Upload
lamkiet
View
233
Download
1
Embed Size (px)
Citation preview
Your World is Hybrid: HPE Secure Compute LifecycleHPE ProLiant Gen10
Jay Hendrickson - Global Product Manager, HPE Servers
Agenda
Cyber AttacksHPE Security OverviewHPE Gen10 Server Security
Secure Compute Technology and Silicon Root of TrustSecurity as a chainServer Security delivery & licensingSecurity Modes & NIST ControlsNIST Controls
Supply ChainPointNext
2HPE Confidential. NDA required..
More vulnerabilities, smarter criminals
> 500K 99 daysbreach attempts every minute1 median time to detect breach2
Denial of service
Malware-infected firmware
1, 2 Substantiation for quantifiable benefits in speaker notes
Security
HPE Security Focus
4
Machine LearningNetwork Protection
Secure Sourcing Partners/Suppliers
Built In ProtectionDetection, Recovery
HPE Secure Compute
Server
Supply ChainSecurity
Network Supply
Security Assurance
1 42
HPE Confidential
Self EncryptingData Storage
Storage3
Secure Access to the Network
Secure Data Storage
Security and Protection Services
HPE PointnextServices
Service5
HPE Industry Standard Servers
The worlds most secure industry standard servers
5
HPE Secure Compute TechnologyThe Worlds Most Secure Industry Standard Servers
Silicon Root of Trust Only HPE offers industry
standard servers with major firmware anchored directly into the silicon
HPE can do this because we build custom iLO silicon and write our firmware code.
HPE has unique FW integration, competitors buy general purpose BMCs off the shelf without ability to tie the firmware to hardware
HPE Secure Compute Technology protects millions of lines of FW code that run before the OS even boots.
Runtime Verification
Periodic checking of firmware verifying integrity of essential key firmware.
Verified good & malware free redundant firmware repository
Detection of compromised code or tampering with essential key firmware
Customer notification of detected compromised essential firmware code
Secure Recovery
Recovering essential firmware to known good state after detection of compromised code
Customer Options: to factory settings to last known good FW halt and wait
Ability to recover other server settings like smart array raid levels
6
CNSA Suite
Commercial National Security Algorithms
Typically used for handling the most confidential and secret information
Uses the highest level of cryptography in the industry
BMC- Baseboard management controller
HPE Silicon Root of Trust vs SW Root of Trust
7HPE Confidential
FW UEFI OSVerification
Attack
Signature SignaturePubKey PubKey
Root of Trust
Verification
iLO5 FWiLO5 HWIn Silicon
UEFI OS
Signature Signature SignaturePubKey PubKey PubKey
HPE Gen10 Anchors First Crypto HASH in Silicon at FAB
VerificationVerificationVerification
Attack Attack Attack
compromised
8
9
10
11
Security Built into Every LevelNew iLO License Structure and supported features
iLO Advanced
iLO Standard
iLO AdvancedPremium Security Edition
Chassis Intrusion Detection3-Factor Rack Security
NICs TPM
Cyber Safe TAA SKUsSmart Array w/Secure Encryption
HW Options
Silicon Root of TrustFW Supply Chain Attack Detection
FIPS 140-2 Level 1 ValidationSecure made BIOS (TAA)Manual Secure Recovery
Authenticated UpdatesCommon Criteria
Single Sign-OnSecure Start
Measured BootUEFI Secure Boot
Agentless ManagementRemote Firmware Update
Trusted eXecution TechnologyNIST 800-147b BIOS/UEFI Protection
CAC 2-Factor AuthenticationRemote System Logs
Remote ConsoleVirtual Media
Directory ServicesArcSight Unique Connector
Kerberos 2-Factor Authentication
Automatic Secure RecoveryRuntime FW Verification
Secure Erase of NAND/NOR DataCommercial National Security Algorithms
Silicon Root of TrustFW Supply Chain Attack Detection
FIPS 140-2 Level 1 ValidationSecure made BIOS (TAA)Manual Secure Recovery
Authenticated UpdatesCommon Criteria
Single Sign-OnSecure Start
Measured BootUEFI Secure Boot
Agentless ManagementRemote Firmware Update
Trusted eXecution TechnologyNIST 800-147b BIOS/UEFI Protection
Silicon Root of TrustFW Supply Chain Attack Detection
FIPS 140-2 Level 1 ValidationSecure made BIOS (TAA)Manual Secure Recovery
Authenticated UpdatesCommon Criteria
Single Sign-OnSecure Start
Measured BootUEFI Secure Boot
Agentless ManagementRemote Firmware Update
Trusted eXecution TechnologyNIST 800-147b BIOS/UEFI Protection
CAC 2-Factor AuthenticationRemote System Logs
Remote ConsoleVirtual Media
Directory ServicesArcSight Unique Connector
Kerberos 2-Factor Authentication
Worlds Most Secure Industry Standard Servers
13
Build it In
Protect Silicon Root of Trust CNSA Suite Two Factor Authentication CAC Prevent Firmware Attacks from OS Secure Erase of NAND/User Data Common Criteria & FIPS 140-2 Level1 UEFI Secure Boot TPM 1.2 and 2.0 NIST 800-147b BIOS PCI-DSS Compliance Secure Supply Chain
Stop it Now
Detect Firmware Runtime Verification Chassis Intrusion Detection on
Most Servers HPE Rack Cabinet Door Detector Verified Boot Trusted eXecution Technology SIEM Tool Support Audit Logs Measured Boot
Recover it Fast
Recover Secure Recovery of Essential FW HPE Pointnext recovery services
HPE Secure Compute Technology
Secure: Locks down host interface to traffic
Mandates FIPS-level cryptography on network interface
Requires authentication & encryption on SW running on host
More Secure: Attack surfaces reduced: Disables non-FIPS interfaces (i.e., IPMI & SNMP v1)
Increased Cryptography
Federal Information Processing Standards
140-2 Level One
FIPS Validated
Most Secure: Requires iLO Advanced Premium Security Edition
Commercial National Security Algorithms: Highest level of security in the Industry
Unmatched by any competitors
Highest levels of cryptography (elliptic curve) on network interface
Requires installation of CNSA grade certifications
Includes all FIPS mode security protocols
Production Mode
CNSA Suite Mode
FIPS 140-2 Mode
High Security Mode
Security Mode Life Cycle
Secure Network
Maximum interoperability with existing software
Trusts OS authentication
Authentication & Authorization- Active Directory- LDAP- Open LDAP (new)- Kerberos 2-Factor Authentication- CAC 2-Factor Authentication (new)
HPE NIST Infrastructure (HNI)
15
FedRAMP
ISO 27001
DFARS
PCI-DSS
HIPAA
NERCHNI
The HNI pre-built NIST SP 800-53 security controls
PEN testing Vulnerability scan Security baseline
HPE Supply ChainOverview for Security
16
Supply Chain ProtectionSilicon Root of Trust Protects Against Inserting Malware Into Server Firmware
Analyzing & mitigating risks
Materials Suppliers
Logistics/Transportation Services
Manufacturers(Production/Assembly)
Warehouse/Distribution Centers
TS & Outsourced Service Support
Analyze Risks
Analyze Risks
Analyze Risks
Analyze Risks
PRODUCT
HPE Confidential
Close Gaps &Improve
Processes
Close Gaps &Improve
Processes
Close Gaps &Improve
Processes
Close Gaps &Improve
Processes
Secure SourcingBuilding security into every aspect of the product
Regulatory & Standards Compliance
Component Provenance and Sourcing Origin &
Traceability
Secure Product Measures, Controls, Features
Customer/Supplier Authentication
Security Labeling & Packaging & Anti-
Counterfeiting
HPE PointNextOverview on Security
20
Professional OperationalAdvisory and Transformation
Consume and optimizeDesign and implementEnvision and define
We help protect your digital enterpriseHPE Security and Protection Services
Adaptive Security and Protection Transformation Workshop
Security assessments: controls, compliance, architecture, vulnerability
Hybrid cloud protection advisory services Risk and business impact assessments Continuity and DR planning services Backup and recovery advisory services Operational security advisory services Data protection & privacy services
Hybrid IT security architecture & design Operational security architecture & design Security monitoring & incident management Security network log management Platform protection and compliance Aruba ClearPass lifecycle services Hybrid IT Network Security lifecycle services Backup & recovery design, implement, test StoreOnce integration services High availability and disaster tolerance
Foundation Care Services for Gen10 security features
Defective media retention services Data sanitation services Patch management services Cyber resiliency training Risk management & BC planning training Workforce security programs InfoSec skills & industry certifications
Thank you
22
ClearPass Real-time Policy-based Actions
Quarantiner Re-authentication Bandwidth Control Blacklist Role-change
DevicesPr