Security

Key Requirements

• ✓SOC 1 or SOC 2 Type II compliance
• ✓ISO 27001 certification
• ✓GDPR, PCI, HIPAA, FedRAMP compliance
• ✓Ability to sell to secure government customers globally
• ✓Penetration testing conducted (provider, scope, and coverage documented)
• ✓SOC 2 & pentesting specifically cover InfiniBand/RoCEv2 fabric
• ✓Security firms with expertise in high-speed IB/ETH networking
• ✓VLAN isolation between tenants for RoCE
• ✓PKeys set for InfiniBand tenants
• ✓InfiniBand Security Keys Management (SMKey, SAKey, CKey, VSKey)
• ✓AM Key configuration (if SHARP is available)
• ✓InfiniBand CSPs enable the UFM "Secured Bare Metal Cloud" profile, providing a comprehensive set of security features required for secure multi-tenant cloud environments
  • •Full MAD key protection with randomized seeds: MKEY, VSKEY, PMKEY, CCKEY, Class C key (N2N), AM and job keys, SMKEY, and SAKEY
  • •GUID-based access control using the allowed_guid_list feature
  • •Service-level authentication via service_key (e.g., for AM services)
  • •Enhanced SA trust model applied to all commands
  • •MAD rate limiting (MAD Limiter) to protect against abuse and congestion
  • •DoS/DDoS protection: automatically identifies and limits excessive packet rates from individual nodes to protect the management node
  • •Source-based rate limiting: monitors and controls traffic based on the source LID address of each node
• ✓SR-IOV with QP0 & MAD disabled when passing Virtual Function pointer into VM
• ✓vCluster or similar isolation beyond container-based onlyKubernetes
• ✓Protection against container escalation vulnerabilities
• ✓Updated NVIDIA Container Toolkit preventing CVE-2024-0132 and related vulnerabilities
• ✓Protection against CVE-2025-23359, CVE-2025-23266
• ✓Part of NVIDIA security program for embargoed access to latest security patches
• ✓Automated rollout of new NVIDIA Container Toolkit versions upon CVE discovery
• ✓Process in place for future security improvements