Over the past few months, I’ve written several different columns focused on the changing landscape of datacenter cybersecurity. First, I wrote about the changing nature of these threats—what new trends have been emerging, and what we as an industry need to be focusing on. The next topic I tackled was a deeper dive into some of the recent high-profile cyber-attacks, and what we can learn from them. Third, and most recently, I wrote about the various kinds of Denial of Service (DoS) attacks, and what businesses can do to better protect themselves from this emerging threat.
Moor Insights & Strategy today published a deeper-dive white paper on Hewlett Packard Enterprise’s Gen 10 security efforts, and you can find it here. I wanted to provide a shorter flyover of the white paper. Net-net, I believe HPE’s Gen 10 infrastructure is breaking new ground in addressing many of the security issues we’ve been writing about.
Changing landscape, changing threats, changing security needs
I’ll first spend a little time on security background, much of which I addressed in my previous three columns. The advent of IoT, hybrid IT, and mobility has really blown open the threat landscape in the last several years—there’s a whole raft of new weaknesses to exploit, and cyber-criminals are already taking advantage of them. The introduction of cloud technology providers adds a whole new layer to the mix—there’s now much more east-west traffic, disrupting the traditional hierarchical structure of data access. To top it off, most cloud providers don’t have very strong security SLAs. While addressing security at just the software level used to be sufficient, it really doesn’t cut it anymore. We as an industry need to start baking security into the blueprints of our hardware and firmware if we want to be truly protected—there’s currently a huge blind spot there, and cyber-criminals know it. We also need to get smarter at detecting attacks and faster at recovering from them.
Along with all of this, we’re seeing new cyber-crime trends arise, and old ones evolve. Ransomware is really hot right now—locking individuals or businesses out of their data, and demanding a financial “ransom” to have access returned. The recent massive WannaCry attack is a good example of this. Ransomware-as-a-Service is another new, worrisome development—it basically lowers the barrier to entry for amateur cybercriminals, and could lead to a drastic increase in attacks. DoS attacks (like the Mirai/Dyn incident last year) are also likely to pose a really big problem in the years to come—with potentially more costly consequences (major data loss and theft, etc.) than what we’ve seen so far. These DoS attacks often originate from unsecured devices on the edge with outdated firmware and/or factory-default passwords—a particular threat surface that is obviously going to continue to expand with the proliferation of HIoT and IIoT devices. PDoS (permanent denial of service) attacks occur when the firmware is ruined beyond repair, essentially permanently bricking infrastructure.
One final, alarming trend is that there’s been a noticeable shift from one-and-done opportunistic crimes to more sophisticated, long-term attacks—threats can lie dormant indefinitely in firmware, or in a state where the user can continue to use it while an attacker uses it simultaneously for malicious purposes. Nefarious to say the least.
HPE silicon root of trust
On the server/hardware level, a big differentiator of HPE’s 10th-generation platforms is its silicon root of trust. Burned into the motherboard, the root of trust renders it impossible for attackers to compromise the BIOS—the system just plain refuses to boot up without its necessary circuitry. No unscanned or non-key-encrypted code will run. When the server boots up, the root of trust’s iLO management controller is the very first device engaged—if the so-called “handshake” doesn’t take place, then the system can’t continue with the startup process. This process occurs again at every step up the chain, so the protection is seamless all the way to the top.
While the silicon root of trust is intended to reduce, if not eliminate, threats, what if someone or something gets in? For instance, what if someone broke into the server room to muck with the firmware? HPE’s firmware automatically scans itself on a daily basis—whenever malware or compromised firmware code is detected, the server immediately engages recovery mode. At that point, the firmware reverts to a previously authenticated state—if threats are also detected there, then the firmware reverts to its original factory settings. While there are other generic options for roots of trust, one of the main benefits of HPE’s strategy is that the HPE iLO is based on an HPE-specific design. HPE owns the intellectual property of the iLO, as well as the firmware—so HPE has total control over who can access and sign off on changes.
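As an added illustration, not HPE’s code and not taken from the white paper, here is a constructed Python model of the two behaviours described above: a boot chain that halts at the first firmware stage failing verification, and the recovery order of current image, then last authenticated image, then factory image. The key, stage names and images are all assumptions.

```python
import hashlib
import hmac

# Constructed model of the boot-time verification and recovery policy described
# above. Not HPE's code: the key, stage names and firmware images are made up.
FUSED_KEY = b"constructed-key-standing-in-for-a-secret-fused-in-silicon"


def sign(image: bytes) -> str:
    """Stand-in for the vendor signature the root of trust checks (HMAC-SHA256)."""
    return hmac.new(FUSED_KEY, image, hashlib.sha256).hexdigest()


def verify(image: bytes, sig: str) -> bool:
    """Constant-time check that an image still matches the signature shipped with it."""
    return hmac.compare_digest(sign(image), sig)


def boot(chain):
    """Walk the chain in boot order (management controller first, then BIOS, ...).
    Each stage is (name, image, sig). Halts at the first stage that fails, like a
    server that refuses to start; returns (booted, names that verified)."""
    verified = []
    for name, image, sig in chain:
        if not verify(image, sig):
            return False, verified
        verified.append(name)
    return True, verified


def recover(candidates):
    """Recovery order from the text: current image, then the last authenticated
    image, then factory. candidates is [(label, image, sig), ...]; returns the
    label of the first image that verifies, or None if nothing is trustworthy."""
    for label, image, sig in candidates:
        if verify(image, sig):
            return label
    return None


def demo():
    """A BIOS image modified by someone without the key: boot stops after iLO
    and recovery falls back to the previously authenticated image."""
    ilo, good, prev, factory = b"ilo-v1", b"bios-v2", b"bios-v1", b"bios-v0"
    tampered = good + b"-modified"          # bytes changed, signature not re-issued
    booted, ok = boot([("iLO", ilo, sign(ilo)), ("BIOS", tampered, sign(good))])
    chosen = recover([("current", tampered, sign(good)),
                      ("previous", prev, sign(prev)),
                      ("factory", factory, sign(factory))])
    return booted, ok, chosen   # (False, ['iLO'], 'previous')
```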
HPE enterprise key management
Gen 10 also adds an Enterprise Secure Key Management tool designed to ensure greater security consistency by allowing companies to secure cloud, storage, and servers together. For data at rest, Gen 10 also employs 3PAR storage’s self-encrypting drives, and automatic data encryption through HPE’s Secure Encryption. The platform also utilizes HPE/Aruba ClearPass Policy Manager to protect the network by identifying devices and enforcing policies. Last but not least, Gen 10 employs recently acquired Niara technology (which I previously wrote about here) to perform advanced monitoring and behavioral analytics to quickly identify and respond to suspicious anomalies. As I’ve discussed many times before, many enterprises don’t even know they’ve been hacked, and continue to be exploited, like a host by a parasite, for months. Niara brings next-level security to HPE’s portfolio, uses AI to determine if someone has gotten in, and if you ask me—it was a smart purchase.
Another element of HPE’s Gen 10 security story is focused on securing the supply chain. This is another area in the industry where there are currently a lot of security blind spots, and attackers have definitely wised up to it. Remember the reports on Apple ODM servers with infected firmware? If not, Google it. HPE is doing a couple of different things to secure the supply chain—first, it only sources from Trade Agreements Act designated countries, and makes it a practice to vet all component vendors against anti-counterfeiting laws. Secondly, when we talk about securing the supply chain, we’re really talking about going deep down and securing the firmware code itself. As I mentioned earlier when talking about HPE’s silicon root of trust, the fact that HPE develops so much of its own designs really helps here—it has the ability to strictly control access to its firmware. Naturally, HPE does have to buy third-party devices to integrate into its technologies—however, even when it does, it still writes its own software and drivers in order to maintain its level of control over products and processes. HPE says it regularly performs various kinds of verification testing, such as penetration testing, across its whole supply chain. Really, enough emphasis cannot be placed on how important securing the supply chain is right now. HPE absolutely has the right idea here.
HPE’s security certifications and compliance
HPE takes its security certifications and compliance very seriously, and it has an impressive collection to show for it. To name a few: the Commercial National Security Algorithms (CNSA), which are used specifically for handling top secret information; US FIPS 140-2 validation; and the Common Criteria for Information Technology Security Evaluation. A complete list is available in the white paper—click through if you want all the details. All of this demonstrates the necessary legwork to comply with governments and regulatory bodies, which is important for maintaining critical standards.
HPE Pointnext security services
One other new offering from HPE is its Pointnext portfolio of security services, geared specifically towards simplifying security as companies plan and execute hybrid IT and digital transformation projects. Not every enterprise wants to do everything itself, and many need help getting there. HPE says Pointnext helps businesses on a strategic level by offering digital transformation advising, modernizing edge-to-core-to-cloud security infrastructure, hardening infrastructure, and more. On a tactical level, Pointnext tackles professional and operational security assurance services, data protection and access control, risk and compliance management, and more. Pointnext looks to be a pretty all-inclusive set of services—again, you can read about it in greater detail in the white paper if you’re interested in learning more.
As I’ve said before, data-center security in this day and age is a constantly moving target—enterprises need to be covered from the edge to the core to the cloud, and they need to spend as much effort securing hardware and firmware as they do software. With HPE’s release of the Gen 10 platform, it appears to be addressing most of the crucial data-center security issues facing us today. I think it’s clear that HPE gets data-center security, has broken new ground with Security Assurance, and has a good eye on where it’s going in the future. This column only begins to scratch the surface—be sure to read the full-length white paper on the topic here.