A High-Tech Fortress

Sep 1, 2003 12:00 PM, By PETER CASSIDY



Ten years ago, Synopsys Inc. decided it needed a secure means of working out conflicts in its chip-design software. The company wanted to protect its intellectual property (IP) — and that of its customers. A central asset in the world of semiconductor design, IP is often the backbone of a company's proprietary secrets and its most valued ideas and data.

To protect intellectual property during product development, Synopsys decided to erect its own miniature industrial “Camp David” right on its Mountain View, Calif., campus. The facility would provide a neutral venue for IP-rich discussions, and customers could be assured no IP would be kept or recorded by Synopsys or third parties.

According to director of quality and interoperability Karen Bartleson, customers were previously faced with the hard choice of working around a problem or exposing their IP to Synopsys — some of it involving trade secrets not yet protected by patents.

“We had to come up with a way to deal with customers, protect them, solve their problems and secure their intellectual property,” says Bartleson.

To ensure Synopsys and its customers could work together while keeping control of their IP, Synopsys created a Secure User Research Facility (SURF), a set of technically isolated office spaces. There are 16 different SURF offices, each one completely isolated and off the network, with its own printers and computers and locking doors secured by smart cards and keypads that are controlled by the visiting customers' and business partners' pass codes.

The facility enables customers' engineers to arrive with their software and mount it on the isolated computers and work with Synopsys engineers, secure in the knowledge that their software will be wiped off the non-networked computers when they leave.

The SURF solution demonstrates the enduring relationship between physical security and information security. By creating a solution constructed of off-the-shelf technologies and security protocols, Synopsys was able to satisfy its customers that a critical security issue had been resolved.

The SURF is a secured, 24-hour accessible location for electronic design automation (EDA), tool interoperability development and testing with selected Synopsys products and design flows. The SURF is generally available to EDA vendors to address customer interoperability issues with on-site application engineering and system administration support. SURF can be used by two types of companies:

  • Non-EDA companies that have purchased Synopsys products: i.e., commercial customers (designers); and
  • Qualified EDA companies looking to validate tool interoperability.

The EDA vendors applying to SURF must adhere to all security requirements. The following criteria must be met:

  • There is a clear customer demand for the flow(s);
  • Synopsys IP protection is guaranteed; and
  • Access is approved by Synopsys product teams and the legal department.

To access the SURF, a company representative completes an Access Agreement application, a Usage Agreement, and a Non-Disclosure Agreement (NDA), and submits them to the SURF program manager.

The Usage Agreement restricts use to what is specified in exhibit “A”. An “audit” capability in the agreement is defined to enforce the restriction while simultaneously protecting any intellectual property brought into the SURF area.

The application is then reviewed by the SURF program manager who validates the proposed tool interoperability test plan, and secures authorization from Synopsys' legal department and the involved product marketing teams.

On a day-to-day basis, the SURF offices are administered by the Synopsys security department. Once the SURF office is assigned to a customer/EDA vendor, that customer is in charge of authorizing access to his SURF office/lab via coordination with the Synopsys security department. The Access Agreement commits the Lab User to the “rules” of the SURF area.

It also records who is allowed to gain entry to the private office. In the case of multiple users, each person must be listed on the Access Agreement to gain entry.

The entry and usage protocols of SURF are straightforward, allowing for ease of use and administration. Based on the user's need (hardware, platform, memory, disk space, etc.), the Strategic Market Development team SURF coordinator assigns an office/lab to the qualified EDA vendor.

To maintain physical access control to the SURF facility, the Synopsys security department provides photo smart cards protected by pass codes for each individual user. A Synopsys security officer programs the keypad with a unique seven-digit numeric code for each SURF user, and the seven-digit code is provided to the user in a sealed envelope.

Designated movement around the Synopsys campus is strictly enforced. SURF users' smart cards are bright orange, indicating access only to the SURF facility. All other areas are off limits to SURF users.

Users come and go through the outside entrance for the duration of their lab use. During business hours (Monday - Friday, 8 a.m. to 5 p.m.) lab users can also come through the lobby of Building A to get into the lab. There is no need to check back in each time entry is desired.

To eliminate any chance of unauthorized access, each time a company is assigned to a SURF lab office a security officer resets the codes and assigns new unique seven-digit codes to the SURF lab user(s). The SURF area is monitored by security cameras and guards.

The SURF badges and access codes to the private offices are reset at the end of a designated period. This occurs automatically, so extensions to scheduled time must be prepared and executed with enough advance notice to prevent code expiration, and are subject to open and available lab time.

The bottom line: Once the SURF private room is assigned to a company, that company owns the room. If the company brings a customer or a Synopsys employee to its private room, the guest must be escorted, and if necessary, must have completed the appropriate non-disclosure agreements.

Electronically speaking, the security of SURF users' data is ensured through isolation and a self-service data scrubbing protocol built into the system. It can only really be neutralized through fairly extreme neglect. SURF offices are not on any network. Users can't get e-mail at a SURF facility — it is completely offline.

Each time a SURF coordinator assigns a new company to the SURF private room, he or she re-images the Sun Solaris machine with default images, installs necessary Synopsys software and keys, and creates a new user name and home directory. SURF users load whatever software tools they have brought with them for interoperability testing onto the lab equipment.

When a user is through with his project at the campus, Synopsys security strongly recommends that the IP be deleted from the hard disks before the room is handed over. In addition, the SURF lab coordinator deletes the user name and directory, and reformats the hard disk before assigning the room to another company.

Although it has been very successful for resolving user operability issues, Bartleson says, it has also become a venue for important interoperability summits between Synopsys and its competitors.

As the industry matured, Bartleson says, interoperability became a bigger issue for customers using a number of software products to manage and inform their designs. With SURF, Synopsys and its competitors had the use of a venue to respond safely to customer demand that their software work together.

© 2008 Penton Media Inc.
