a secure trust anchor eliminates a lot of potential attack paths.
Q: The market for hardware-based security has changed over the past decade thanks to the Internet of Things. What is the role of Infineon in this new area and what products and solutions are being developed to address the security of this growing market?
A: Infineon has been in the field of securing connected devices long before it was called IoT – helping to safely authenticate, store secrets and safeguard the integrity of the devices. However, now as connectivity is also reaching devices that have not been connected before, the number of applications and customers in the field of IoT is rising. The main challenge for the manufacturer of an IoT device is that they usually have limited knowledge about security and they cannot invest in research of attacks and potential countermeasures, thereby protecting devices for 3 to 10 years or more, depending on the device type. Therefore, the customers in the area of IoT need easy-to-integrate, ready-to-implement security solutions. Here we can help, as we put the experience of 30 years in security and the research on new security concepts into our chips and provide them to our customers as the basis for their IoT solutions. With our products like OPTIGA Trust™ or OPTIGA TPM™, we offer just that: a complete, easy-to-implement security solution tailored to address the needs of specific markets of IoT.
Q: The role of standardization remains a critical element for the ID and security industry. Why is it so important to continue to pursue standardisation within the ID and security industry?
A: Standardization offers a couple of major benefits although the word “standard” may not sound very appealing as a start. Standards help critical elements of any system to be addressed well enough, so that the system delivers a minimum level of performance that is promised to a customer or end user.
Standards are especially critical now in the connected world – be it about authenticity, confidentiality or integrity of data, personal identities or systems. The other advantage of standards, which is often overlooked, is the advantage of time-to-market. Standards offer a consistent base of requirements that are to be met before a product hits the shelves. This helps a manufacturer provide the framework to play and hit market sweet spots by concentrating on other aspects of differentiation or features. Therefore, standards are and will remain important for the connected world.
Q: FIDO and CIPURSE are open standard solutions. What are Infineon’s long term plans in these specific areas and what are Infineon’s plans for pursuing open source solutions in the future?
A: At Infineon, we are committed to open standards like FIDO or CIPURSE, but also the Trusted Computing Group, as we are aware of the benefits of these in protecting the interests of fair market competition – be it about the choices that end consumers have got to choose from or the level playing ground that manufacturers compete with each other. We will continue along this path and work actively to allow for more choices for all market players and end users.
Q: New market segments (such as IoT) will require a lot of cross fertilization of information and communication between different actors in the security value chain who are offering solutions to these new segments. How important is it to have a formalized structure (such as the Silicon Trust) to help facilitate this?
A: Information is useful only when it is utilized. Information has to flow across the ecosystem in a manner that is readily usable, in a manner that is universally agreed with and understood. Organizations like Silicon Trust do just that – upholding the interest of an industry and not pushing the particular agenda of an entity or company. Therefore, the act of facilitation and constructive, agenda-oriented dialog that these organizations allow for, are so important for the new markets and the related market players.
Q: What would be the impact of regulations on the security market?
A: Regulations can be helpful and regulations can be restrictive. The fine line between these two extremes is what any regulation needs to balance. This is true for all markets and the security market is no exception here. As security is a critical topic with an impact beyond the single device which can be used as an attack path, regulations can help to set the appropriate level of security that you need for a given infrastructure. In this case, regulations also help to safeguard investments as the requirements are set. I would expect regulations in the security market to be providing a good base for protecting consumer interests. The regulations need to be compatible across countries and regions of the world, as security products are being used internationally, and therefore as interoperable as possible. Regulations therefore should help to foster security.
Q: What do you see as future developments within hardware for the ID and Security market?
A: For me it has two major aspects: First, security is a race. We always need to stay ahead of attackers and their capabilities. Therefore, a lot of research needs to be invested as the threats are increasing. Secondly, we have to deliver this level of security in an easy-to-integrate form factor to our customers who do not have security as a core competence, but can build on the delivered security components for their own solution. From my point of view, security will be an important differentiation factor for all connected devices in the future – at least a negative one if you have not done it right!