A Principled Technologies report: Hands-on testing. Real-world results.
Enable security features with no impact to OLTP performance with Dell PowerEdge R7625 servers powered by 4th Gen AMD EPYC 9274F processors
Get comparable online transaction processing (OLTP) performance with or without enabling AMD Secure Memory Encryption and AMD Secure Encrypted Virtualization - Encrypted State
Security is a critical concern for any business with sensitive data to protect—which is pretty much every business. And, the larger the business and more sensitive the data, the greater the importance. Each security breach carries a tremendous cost in time, reputation, and dollars, with the average cost of a data breach in the US amounting to over $9.4M in 2023.1 Hardware-level security is a key piece of the puzzle for those securing data centers, but IT teams may worry that enhancing CPU security will diminish CPU performance. That doesn’t have to be the case.
To look at how well security and performance can coexist, we assessed the impact of two security features—AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization-Encrypted State (SEV-ES)—on the online transaction processing (OLTP) performance of an AMD EPYC® 9274F processor-powered Dell™ PowerEdge™ R7625 server. We ran an industry-standard database benchmark twice, first with the security features enabled and then with the features disabled. We found that enabling AMD SME and AMD SEV-ES did not negatively impact OLTP performance, resulting in a less than one percent difference in orders per minute—well within acceptable variance. Our results show that with this Dell and AMD solution, you can boost security without reducing the performance of your OLTP database workloads.
Average number of orders per minute the environment processed during the DVD Store 3 benchmark workload, using settings of 16 threads and 100ms think time. Higher is better. The configuration with AMD SEV-ES and SME enabled supported 63,069 orders per minute. The configuration with AMD SEV ES and SME disabled supported 62,577 orders per minute
What we found
The more sensitive the data your organization handles, the more vital security becomes. Because strong performance is also critical, some IT teams may worry that enabling optional security features will cause a hit to performance. We investigated this concern by assessing an AMD EPYC 9274F processor-powered Dell PowerEdge R7625 server’s OLTP performance with and without AMD SME and SEV-ES enabled.
For our test workload, we used DVD Store 3, an industry-standard online transactional database benchmark that simulates the activities of an online store. We compared how many orders per minute (OPM), on average, the PowerEdge R7625 server could process with and without the AMD processor-level security features enabled. (For a detailed methodology and hardware and software disclosures, see the science behind the report.)
When we ran the workload with the AMD SME and SEV-ES features enabled, the server’s OLTP performance was actually very slightly higher than it was with the features disabled. The servers with the added encryption processed 63,069 OPM on average, while those without the extra security processed an average of 62,577 OPM—a less than one percent difference in OPM and well within acceptable variance. Average CPU utilization hovered around 75 percent in both cases, a level of utilization that we believe is in line with the upper range of typical OLTP usage in the real world.
Center: Average number of orders per minute (OPM) the environment processed during the DVD Store 3 benchmark workload, using settings of 16 threads and 100ms think time. Higher is better. Right: Average CPU utilization of the environment during the DVD Store 3 workload. Our virtualized environment consisted of a Dell PowerEdge R7625 server powered by AMD EPYC 9274F processors. The server ran Red Hat Enterprise Linux 8. Source: Principled Technologies.
About AMD EPYC 9274F processors
4th Gen AMD EPYC 9274F processors, part of the AMD EPYC 9004 series with AMD Infinity Architecture, offer 24 cores, 48 threads, and 256MB L3 cache.2 The F in the processor name means that it’s a high-frequency processor. They support AMD Infinity Guard, which can “help minimize potential attack surfaces as software is booted, executed, and processes your critical data,” and, according to AMD, are ideal for high-performance and VDI workloads, among others.3
With no impact to performance, AMD SME and AMD SEV-ES can add an extra layer of security for data in memory, even in cases when the VM fails or experiences an interruption. This is particularly critical if your data center hosts data from multiple groups or organizations, each with its own sensitive data that must remain confidential from the others. In conjunction with standard security measures such as role-based access control and two-step verification, enabling these two AMD features can help prevent bad actors from accessing sensitive data.
About the Dell PowerEdge R7625 server
The Dell PowerEdge R7625, powered by 4th Generation AMD EPYC processors, is “designed to be the backbone of your data center,” per Dell.4 This 2U server incorporates PCIe Gen5, optional GPUs, and more memory than previous generations; it also comes in air or liquid-cooled configurations. In a recent Principled Technologies study, which you can view at https://infohub.delltechnologies.com/en-us/p/the-case-for-upgrading-your-servers-to-dell-poweredge-r7625-servers-powered-by-4th-gen-amd-epyc-processors-2/, we saw the PowerEdge R7625 deliver significantly higher throughput on Bayes and k-means workloads compared to an older PowerEdge R7525 server.
There were 72 percent more data breaches in 2023 than in 2021, representing a surge in cyberattacks.5 Savvy organizations must prioritize security at all levels, including hardware. Both AMD and Dell offer a host of hardware-level security features, including AMD Platform Secure Boot, AMD Platform Secure Processor, and UEFI Secure Boot through iDRAC, among other features.6AMD SME and SEV-ES add a layer of protection for data in use, taking a confidential computing approach.
Confidential computing
The National Institute of Standards and Technology (NIST) defines confidential computing as a set of “hardware-enabled features that isolate and process encrypted data in memory so that the data is at less risk of exposure and compromise from concurrent workloads or the underlying system and platform.”7 These aspects of confidential computing aim to provide an additional layer on top of encryption or other security measures to protect data in transit or data in storage, so other applications or actors on the same system cannot compromise it.
AMD incorporates several confidential computing features into their processors, including AMD Secure Memory Encryption, which offers in-memory data encryption, and AMD Secure Encrypted Virtualization-Encrypted State, which encrypts each virtual machine (VM) separately and prevents neighboring VMs or hypervisors from accessing the data on that VM. In the following pages, we examine how these two features work and how your organization can benefit from enabling them on your Dell PowerEdge servers.
AMD Secure Memory Encryption (SME)
AMD SME protects data in memory, meaning that it shields sensitive data while the server is using that data.
Every time you boot up an SME-enabled system, such as the Dell PowerEdge R7625 we tested, an encryption engine on the AMD processor randomly generates an encryption key. Applications running on the CPU cores cannot “see” these keys, adding an extra layer of security. The system then encrypts all the data present in memory, while the processor’s memory controller uses the encryption key to securely access the information. SME offers two encryption models: full memory encryption and partial memory encryption.
Full memory encryption, as you might expect from the name, encrypts all of the data in memory using the random encryption key we discussed above. According to AMD, full memory encryption is ideal “when physical attacks on the system are of concern, including government data centers and/or smaller or remote enterprise data centers that have more limited physical security.”8
Partial memory encryption allows you to encrypt just some of the memory, protecting sensitive data more comprehensively while leaving less-sensitive data unencrypted. This offers the potential to help “provide a layer of isolation for critical workloads” while removing any performance impact—even a modest one—for your non-sensitive data.9
Secure Encrypted Virtualization – Encrypted State (SEV-ES)
AMD SEV-ES is an extension of AMD Secure Encrypted Virtualization (SEV), which allows IT teams to encrypt virtual machines with unique encryption keys for each VM, thus protecting them from hypervisor corruption or threats from other VMs on the system.10 If a VM stops running for any reason, however, the system saves the data that VM was using to the hypervisor’s memory. If the hypervisor is compromised, a bad actor could access the data from that VM via the hypervisor.
The SEV-ES extension eliminates this potential attack vector by encrypting a VM’s data as soon as the VM stops running. According to Dell, “Each VM, upon creation, receives a unique key, ensuring that any unauthorized attempt to access its memory results in incomprehensible data,” and per AMD, SEV-ES “can even detect malicious modifications to a CPU register state.”11,12
Establishing a root of trust
A root of trust is a source of data that is always trustworthy because it has passed a verification check. Both of the AMD security features we looked at work by establishing a root of trust with incoming data. When a system boots up, an isolated encryption engine on the AMD processor randomly generates an encryption key that serves as the passphrase the system will use to establish root of trust. This root of trust ensures that only authorized system components can access sensitive data.
About cyber-resilient security in Dell PowerEdge servers
Dell PowerEdge servers include a range of Cyber Resilient Architecture features, anchored in a silicon-based root of trust and spanning the entire server life cycle.13 These start with a Secure Development Lifecycle that prioritizes security and incorporates security best practices. Dell also weaves security into the physical server and its components, its firmware and software, and its management tools, including iDRAC and OpenManage.14
You’ve likely already implemented many security measures for your servers, which may include physical security for the data center, hardware-level security, and software-level security. With the cost of data breaches high and still growing, however, wise IT teams will consider what additional security measures they may be able to implement.
AMD SME and SEV-ES are technologies that are already available within your AMD processor-powered 16th Generation Dell PowerEdge servers—and in our testing, we saw that they can offer extra layers of security without affecting performance. We compared the online transaction processing performance of a Dell PowerEdge R7625 server, powered by AMD EPYC 9274F processors, with and without these two security features enabled. We found that enabling AMD Secure Memory Encryption and Secure Encrypted Virtualization-Encrypted State did not impact performance at all.
If your team is assessing areas where you might be able to enhance security—without paying a large performance cost—consider enabling AME SME and AMD SEV-ES in your Dell PowerEdge servers.
Dell, “Cyber Resilient Security in Dell PowerEdge Servers.”
This project was commissioned by Dell.
May 2024
Principled Technologies is a registered trademark of Principled Technologies, Inc.
All other product names are the trademarks of their respective owners.
Principled Technologies disclaimer
Principled Technologies is a registered trademark of Principled Technologies, Inc. All other product names are the trademarks of their respective owners.
DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY: Principled Technologies, Inc. has made reasonable efforts to ensure the accuracy and validity of its testing, however, Principled Technologies, Inc. specifically disclaims any warranty, expressed or implied, relating to the test results and analysis, their accuracy, completeness or quality, including any implied warranty of fitness for any particular purpose. All persons or entities relying on the results of any testing do so at their own risk, and agree that Principled Technologies, Inc., its employees and its subcontractors shall have no liability whatsoever from any claim of loss or damage on account of any alleged error or defect in any testing procedure or result.
In no event shall Principled Technologies, Inc. be liable for indirect, special, incidental, or consequential damages in connection with its testing, even if advised of the possibility of such damages. In no event shall Principled Technologies, Inc.’s liability, including for direct damages, exceed the amounts paid in connection with Principled Technologies, Inc.’s testing. Customer’s sole and exclusive remedies are as set forth herein.
Twitter
Facebook
LinkedIn
Email
