Post on 12-Apr-2020
-
Your World is Hybrid: HPE Secure Compute Lifecycle
HPE ProLiant Gen10
Jay Hendrickson - Global Product Manager, HPE Servers
-
Agenda
– Cyber Attacks
– HPE Security Overview
– HPE Gen10 Server Security
– Secure Compute Technology and Silicon Root of Trust
– Security as a chain
– Server Security delivery & licensing
– Security Modes & NIST Controls
– NIST Controls
– Supply Chain
– PointNext
HPE Confidential. NDA required.
-
More vulnerabilities, smarter criminals
– > 500K breach attempts every minute (1)
– 99 days median time to detect breach (2)
– Denial of service
– Malware-infected firmware
(1), (2) Substantiation for quantifiable benefits in speaker notes
-
HPE Security Focus
[Diagram: five security focus areas]
– Supply Chain: Supply Chain Security Assurance; Secure Sourcing Partners/Suppliers
– Server: HPE Secure Compute; Built In Protection, Detection, Recovery
– Storage: Secure Data Storage; Self Encrypting Data Storage
– Network: Secure Access to the Network; Machine Learning Network Protection
– Service: HPE Pointnext Services; Security and Protection Services
-
HPE Industry Standard Servers
The world’s most secure industry standard servers
-
HPE Secure Compute Technology
The World’s Most Secure Industry Standard Servers
Silicon Root of Trust
– Only HPE offers industry standard servers with major firmware anchored directly into the silicon
– HPE can do this because we build custom iLO silicon and write our firmware code.
– HPE has unique FW integration, competitors buy general purpose BMCs off the shelf without ability to tie the firmware to hardware
– HPE Secure Compute Technology protects millions of lines of FW code that run before the OS even boots.
Runtime Verification
– Periodic checking of firmware, verifying the integrity of essential key firmware.
– Verified good & malware free redundant firmware repository
– Detection of compromised code or tampering with essential key firmware
– Customer notification of detected compromised essential firmware code
Secure Recovery
– Recovering essential firmware to known good state after detection of compromised code
– Customer Options:
  – to factory settings
  – to last known good FW
  – halt and wait
– Ability to recover other server settings like smart array raid levels
CNSA Suite
– Commercial National Security Algorithms
– Typically used for handling the most confidential and secret information
– Uses the highest level of cryptography in the industry
BMC: Baseboard management controller
-
HPE Silicon Root of Trust vs SW Root of Trust
[Diagram: two boot chains compared.
SW Root of Trust: FW → UEFI → OS, with Signature / PubKey Verification between stages; labels "Root of Trust", "Attack", "compromised".
Silicon Root of Trust: iLO5 HW (In Silicon) → iLO5 FW → UEFI → OS, with Signature / PubKey Verification at each of three stages; label "Attack" at each of the three stages.]
HPE Gen10 Anchors First Crypto HASH in Silicon at FAB
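A simplified model of the silicon versus software root of trust comparison above, as an added example (not HPE's implementation and not taken from the deck). It uses a chain of SHA-256 digests instead of signatures to show why the location of the first anchor matters; the stage names follow the diagram, while the payload bytes, the `|next=` image layout and all function names are constructed for illustration.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_chain(payloads):
    """Link stages last-to-first: each image embeds the digest of the next image.
    Returns (images, anchor) where anchor is the digest of the first image."""
    images, next_digest = [], ""
    for name, payload in reversed(payloads):
        image = payload + b"|next=" + next_digest.encode()
        images.append((name, image))
        next_digest = digest(image)
    images.reverse()
    return images, next_digest

def verify_chain(anchor, images):
    """Walk the chain from the anchor. Returns the name of the first stage
    that fails verification, or None when every stage matches."""
    expected = anchor
    for name, image in images:
        if digest(image) != expected:
            return name
        expected = image.rsplit(b"|next=", 1)[1].decode()
    return None

# Constructed sample firmware contents (not real images).
GOOD = [("iLO5 FW", b"ilo-fw-v1"), ("UEFI", b"uefi-v1"), ("OS loader", b"os-v1")]
TAMPERED = [("iLO5 FW", b"ilo-fw-v1"), ("UEFI", b"uefi-v1+implant"), ("OS loader", b"os-v1")]

def software_root_result():
    # Anchor lives in the same rewritable storage as the firmware, so a
    # re-linked tampered chain arrives together with a matching anchor.
    images, rewritten_anchor = build_chain(TAMPERED)
    return verify_chain(rewritten_anchor, images)

def silicon_root_result():
    # Anchor was fixed at fabrication from the known-good chain and cannot
    # be rewritten; the re-linked tampered chain no longer matches it.
    _, fab_anchor = build_chain(GOOD)
    images, _ = build_chain(TAMPERED)
    return verify_chain(fab_anchor, images)

def single_stage_tamper_result():
    # Only one stage is modified and nothing is re-linked: either kind of
    # root detects this, at the modified stage.
    images, anchor = build_chain(GOOD)
    images[1] = ("UEFI", images[1][1].replace(b"uefi-v1", b"uefi-v1+implant"))
    return verify_chain(anchor, images)

if __name__ == "__main__":
    print("software root, re-linked chain:", software_root_result())
    print("silicon root, re-linked chain: ", silicon_root_result())
    print("single-stage tamper:           ", single_stage_tamper_result())
```

With a rewritable anchor the tampered chain verifies cleanly, whereas the fabrication-time anchor rejects it at the first stage, which is what a detection and recovery baseline depends on.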
-
Security Built into Every Level
New iLO License Structure and supported features

HW Options
– Chassis Intrusion Detection
– 3-Factor Rack Security
– NICs
– TPM
– Cyber Safe TAA SKUs
– Smart Array w/Secure Encryption

iLO Standard
– Silicon Root of Trust
– FW Supply Chain Attack Detection
– FIPS 140-2 Level 1 Validation
– Secure made BIOS (TAA)
– Manual Secure Recovery
– Authenticated Updates
– Common Criteria
– Single Sign-On
– Secure Start
– Measured Boot
– UEFI Secure Boot
– Agentless Management
– Remote Firmware Update
– Trusted eXecution Technology
– NIST 800-147b BIOS/UEFI Protection

iLO Advanced (all iLO Standard features, plus)
– CAC 2-Factor Authentication
– Remote System Logs
– Remote Console
– Virtual Media
– Directory Services
– ArcSight Unique Connector
– Kerberos 2-Factor Authentication

iLO Advanced Premium Security Edition (all iLO Advanced features, plus)
– Automatic Secure Recovery
– Runtime FW Verification
– Secure Erase of NAND/NOR Data
– Commercial National Security Algorithms
-
World’s Most Secure Industry Standard Servers

Build it In: Protect
• Silicon Root of Trust
• CNSA Suite
• Two Factor Authentication CAC
• Prevent Firmware Attacks from OS
• Secure Erase of NAND/User Data
• Common Criteria & FIPS 140-2 Level 1
• UEFI Secure Boot
• TPM 1.2 and 2.0
• NIST 800-147b BIOS
• PCI-DSS Compliance
• Secure Supply Chain

Stop it Now: Detect
• Firmware Runtime Verification
• Chassis Intrusion Detection on Most Servers
• HPE Rack Cabinet Door Detector
• Verified Boot
• Trusted eXecution Technology
• SIEM Tool Support
• Audit Logs
• Measured Boot

Recover it Fast: Recover
• Secure Recovery of Essential FW
• HPE Pointnext recovery services
-
HPE Secure Compute Technology
Security Mode Life Cycle

Production Mode
– Secure Network
– Maximum interoperability with existing software
– Trusts OS authentication

High Security Mode
– Secure: Locks down host interface to traffic
– Mandates FIPS-level cryptography on network interface
– Requires authentication & encryption on SW running on host

FIPS 140-2 Mode
– More Secure: Attack surfaces reduced: Disables non-FIPS interfaces (i.e., IPMI & SNMP v1)
– Increased Cryptography
– Federal Information Processing Standards
– 140-2 Level One
– FIPS Validated

CNSA Suite Mode
– Most Secure: Requires iLO Advanced Premium Security Edition
– Commercial National Security Algorithms: Highest level of security in the Industry
– Unmatched by any competitors
– Highest levels of cryptography (elliptic curve) on network interface
– Requires installation of CNSA grade certifications
– Includes all FIPS mode security protocols

Authentication & Authorization
– Active Directory
– LDAP
– Open LDAP (new)
– Kerberos 2-Factor Authentication
– CAC 2-Factor Authentication (new)
-
HPE NIST Infrastructure (HNI)
[Diagram: HNI surrounded by compliance frameworks]
– FedRAMP
– ISO 27001
– DFARS
– PCI-DSS
– HIPAA
– NERC
• The HNI pre-built NIST SP 800-53 security controls
• PEN testing
• Vulnerability scan
• Security baseline
-
HPE Supply Chain
Overview for Security
-
Supply Chain Protection
Silicon Root of Trust Protects Against Inserting Malware Into Server Firmware
-
Analyzing & mitigating risks
[Diagram: supply chain stages for the PRODUCT, with "Analyze Risks" and "Close Gaps & Improve Processes" repeated across the stages]
– Materials Suppliers
– Logistics/Transportation Services
– Manufacturers (Production/Assembly)
– Warehouse/Distribution Centers
– TS & Outsourced Service Support
-
Secure Sourcing
Building security into every aspect of the product
– Regulatory & Standards Compliance
– Component Provenance and Sourcing Origin & Traceability
– Secure Product Measures, Controls, Features
– Customer/Supplier Authentication
– Security Labeling & Packaging & Anti-Counterfeiting
-
HPE PointNext
Overview on Security
-
We help protect your digital enterprise
HPE Security and Protection Services

Advisory and Transformation: Envision and define
Professional: Design and implement
Operational: Consume and optimize

– Adaptive Security and Protection Transformation Workshop
– Security assessments: controls, compliance, architecture, vulnerability
– Hybrid cloud protection advisory services
– Risk and business impact assessments
– Continuity and DR planning services
– Backup and recovery advisory services
– Operational security advisory services
– Data protection & privacy services

– Hybrid IT security architecture & design
– Operational security architecture & design
– Security monitoring & incident management
– Security network log management
– Platform protection and compliance
– Aruba ClearPass lifecycle services
– Hybrid IT Network Security lifecycle services
– Backup & recovery design, implement, test
– StoreOnce integration services
– High availability and disaster tolerance

– Foundation Care Services for Gen10 security features
– Defective media retention services
– Data sanitation services
– Patch management services
– Cyber resiliency training
– Risk management & BC planning training
– Workforce security programs
– InfoSec skills & industry certifications
-
Thank you
-
ClearPass Real-time Policy-based Actions
• Quarantine
• Re-authentication
• Bandwidth Control
• Blacklist
• Role-change
[Diagram labels: Devices Profiled; User/Device Context; Wired/Wireless Device Authentication; Actionable Alerts; ClearPass Policy Manager; Niara UEBA: Machine Learning-based Risk Scoring for Users & Systems]
CLEARPASS + UEBA = 360° Protection
1. Discover and Validate
2. Monitor and Alert
3. Decide and Act
-
How Firmware is Digitally Signed and Authenticated for NICs
[Diagram: steps split between an "HPE Process" lane and a "Vendor Process" lane]
1. HPE sends firmware and security requirements to the adapter manufacturer
2. Adapter manufacturer creates public and private key pair through a secure code signing process
3. Adapter manufacturer creates a digitally signed firmware image with key
4. The HPE digitally signed firmware image is loaded onto HPE branded NICs, if crypto keys match

Chain of Trust: Enables security features based on the Root of Trust with current firmware
Silicon Root of Trust: Creates a silicon anchored chain of trust for authenticating updates to firmware
Authenticated Updates: Ensures that only valid signed firmware is installed
-
Dell Security Announcement and HPE Response

Dell Feature: Cyber-resilient architecture
Analysis: Top line marketing term for Dell’s security that includes SecureBoot, BIOS Recovery, signed firmware, and iDRAC RESTful API.
HPE Response: HPE has branded HPE Secure Compute Lifecycle that goes above and beyond what Dell has by including supply chain assurance, silicon root of trust, services, networking, security options, and security compliance/modes.

Dell Feature: Silicon Root of Trust
Analysis: Dell makes NO mention of this because they don’t own their own custom made silicon like HPE does.
HPE Response: This is the key differentiator and the attribute that enables HPE to deploy HPE Secure Compute Lifecycle. Hammer this with customers: Dell’s firmware chain is still exposed at the base level because they cannot verify the authenticity by anchoring into the immutable silicon.

Dell Feature: Secure Boot
Analysis: Securely boots the OS from BIOS firmware.
HPE Response: HPE has supported this for a long time; we already have it in Gen9. We have a better implementation since we can enable/disable this feature and have secure storage of boot keys. Welcome to secure boot, Dell.

Dell Feature: BIOS Recovery
Analysis: Recovers the BIOS from ROM generally.
HPE Response: HPE already has that in Gen9 through our redundant ROM, and we’re stepping it up in Gen10 to recover BIOS even if both halves of the ROM might be corrupt. Dell is following our lead here.

Dell Feature: Signed Firmware
Analysis: This essentially verifies from the server manufacturer that the firmware is authentic.
HPE Response: HPE has had this for years. It’s more of an industry standard now and Dell is finally catching up.

Dell Feature: iDRAC RESTful APIs
Analysis: Compliant with Redfish RESTful open APIs on the Dell iDRAC; equivalent to our iLO.
HPE Response: HPE co-chaired (along with Dell) the DMTF forum that created Redfish, so naturally they will leverage this. HPE also has RESTful APIs on iLO, BIOS, and even on our SmartArray controllers.

Dell Feature: Server ecosystem and lifecycle security
Analysis: Additional layer of security with supply chain integrity and assurance.
HPE Response: Dell has started to include their supply chain in security, which HPE has done for years. We call it supply chain security assurance, which includes anti-counterfeiting procedures and enforcement of security processes with HPE sub-suppliers, in addition to several other benefits.

Dell Feature: Detect quickly and recover rapidly to baseline
Analysis: Part of Dell’s higher level statement of Protect the infrastructure, Detect anomalies, and Recover quickly (Protect/Detect/Recover).
HPE Response: Dell may be able to detect some compromised code and even have a basic level of recovery to some FW copy stored in the server, but without an anchor to silicon, they cannot guarantee the golden baseline has not been compromised. Only HPE has that ability.

Dell Feature: Drift Detection on FW
Analysis: Similar to the capability above: this monitors and reports any unplanned drift in the Dell FW or configuration when compared to a baseline. Basically, it notices any unauthorized changes in FW.
HPE Response: Dell can monitor their FW through software root of trust, but they still lack the capability to verify authenticity down to the silicon. Dell can get compromised FW, which looks authentic, without an anchor to the silicon.

Dell Feature: Industry First System Lock-Down
Analysis: Prevents configuration changes that create security vulnerabilities and expose sensitive data. Announcement is very vague.
HPE Response: More research is in progress to determine what this feature is. This is the only feature Dell claims to have as an industry first. HPE does have role based access to iLO all the way to Security Officer, whose job is to prevent negatively impacting configuration changes.

Dell Feature: System Erase
Analysis: Quickly and securely erases user data from drives or wipes all non-volatile media when a server is retired.
HPE Response: HPE has 2 ways to do this: Intelligent Provisioning can erase data, and HPE PointNext services can erase data when disposing of servers. HPE PointNext also checks and verifies the customer data has been completely expunged, rather than hoping technology has done it thoroughly.