Your World is Hybrid: HPE Secure Compute Lifecycle HPE ProLiant Gen10 Jay Hendrickson - Global Product Manager, HPE Servers

TRANSCRIPT

  • Your World is Hybrid: HPE Secure Compute Lifecycle, HPE ProLiant Gen10

    Jay Hendrickson - Global Product Manager, HPE Servers

  • Agenda

    – Cyber Attacks
    – HPE Security Overview
    – HPE Gen10 Server Security
    – Secure Compute Technology and Silicon Root of Trust
    – Security as a chain
    – Server Security delivery & licensing
    – Security Modes & NIST Controls
    – NIST Controls
    – Supply Chain
    – PointNext

    HPE Confidential. NDA required.

  • More vulnerabilities, smarter criminals

    > 500K breach attempts every minute (1)

    99 days median time to detect breach (2)

    Denial of service

    Malware-infected firmware

    1, 2 Substantiation for quantifiable benefits in speaker notes

    Security

  • HPE Security Focus

    1. Server: HPE Secure Compute (Built In Protection, Detection, Recovery)

    2. Supply Chain Security: Security Assurance (Secure Sourcing Partners/Suppliers)

    3. Storage: Secure Data Storage (Self Encrypting Data Storage)

    4. Network: Secure Access to the Network (Machine Learning Network Protection)

    5. Service: HPE Pointnext Services (Security and Protection Services)

  • HPE Industry Standard Servers

    The world’s most secure industry standard servers


  • HPE Secure Compute Technology: The World’s Most Secure Industry Standard Servers

    Silicon Root of Trust

    – Only HPE offers industry standard servers with major firmware anchored directly into the silicon

    – HPE can do this because we build custom iLO silicon and write our firmware code.

    – HPE has unique FW integration, competitors buy general purpose BMCs off the shelf without ability to tie the firmware to hardware

    – HPE Secure Compute Technology protects millions of lines of FW code that run before the OS even boots.

    Runtime Verification

    – Periodic checking of firmware verifying integrity of essential key firmware.

    – Verified good & malware free redundant firmware repository

    – Detection of compromised code or tampering with essential key firmware

    – Customer notification of detected compromised essential firmware code

    Secure Recovery

    – Recovering essential firmware to known good state after detection of compromised code

    – Customer Options: to factory settings; to last known good FW; halt and wait

    – Ability to recover other server settings like smart array raid levels


    CNSA Suite

    – Commercial National Security Algorithms

    – Typically used for handling the most confidential and secret information

    – Uses the highest level of cryptography in the industry

    BMC: Baseboard management controller

  • HPE Silicon Root of Trust vs SW Root of Trust

    [Diagram: two boot chains compared. SW Root of Trust: FW, UEFI, OS, with Signature/PubKey verification between stages; the root of trust is shown under attack and compromised. HPE Silicon Root of Trust: iLO5 HW (in silicon), iLO5 FW, UEFI, OS, with Signature/PubKey verification at every stage and an attack shown against each stage.]

    HPE Gen10 Anchors First Crypto HASH in Silicon at FAB
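
    The difference between the two chains on this slide, as an added example that is not HPE code or part of the original deck. It assumes a simplified model in which each stage holds a SHA-256 digest of the next stage instead of the signature and public key pairs on the slide; the image contents and function names are constructed for illustration.

```python
import hashlib

def measure(stage):
    # A stage is measured over its code plus the digest it holds for the next stage.
    return hashlib.sha256(stage["code"] + stage["next"].encode()).hexdigest()

def build_chain(parts):
    """Link stages back to front; return (chain, digest of the first stage)."""
    chain, nxt = [], ""
    for name, code in reversed(parts):
        stage = {"name": name, "code": code, "next": nxt}
        nxt = measure(stage)
        chain.insert(0, stage)
    return chain, nxt

def verify_boot(anchor, chain):
    """Return the name of the first stage that fails verification, or None."""
    expected = anchor
    for stage in chain:
        if measure(stage) != expected:
            return stage["name"]
        expected = stage["next"]
    return None

def relinked_tamper(chain, index, new_code):
    """Constructed tamper model: swap one stage and recompute every digest held in flash."""
    parts = [(s["name"], s["code"]) for s in chain]
    parts[index] = (parts[index][0], new_code)
    return build_chain(parts)

# Constructed sample images (placeholders, not real firmware).
PARTS = [("iLO5 FW", b"management firmware v1"),
         ("UEFI", b"system firmware v1"),
         ("OS", b"os loader v1")]
GOOD_CHAIN, SILICON_ANCHOR = build_chain(PARTS)  # anchor fixed at manufacture

def compare_roots(index, new_code):
    """Verify a tampered chain against a rewritable anchor and against the fixed one."""
    bad_chain, flash_anchor = relinked_tamper(GOOD_CHAIN, index, new_code)
    return {"software_root": verify_boot(flash_anchor, bad_chain),
            "silicon_root": verify_boot(SILICON_ANCHOR, bad_chain)}

if __name__ == "__main__":
    print(compare_roots(0, b"modified management firmware"))
    print(compare_roots(1, b"modified system firmware"))
```

    When the anchor lives in the same rewritable storage as the firmware, a consistently re-linked chain verifies cleanly; against the fixed anchor the same chain fails at the first stage.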


  • Security Built into Every Level: New iLO License Structure and supported features

    HW Options

    – Chassis Intrusion Detection
    – 3-Factor Rack Security
    – NICs
    – TPM
    – Cyber Safe TAA SKUs
    – Smart Array w/Secure Encryption

    iLO Standard

    – Silicon Root of Trust
    – FW Supply Chain Attack Detection
    – FIPS 140-2 Level 1 Validation
    – Secure made BIOS (TAA)
    – Manual Secure Recovery
    – Authenticated Updates
    – Common Criteria
    – Single Sign-On
    – Secure Start
    – Measured Boot
    – UEFI Secure Boot
    – Agentless Management
    – Remote Firmware Update
    – Trusted eXecution Technology
    – NIST 800-147b BIOS/UEFI Protection

    iLO Advanced (all iLO Standard features, plus)

    – CAC 2-Factor Authentication
    – Remote System Logs
    – Remote Console
    – Virtual Media
    – Directory Services
    – ArcSight Unique Connector
    – Kerberos 2-Factor Authentication

    iLO Advanced Premium Security Edition (all iLO Advanced features, plus)

    – Automatic Secure Recovery
    – Runtime FW Verification
    – Secure Erase of NAND/NOR Data
    – Commercial National Security Algorithms

  • World’s Most Secure Industry Standard Servers

    Build it In: Protect

    • Silicon Root of Trust
    • CNSA Suite
    • Two Factor Authentication CAC
    • Prevent Firmware Attacks from OS
    • Secure Erase of NAND/User Data
    • Common Criteria & FIPS 140-2 Level 1
    • UEFI Secure Boot
    • TPM 1.2 and 2.0
    • NIST 800-147b BIOS
    • PCI-DSS Compliance
    • Secure Supply Chain

    Stop it Now: Detect

    • Firmware Runtime Verification
    • Chassis Intrusion Detection on Most Servers
    • HPE Rack Cabinet Door Detector
    • Verified Boot
    • Trusted eXecution Technology
    • SIEM Tool Support
    • Audit Logs
    • Measured Boot

    Recover it Fast: Recover

    • Secure Recovery of Essential FW
    • HPE Pointnext recovery services

  • HPE Secure Compute Technology

    – Secure: Locks down host interface to traffic

    – Mandates FIPS-level cryptography on network interface

    – Requires authentication & encryption on SW running on host

    – More Secure: Attack surfaces reduced: Disables non-FIPS interfaces (i.e., IPMI & SNMP v1)

    – Increased Cryptography

    – Federal Information Processing Standards (FIPS) 140-2 Level One

    – FIPS Validated

    – Most Secure: Requires iLO Advanced Premium Security Edition

    – Commercial National Security Algorithms: Highest level of security in the Industry

    – Unmatched by any competitors

    – Highest levels of cryptography (elliptic curve) on network interface

    – Requires installation of CNSA grade certifications

    – Includes all FIPS mode security protocols

    Production Mode

    CNSA Suite Mode

    FIPS 140-2 Mode

    High Security Mode

    Security Mode Life Cycle

    – Secure Network

    – Maximum interoperability with existing software

    – Trusts OS authentication

    Authentication & Authorization

    – Active Directory
    – LDAP
    – Open LDAP (new)
    – Kerberos 2-Factor Authentication
    – CAC 2-Factor Authentication (new)

  • HPE NIST Infrastructure (HNI)

    [Diagram: HNI at the center, surrounded by FedRAMP, ISO 27001, DFARS, PCI-DSS, HIPAA and NERC]

    • The HNI pre-built NIST SP 800-53 security controls

    • PEN testing
    • Vulnerability scan
    • Security baseline

  • HPE Supply Chain: Overview for Security

  • Supply Chain Protection: Silicon Root of Trust Protects Against Inserting Malware Into Server Firmware

  • Analyzing & mitigating risks

    [Diagram: supply chain stages leading to the PRODUCT, each paired with "Analyze Risks" and "Close Gaps & Improve Processes"]

    – Materials Suppliers
    – Logistics/Transportation Services
    – Manufacturers (Production/Assembly)
    – Warehouse/Distribution Centers
    – TS & Outsourced Service Support

  • Secure Sourcing: Building security into every aspect of the product

    – Regulatory & Standards Compliance
    – Component Provenance and Sourcing Origin & Traceability
    – Secure Product Measures, Controls, Features
    – Customer/Supplier Authentication
    – Security Labeling & Packaging & Anti-Counterfeiting

  • HPE PointNext: Overview on Security

  • We help protect your digital enterprise: HPE Security and Protection Services

    Advisory and Transformation, Professional, Operational

    Envision and define, Design and implement, Consume and optimize

    ‒ Adaptive Security and Protection Transformation Workshop
    ‒ Security assessments: controls, compliance, architecture, vulnerability
    ‒ Hybrid cloud protection advisory services
    ‒ Risk and business impact assessments
    ‒ Continuity and DR planning services
    ‒ Backup and recovery advisory services
    ‒ Operational security advisory services
    ‒ Data protection & privacy services

    – Hybrid IT security architecture & design
    – Operational security architecture & design
    – Security monitoring & incident management
    – Security network log management
    – Platform protection and compliance
    – Aruba ClearPass lifecycle services
    – Hybrid IT Network Security lifecycle services
    – Backup & recovery design, implement, test
    – StoreOnce integration services
    – High availability and disaster tolerance

    – Foundation Care Services for Gen10 security features
    – Defective media retention services
    – Data sanitation services
    – Patch management services

    ‒ Cyber resiliency training
    ‒ Risk management & BC planning training
    ‒ Workforce security programs
    ‒ InfoSec skills & industry certifications

  • Thank you


  • ClearPass Real-time Policy-based Actions

    • Quarantine
    • Re-authentication
    • Bandwidth Control
    • Blacklist
    • Role-change

    Devices Profiled

    User/Device Context

    Wired/Wireless Device Authentication

    Actionable Alerts

    ClearPass Policy Manager

    Niara UEBA

    Machine Learning-based Risk Scoring for Users & Systems

    CLEARPASS + UEBA = 360° Protection

    1. Discover and Validate

    2. Monitor and Alert

    3. Decide and Act

  • How Firmware is Digitally Signed and Authenticated for NICs

    [Diagram lanes: HPE Process, Vendor Process]

    – HPE sends firmware and security requirements to the adapter manufacturer

    – Adapter manufacturer creates public and private key pair through a secure code signing process

    – Adapter manufacturer creates a digitally signed firmware image with key

    – The HPE digitally signed firmware image is loaded onto HPE branded NICs, if crypto keys match

    Chain of Trust

    Enables security features based on the Root of Trust with current firmware

    Silicon Root of Trust

    Creates a silicon anchored chain of trust for authenticating updates to firmware

    Authenticated Updates

    Ensures that only valid signed firmware is installed

  • Dell Security Announcement and HPE Response

    Dell Feature: Cyber-resilient architecture
    Analysis: Top line marketing term for Dell’s security that includes SecureBoot, BIOS Recovery, signed firmware, and iDRAC RESTful API
    HPE Response: HPE has branded HPE Secure Compute Lifecycle that goes above and beyond what Dell has by including supply chain assurance, silicon root of trust, services, networking, security options, and security compliance/modes.

    Dell Feature: Silicon Root of Trust
    Analysis: Dell makes NO mention of this because they don’t own their own custom made silicon like HPE does.
    HPE Response: This is a key differentiator and the attribute that enables HPE to deploy HPE Secure Compute Lifecycle. Hammer this with customers: Dell’s firmware chain is still exposed at the base level because they cannot verify the authenticity by anchoring into the immutable silicon.

    Dell Feature: Secure Boot
    Analysis: Securely boots the OS from BIOS firmware.
    HPE Response: HPE has supported this for a long time; we already have it in Gen9. We have a better implementation since we can enable/disable this feature and have secure storage of boot keys. Welcome to secure boot, Dell.

    Dell Feature: BIOS Recovery
    Analysis: Recovers the BIOS from ROM generally.
    HPE Response: HPE already has that in Gen9 through our redundant ROM and we’re stepping it up in Gen10 to recover BIOS even if both halves of the ROM might be corrupt. Dell is following our lead here.

    Dell Feature: Signed Firmware
    Analysis: This essentially verifies from the server manufacturer that the firmware is authentic.
    HPE Response: HPE has had this for years. It’s more of an industry standard now and Dell is finally catching up.

    Dell Feature: iDRAC RESTful APIs
    Analysis: Compliant with Redfish RESTful open APIs on the Dell iDRAC; equivalent to our iLO
    HPE Response: HPE co-chaired (along with Dell) the DMTF forum that created Redfish so naturally they will leverage this. HPE also has RESTful APIs on iLO, BIOS, and even on our SmartArray controllers.

    Dell Feature: Server ecosystem and lifecycle security
    Analysis: Additional layer of security with supply chain integrity and assurance
    HPE Response: Dell has started to include their supply chain in security, which HPE has done for years. We call it supply chain security assurance, which includes anti-counterfeiting procedures and enforcement of security processes with HPE sub suppliers, in addition to several other benefits.

    Dell Feature: Detect quickly and recover rapidly to baseline
    Analysis: Part of Dell’s higher level statement of Protect the infrastructure, Detect anomalies, and Recover quickly (Protect/Detect/Recover)
    HPE Response: Dell may be able to detect some compromised code and even have a basic level of recovery to some FW copy stored in the server, but without an anchor to silicon, they cannot guarantee the golden baseline has not been compromised. Only HPE has that ability.

    Dell Feature: Drift Detection on FW
    Analysis: Similar to capability above: this monitors and reports any unplanned drift in the Dell FW or configuration when compared to a baseline. Basically notices any unauthorized changes in FW
    HPE Response: Dell can monitor their FW through software root of trust, but they still lack the capability to verify authenticity down to the silicon. Dell can get compromised FW, which looks authentic, without an anchor to the silicon.

    Dell Feature: Industry First System Lock-Down
    Analysis: Prevents configuration changes that create security vulnerabilities and expose sensitive data. Announcement is very vague.
    HPE Response: More research in progress to determine what this feature is. This is the only feature Dell claims to have as an industry first. HPE does have role-based access to iLO all the way to Security Officer, whose job is to prevent negatively impacting configuration changes

    Dell Feature: System Erase
    Analysis: Quickly and securely erases user data from drives or wipes all non-volatile media when a server is retired
    HPE Response: HPE has 2 ways to do this: Intelligent Provisioning can erase data and HPE PointNext services can erase data when disposing of servers. HPE PointNext also checks and verifies the customer data has been completely expunged, rather than hoping technology has done it thoroughly
