Three Ways HPE Helps Businesses Achieve 360-Degree Security


 

Data is the new currency, and the rapid adoption of emerging technologies is greatly increasing business efficiency while adding dynamic cybersecurity challenges for organizations. Cyberattacks have moved beyond identity theft and online account hacks. They leverage our hyperconnected world through Internet of Things (IoT) devices, cell phones, and the internet to threaten businesses, cities, infrastructures, and even our homes.

 

Cybercrime is putting every organization at risk for financial damage, regulatory fines, tainted customer relationships, reputational loss, and infrastructure harm. Cybercriminals are becoming more sophisticated and organized in their tactics because they see the financial gain; this illegal practice is more lucrative than the global illegal drug trade. 

 

Companies need to have a cyber-resiliency plan in place to be prepared, as the question is no longer if they will be attacked but when.

 

Protect your business with the holistic 360-degree view of security needed to address threats both today and tomorrow

 

HPE servers are known as the world’s most secure industry-standard server portfolio, which provides an enhanced, holistic 360˚ view of security that begins in the manufacturing supply chain and concludes with safeguarded end-of-life decommissioning.¹

 

1. Supply chain security 


  • Secure supply chain from HPE reduces the risk of supply chain threats—such as counterfeit materials, malicious software, and other untrustworthy components—by vetting component vendors and sourcing from Trade Agreements Act (TAA) designated countries. HPE further reduces security concerns and threats by developing the BIOS, management firmware, and HPE iLO 5 chip in-house. Secure server options such as a chassis intrusion detection kit can further reduce the risk of tampering—even when the server is powered off.
      1. Server configuration lock enables you to lock the server hardware configuration using a password. Once a server configuration is locked, any changes will render the server unbootable. This ensures secure transit and provides customers peace of mind that their servers have not been tampered with.
      2. Platform certificates are based on a hardware manifest created at the birth of the server prior to shipping, providing assurance upon arrival at the customer site that the system has not been tampered with anywhere in the supply chain lifecycle.
      3. HPE Trusted Supply Chain builds on the foundation of our current secure supply chain with an option for Assembled in the USA industry-standard servers in our Chippewa Falls factory and HPE Server Security Optimization Service for our most popular product lines globally including many industry-leading HPE ProLiant servers like the DL360, DL380, and DL385. 

 

2. Automated security—Protect. Detect. Recover 


    • Protect
      • Silicon root of trust—The key selling point is an HPE-exclusive immutable digital fingerprint in the HPE iLO silicon. The silicon root of trust validates everything from the lowest level of firmware up to the BIOS and software to ensure the system is secure and in a known good state before the server even boots. Competitors who purchase off-the-shelf BMC silicon are unable to properly anchor their firmware. HPE makes the silicon in-house for better control.
      • Secure boot—This is an industry-standard security feature that is implemented in the BIOS. Secure boot ensures that any drivers launched during the boot process and the OS boot loader are digitally signed and validated against a set of trusted certificates securely stored by the BIOS. With secure boot enabled, only validated drivers and OS boot loaders are allowed to run.

    • Detect
      1. Runtime Firmware Validation—It validates the HPE iLO and UEFI/BIOS at runtime. Detection during server runtime is provided by an exclusive HPE technology that can conduct daily checks of the server’s essential firmware. If compromised code or malware is inserted in critical firmware, an HPE iLO audit log alert is created to notify you that a compromise has occurred.
      2. HPE iLO security dashboard—It helps users to detect possible security vulnerabilities in a current server setup, enabling users to fix potential vulnerabilities from within the dashboard. 
    • Recover
      1. Should a server become compromised, the server system restores automatically, takes the server offline, and performs recovery and restoration of validated firmware, as well as facilitated recovery of the operating system, application, and data connections. In the event of a ransomware attack or other breach, you can automatically or manually recover the server’s essential firmware, firmware configuration settings, OS, and host environments back to an operational state.

3. End of life


  1. When servers reach end of life (EOL), they are either returned as part of a lease, recycled, donated, or disposed of. Despite the attempts of professionals managing the EOL, bits of data still exist and can be gleaned through a variety of techniques by those looking to exploit a business.
    • One button secure erase makes server retirement simpler. It completely erases every byte of data that sits on an HPE server when retired, so customers can have confidence that there will be no traces of data or proprietary information remaining. National Institute of Standards and Technology (NIST) level crypto-erase with a single command ensures no data can be recovered for nefarious purposes.
    • Secure erase speeds and simplifies the complete removal of passwords, configuration settings, and data, preventing inadvertent access to previously secured information.

 

How HPE’s unique security services are designed to build an immutable chain of trust from the supply chain to the workload

 

HPE’s Project Aurora is the centerpiece to building a secure trust chain. 

 

 

Starting at the HPE Trusted Supply Chain, HPE makes use of industry-standard platform certificates that attest to the validity of major server hardware components when leaving HPE factories. This allows HPE to securely validate any hardware change, up to the point where it’s delivered to a customer location.

 

The next project layer is Infrastructure Trust. HPE has its own Baseboard Management Controller (BMC), the management chip in HPE servers, called HPE Integrated Lights-Out (HPE iLO). At this infrastructure layer, HPE iLO measures and verifies the integrity of firmware and key hardware components. Project Aurora leverages these measurements and verifications from the moment the server is powered on. This is our silicon root of trust.

  

OS Trust is the next layer up. Here, Project Aurora protects against rootkits and bootkits by verifying the BIOS and securely measuring the hardware for comparison with the platform certificates. HPE also checks various operating system components, including the kernel, device drivers, and critical processes for tampering.

  

With platform trust and workload trust, HPE measures critical platform and workload executables, as well as their configuration files, before they can begin executing.

 

These attestations are protected by Trusted Platform Modules or TPMs that are available within HPE servers today. TPMs are industry-standard micro-controllers designed to securely measure the state of a device. HPE also utilizes TPMs to protect digital credentials shipped with the device to ensure they cannot be exploited by hackers. They also follow standards and recommendations from the Trusted Computing Group on how to use Device Identities (DevIDs) with TPMs.

  

 As you can see, each layer protects the next higher layer, from silicon to workload.

  

The fundamental principle of Project Aurora is to maintain a trusted repository of expected state that’s then compared with current state to determine any potential and unexpected deviations. For example, HPE can detect when unauthorized hardware or firmware is being plugged in, if the kernel has been tampered with, or if there are unauthorized workloads running on the host. And it can all take place from edge to cloud.
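The expected-state versus current-state comparison described above, as an added example that is not HPE's code and does not reproduce Project Aurora: a generic TPM-style extend chain over constructed layer images, where a verifier replays the reported event log and then names the first layer that deviates. The layer names, sample images, and the `boot` and `verify` functions are assumptions made for illustration.

```python
import hashlib
import hmac

ZERO_PCR = bytes(32)  # a SHA-256 measurement register starts at all zeros


def extend(pcr, digest):
    # TPM-style extend: the register is folded forward, it can never be set.
    return hashlib.sha256(pcr + digest).digest()


def boot(layers):
    """Measure each (name, image) in boot order; return (event_log, final_pcr)."""
    pcr, log = ZERO_PCR, []
    for name, image in layers:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return log, pcr


def verify(event_log, reported_pcr, expected):
    """Compare current state with the expected state from a trusted repository.

    Returns ("ok", None), ("log_tampered", None) or ("deviation", layer_name).
    """
    # 1. Replay the log: it must reproduce the register value the host reported.
    pcr = ZERO_PCR
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    if not hmac.compare_digest(pcr, reported_pcr):
        return ("log_tampered", None)
    # 2. Walk both lists in boot order and report the first layer that differs.
    for (name, digest), (exp_name, exp_digest) in zip(event_log, expected):
        if name != exp_name or digest != exp_digest:
            return ("deviation", name)
    # 3. A length mismatch means an unapproved extra layer or a missing one.
    if len(event_log) != len(expected):
        longer = event_log if len(event_log) > len(expected) else expected
        return ("deviation", longer[min(len(event_log), len(expected))][0])
    return ("ok", None)


# Constructed sample images standing in for real firmware and software.
GOLDEN = [("bmc_firmware", b"bmc-fw-v1"), ("bios", b"uefi-v1"),
          ("kernel", b"kernel-v1"), ("workload", b"app-v1")]
EXPECTED, _ = boot(GOLDEN)  # the "trusted repository of expected state"
```

Because each register value depends on every earlier measurement, a host that ran a modified kernel cannot present the unmodified log without the replay in step 1 failing.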

 

To learn more about how HPE Compute can help protect your business, visit https://www.vlcm.com/server-security

 

  1. Based on external security firm conducting cybersecurity penetration testing of HPE Gen10 servers and three leading server competitors, September 2019