When it comes to software supply chain security, IT organizations have reason to worry.

Cybersecurity Ventures predicted that the global annual cost of cybercrime will reach $8 trillion in 2023. One security trend survey conducted last year found that supply chain attacks were impacting 62% of organizations. Another survey of 1,000 CIOs confirmed that 82% considered their organizations vulnerable to a software supply chain attack.

The SolarWinds supply chain attack in 2020, which affected approximately 100 private sector organizations, was a costly wakeup call for the industry. One security researcher recently identified 10 active software supply chain exploits that revealed how malicious actors have targeted organizations.

“The SolarWinds software supply chain was attacked two years ago, which unfortunately went unnoticed for several months,” said Anne Potten, trusted supply chain program lead at Hewlett Packard Enterprise Co., in an interview with theCUBE, SiliconANGLE Media’s livestreaming studio. “These things together and coming from multiple directions presents a cybersecurity challenge for an organization and, in particular, its supply chain.”

Protection at silicon level

HPE’s solution to the cybersecurity challenges confronting organizations is to take proactive steps toward mitigating supply chain risk. These steps rely on several key principles, including deployment of a silicon root of trust and zero-trust provisioning. The Silicon Root of Trust is firmware technology with security integrated directly into the hardware of HPE servers. The goal is to detect changes introduced by malicious actors and prevent exploitable code from hardware level penetration.

When HPE introduced its ProLiant Gen 11 servers in November, the company extended its Silicon Root of Trust capabilities through a Security Protocol and Data Model. This employs an open standards-based approach to monitor devices and authenticate them securely.

“We built on top of capabilities like our Silicon Root of Trust, which ensures that the firmware stack on these platforms is not compromised,” said Kevin Depew, senior director of future server architecture at HPE, in a recent interview with theCUBE. “Those continue in this platform and have been expanded.”

In addition to a Silicon Root of Trust, HPE has leveraged Project Aurora, launched in June 2021, to protect its systems. This initiative extends a root of trust to embedded platforms to automatically protect software deployments, operating systems and infrastructure. The company has integrated Project Aurora’s Trusted Platform Module into its ProLiant server portfolio to enable zero-trust security from edge to cloud.

“We’ve got a long way to go before we’re able to cover everything that HP sells,” said Sunil James, senior director for security engineering at HPE, in an interview with theCUBE. “But for us, these capabilities are the root of zero-trust architectures. You need to be able to, at any given moment, notice, verify, measure and attest, and this is what we’re doing with Project Aurora.”

Factory integrity

HPE has been focused on a trusted supply chain initiative that monitors the assembly of its servers in secure facilities. This led to the firm’s announcement in 2020 that it had become the only major server manufacturer to ship industry standard servers with U.S. country of origin, a designation deigned to assure supply chain verification.

In August, HPE announced an expansion of this program globally for its ProLiant server line. The Server Security Optimized Service for ProLiant audits the integrity of every hardware and firmware component and is designed to meet the needs of organizations with enhanced security and compliance needs.

“We can deliver this service in the European markets and now in the Asia-Pacific markets,” said Cole Humphreys, global server security product manager at HPE, in an interview with theCUBE. “It is a big deal for us, because now we have activated a meaningful supply chain security benefit for our entire global network of partners and customers.”

One of the key features in HPE’s delivery of a trusted supply chain involves its use of platform certificates and cryptographic signatures. After a server has been racked in a customer’s data center, these certificates and signatures validate that the components inside were present during assembly at HPE.

HPE’s use of cryptographic certificates has been built into the ProLiant process through implementation of features such as an HPE-exclusive immutable digital fingerprint and zero-touch onboarding. This latter safeguard is accomplished using iDevID, a cryptographic identity that prevents alterations to server access.

“IDevID, provisioned by the HPE factory, enables the organization to authenticate and authorize HPE systems via the local router before connecting to the network,” said Humphreys, in an HPE blog post. “With iDevID and Platform certificates, you can create your Zero Trust Edge from the ground up, knowing that the hardware your system depends on is in a secure, good state. For HPE servers, these technologies are built in.”

Collaboration with AMD

An extensive partnership with Advanced Micro Devices Inc. has played a significant role in HPE’s security initiatives. When the HPE ProLiant Gen10 server line was released in 2017, it included a secure processor embedded in the AMD EPYC system which tied into a Silicon Root of Trust at the firmware level.

With the release of the ProLiant Gen11 server line in November, HPE has continued to rely on AMD for processor support. The latest generation is powered by AMD’s 4th Generation EPYC 9004 Series processors that includes built-in silicon authentication. AMD’s Infinity Guard technology and Secure Boot capabilities extend a root of trust to protect system BIOS. “AMD has a lot of security capabilities, like their memory encryption technologies, their AMD secure processor, their secure encrypted virtualization, which is an absolutely unique and breakthrough technology to protect virtual machines and hypervisor environments,” said HPE’s Depew in an interview with theCUBE. “We know we can’t solve the problem alone, and we know the issue is huge.”

AMD’s partnership with HPE has extended beyond silicon-level security. The two companies are actively pursuing several initiatives to advance environmental sustainability. Central to this work has been the concept of a carbon negative computer. In 2020, HPE won a $160 million contract from the European High Performance Computing Joint Undertaking project to build a supercomputer that would be based in Finland. The result was LUMI, the third-fastest supercomputer in the world.

As supercomputers have become increasingly more powerful and faster, they also consume more energy. The average high-performance machine can consume between 1 to 10 megawatts of power, the equivalent of what it takes to power 10,000 homes.

AMD and HPE addressed this issue by designing LUMI to run on 100% renewable resources. Up to 200 megawatts of energy can feed LUMI through hydropower, and its waste heat is repurposed to warm homes in Finland’s city of Kajaani. The collaboration is aimed at creating sustainable initiatives that benefit the global community, an expectation from shareholders that HPE is striving to meet.

“Shareholders now want to invest in companies that take care of how we make the world not just more inclusive and equitable, but also how we make it more sustainable,” said Antonio Neri, HPE’s president and chief executive, in an interview with theCUBE. “With our technologies we can make the world way more sustainable. I’m encouraged by the progress, but we need to do way more.”

By: DocMemory
Copyright © 2023 CST, Inc. All Rights Reserved