Digging Deeper On HPE’s Latest Security Announcements

Image: HPE Trusted Supply Chain. (Credit: HPE)

October kicks off National Cyber Security Month. In what seems to be an annual event, HPE made some security-related announcements that set the company up uniquely in the IT solutions provider market. What are those announcements, and what do they mean for IT organizations? I’ll unpack all of this and give my perspective in the next few paragraphs. 

Setting the table 

Cybersecurity is always a hot topic. However, it took on new importance in the wake of some very high-profile attacks over the past 10+ years. Target, Sony, FedEx, Maersk, The US Government, The Singaporean Government, Experian and Yahoo! are just a few organizations across the globe that have made headlines for large scale cyber-attacks. These incidents crippled productivity, captured personal data, and in many cases, tarnished brands and reputations.

In recent years, companies like HPE, Dell Technologies, Lenovo and others have introduced mechanisms that enable security on a deeper level. Likewise, CPU vendors like AMD introduced low-level security technologies that securely boot servers and encrypt data.  

HPE, in particular, has been very aggressive in its efforts to secure infrastructure throughout the product’s lifecycle. In the IT market, most departments are familiar with HPE’s silicon root of trust and other protections through its Integrated Lights-Out (iLO) products. However, the company puts an equal amount of emphasis on server integrity before even building the servers.

HPE, like other server manufacturers, has a global team that ensures the materials and components that make up its server portfolio are free of tampering and from the most trusted sources (see my previous coverage here). This focus on ensuring the integrity of server platforms during manufacturing gives peace of mind to customers with higher security and quality demands.

However, recent geopolitical issues coupled with the Covid-19 pandemic have put further demands on government organizations or those companies in heavily regulated industries. In addition to ensuring they’ve secured their supply chain and lifecycle management, more and more companies want to know a trusted entity built their datacenter infrastructure in a trusted environment.

The announcement

HPE’s announcement is part process and part product. 

From a process perspective, HPE announced that it is manufacturing servers in the United States, with a “Country of Origin, USA” designation. HPE’s secure manufacturing facility is staffed by employees that have gone through a stringent background and security screening process. This process, combined with the scrutiny the HPE team puts on its supply chain vetting process, ensures the company can deliver platforms that meet the ever-increasing security demands of customers such as the US Government or those in regulated industries. 

From a product perspective, the company announced the immediate availability of the server built in its secure US facility – the HPE ProLiant DL380T Gen 10 Server (note the “T” designation). 

It’s important to note that who manufactured the DL380T (and where) are not the only things that differentiate it from the traditional ProLiant DL380 server. The DL380T also includes the following product differentiation: 

  • Shipping in high-security mode with UEFI secure boot, which further hardens the DL380’s security profile in conjunction with silicon root of trust
  • Activation of server configuration lock, which prevents any intrusion or tampering of the DL380 when in transit to the customer
  • Inclusion and activation of server intrusion detection latch
  • The ability for customers to choose delivery service – standard, express or white glove

Combined with the already robust security and resilience capabilities built into the DL380 via silicon root of trust and iLO 5, HPE looks to be executing its vision of driving cradle-to-grave security of its servers and the data generated on those servers. 

I had a chance to speak with HPE’s John Grosso, Vice President of Global Operations Engineering, Global Supply Chain, recently to ask a few questions IT practitioners would ask. Here are some of those questions and answers. 

Why did HPE make this big “Country of Origin” investment? According to Grosso, this stems from the requirements that many of HPE’s customers have been requesting. Specifically, government entities, companies that deal with the government, and other security-conscious companies such as financial services and health care.

Why is HPE only offering the ProLiant DL380T, and what about other servers? HPE led with the DL380 because of its popularity both in the market and with the customers who are most interested in the additional security capabilities built into the DL380T. The company is being careful in achieving ramp with this SKU before expanding availability. Other servers will be rolling off the manufacturing line over the next year or so, including:

  • ProLiant DL360 Gen10
  • Apollo 2000 Gen10
  • DL385 Gen10 Plus
  • Synergy SY480 Gen10
  • Edgeline EL8000

It’s important to note that while the DL380T has additional security capabilities, customers can deploy it alongside existing ProLiant servers and manage it from the same HPE tools they’re accustomed to using.

What is the cost of the “T” server? While HPE did not divulge exact pricing, expect to see a 10%-15% markup on the DL380T (relative to a comparable DL380 configuration). Considering the investment HPE is making into its trusted supply chain program, this increase seems negligible. It’s undoubtedly acceptable to the organizations that put a premium on both the “Country of Origin” designation and the additional security hardening.

What about other companies in other countries and other regions? There are two responses. First, the DL380T is available to any company. So, companies with a presence in different countries and regions can purchase the DL380T. Second, according to Grosso, HPE is hearing customer interest to stand up similar facilities in other countries and regions. While he did not explicitly state that the company will model this program across the globe, I would expect to see this over time. 

Is the DL380T available through GreenLake? Per Grosso, HPE intends to make the DL380T available through the company’s consumption-based GreenLake offering. 

To hear the full interview with Grosso, listen to my podcast with MI&S colleague, Steve McDowell, here.

What this all means

In today’s geopolitical climate, cybersecurity has never been more top of mind. There can be no argument about this statement. However, securing infrastructure takes on different importance to organizations depending on several factors – company size, industry, and the like. While the ProLiant DL380T will benefit any company, its Country of Origin designation (and what it carries) should be especially attractive to organizations in specific industries, including US government entities, financial services, and those in critical infrastructures such as power, water treatment, and aviation. 

My take

Generally speaking, the IT infrastructure market has done a good job of driving more granular levels of security in the products that populate enterprise datacenters. At the silicon level, both AMD and Intel have built unique capabilities to ensure secure boot and the encryption that protects instructions and data. Likewise, each OEM is developing security mechanisms for the server market that integrate with the CPU and surface through management consoles. 

HPE has emphasized its security capabilities, going back to the release of its silicon root of trust in its Gen10 platform. The company has continued to build on this theme over time by introducing products like Server System Restore and integrating security across its product portfolios. The country of origin designation and availability of the “T” series ProLiant server is another example of HPE’s strategy of delivering everything as a service, securely.

I can see the immediate appeal of the DL380T to current HPE customers. I can also imagine an immediate demand for these products from those customers in specific segments. I’m curious how broad the “T” designation’s appeal will be as more server SKUs become available. Will companies beyond those initial target industries begin to adopt it for the peace of mind factor? As an ex-IT executive, a 10-15% premium would be well worth it to me.

I wonder if this marks the beginning of a manufacturing shift across the globe, to localized facilities. “Buying local” (in the global sense) is not just good for security; it’s good for the economy. The premium seems like a small price to pay to achieve both of these aims.