Server security starts with corruption-free server manufacturing and auditing the integrity of every component, including hardware and firmware—ensuring that the server begins its lifecycle uncompromised. HPE ProLiant Gen10 Plus v2 servers with AMD EPYC™ processors are now available with the HPE Trusted Supply Chain initiative option, helping secure product lifecycles through the supply chain and beyond.
The security journey
I find that many organizations these days believe that the security health of their IT environment begins once they receive, turn on, and operate their equipment. But what many fail to realize is that the security journey of their IT products really begins with a secure supply chain, in transit during shipping, or even on the factory floor where they are being built. Server security starts with corruption-free server manufacturing and auditing the integrity of every component, including hardware and firmware—ensuring that the server begins its lifecycle uncompromised.
There have been growing concerns that products delivered to a customer’s data center from supply bases that are not properly vetted can contain rogue tiny chips, malware, or compromised code. Without having an assurance of where their new IT products came from, or who had access to them, customers are now focusing on critical processes—including the manufacturing, distribution, and delivery aspects of a product’s lifecycle for assurance that products delivered to their data centers are free from unauthorized activity.
Securing product lifecycles through the supply chain and beyond
As part of this broad supply chain security initiative, HPE is offering the world’s most secure, industry-standard servers that are built in secure HPE facilities to the most stringent codes and conformance requirements of Country of Origin USA. We are further expanding and securing our supply chain with the launch of the HPE Trusted Supply Chain initiative option which is now available with HPE ProLiant Gen10 Plus v2 servers with AMD EPYC processors.
Putting security at the heart of our products is our priority at HPE. To expand on that commitment, we have extended secure capabilities from within the several HPE ProLiant servers, to the physical hardening of the silicon level. This helps protect the server from tampering and any unauthorized activity from the time it is manufactured, during distribution and shipping, and throughout its lifecycle – even after it’s made it into a customer’s hands. This helps our current supply chain processes and procedures address regulatory standards for cybersecurity, such as the National Defense Authorization Act. The HPE ProLiant DL385 Gen10 Plus v2 can now be manufactured in secure HPE facilities for customers and industries that may require servers that have the United States as the country of origin.
AMD EPYC processors provide leadership performance for computing challenges but also help keep data secure. With the modern “ZEN” architecture, AMD takes a unique approach to help to keep your data safe. AMD Infinity Guard provides a unique and robust set of security features, including Secure Encrypted Virtualization (SEV) and Secure Memory Encryption (SME), that help complement industry ecosystem partners at the software and system levels. These processors are designed to be resistant to today’s sophisticated attacks, and help protect your sensitive data, avoid downtime, and reduce resource drain.
Increasing supply chain resiliency and server security
The HPE Trusted Supply Chain initiative responds to customers’ increasing concerns about supply chain security by assigning vetted U.S. HPE employees to the manufacturing process, lowering the risk for any unauthorized or rogue firmware or components to be inserted into our compute products.
And we even take it further than that by hardening our products, produced through the HPE Trusted Supply Chain, with a series of HPE-exclusive security features. These security features are an extension to our built-in and award-winning feature, the HPE-exclusive Silicon Root of Trust technology, which protects over 4 million lines of firmware from malware or ransomware and provides protection to millions of HPE computing products around the world.
Each of our security capabilities and processes further lock down the server and ensures the product is secure, not only during the supply chain process but also during run-time operations.
The HPE ProLiant DL385 Gen10 Plus v2 will ship with these five security features activated at the U.S. factory:
Placing servers in high-security mode. Our servers always ship to customers in production mode, but the HPE ProLiant DL385 Gen10 Plus v2 will also be placed into a high-security mode at the HPE factory in the U.S. This feature, invoked through iLO commands, reduces the attack surface for cyber attackers, making it more difficult to insert compromised code or malware into the server firmware. This mode locks down the host and requires specific authentication through encryption before any user can log into the server. Naturally, this makes it much more difficult for cyber criminals to gain access to our HPE ProLiant DL385 Gen10 Plus v2.
Enabling the UEFI Secure Boot feature. For customers who ask HPE to load their operating system at the factory, we enable the UEFI Secure Boot, which connects the HPE Silicon Root of Trust to the OS. An industry-recognized feature, affixing the UEFI firmware to the boot loader ensures the genuine and authenticated OS is initialized. If the customer chooses to load the OS on their own, this feature may be engaged once the HPE ProLiant DL385 Gen10 Plus v2 is delivered to the end-user location. Anti-virus software cannot detect hackers or an intrusion until the OS is fully running. Some astute bad actors try to compromise the OS before its anti-virus tools have a chance to start. The HPE UEFI Secure Boot ensures that doesn’t happen.
Ensuring the HPE Server Configuration Lock. This takes cryptographic measurements, or images, of all the HPE ProLiant DL385 Gen10 Plus v2 firmware, hardware components, and options and creates a log inside the server. If any firmware, hardware, or options are altered, an immediate alert at boot-up is registered. Enabling this feature at the HPE factory essentially prevents all tampering or compromise to the server composition, no matter how slight. This feature uses a password, created by HPE, to lock down the server configuration at the factory. That password is then transmitted securely to the customer, who will unlock the server once it arrives. For customers who need to create some additional configuration to the server, perhaps through a reseller or partner, that password can unlock and then relock the server before it ships to the final destination. Thus, HPE is providing the ultimate security – along with flexibility for customers – simultaneously.
Commissioning the HPE Chassis Intrusion Detection device. This mechanism protects the HPE ProLiant DL385 Gen10 Plus v2 from physical intrusion. Complementing and reinforcing the protection from the Server Configuration Lock, the Chassis Intrusion Detection Device registers an alert if the top of the server chassis is removed. Like an electronic deadbolt on your door, it logs an audit alert in the iLO firmware, even if the server does not have power. If any cyber attacker or unauthorized personnel ever open the server chassis, our customers will know someone has potentially been tampering with the server.
Authorizing specialized delivery services: These services include a dedicated truck and driver, if requested, to safely transport and deliver the HPE ProLiant DL385 Gen10 Plus v2 – right from the HPE factory to the end-user location. As an additional service, delivery options available to customers are the express service and the premier service. Through these options, customers may also request that HPE deliver, set up, and operationalize our HPE products in their data center. Once again, HPE offers high levels of security without sacrificing the flexibility customers need in their diverse and sometimes remote IT locations.
Federal government, state and local agencies, healthcare, and financial services industries
Cybersecurity concerns generally transcend all market segments. No one wants to be the next government agency or company to have a breach as we’ve seen all too often in the past. We believe our new HPE Trusted Supply Chain initiative will be particularly for agencies or customers who are on the leading edge of cybersecurity protective requirements in federal, financial, and healthcare markets.
The HPE ProLiant DL385 Gen10 Plus v2 with the Trusted Supply Chain initiative option is perfect for our highest security-conscious customers. Many of those users are in the government sector and currently must comply with numerous regulations like the Defense Federal Acquisition Regulation Supplement (DFARS) and the Federal Acquisition Regulation (FAR), along with National Defense Authorization Act (NDAA). The financial services industry is also under numerous requirements for safeguarding the privacy of personal and monetary information of their clients. Finally, the healthcare industry has strict certification requirements, like HIPAA, requiring absolute patient information protection.
The HPE Trusted Supply Chain initiative not only builds security from the ground up, it also enables HPE to manufacture and deliver products securely through our supply chain, directly to our customer locations.
As always, HPE is extending its leadership
HPE is, once again, out in front when it comes to protecting our customers. Watching the prevailing trends of supply chain issues, we’ve taken security of production and supply chain to a new level.
There is also always the concern about keeping products secure and importing from off-shore locations. HPE is taking a leadership position in addressing all these issues, with additional high-security features installed right at the factory. Of course, all the current HPE products undergo the strictest standards for cybersecurity protection throughout our supply chain process. As cyberattacks escalate in today’s uncertain environment, HPE is extending our product offering by adding the ProLiant DL385 Gen10 Plus v2 servers with AMD EPYC processors to our Trusted Supply Chain initiative.
Protecting and keeping our customers safe from cyber attackers has always been one of our highest priorities at HPE. For more information on our secure products, please check out:
- Hewlett Packard Enterprise becomes the only major server manufacturer to ship the world’s most secure industry-standard servers with U.S. Country of Origin
- HPE ProLiant Gen 10 Servers- Choose the Most Secure Server on the Planet
- AMD Infinity Guard features vary by EPYC™ Processor generations. Infinity Guard security features must be enabled by server OEMs and/or Cloud Service Providers to operate. Check with your OEM or provider to confirm support of these features. Learn more about Infinity Guard.
- Trust never sleeps: Why hardware roots of trust are essential for security
- HPE Compute Security
Christina Austin Tiner is a veteran marketing leader in the Information Technology industry, having contributed to the server business for over 20 years. She has served in a variety of roles that include worldwide product management for Compaq and HP, director of product management for the Apollo line of HPC platforms, director of product management for Dell PowerEdge C servers, and group manager for the worldwide product marketing team responsible for the ProLiant enterprise rack server portfolio.
She is currently the AMD Alliance Marketing Manager for HPE.
Compute Experts
Hewlett Packard Enterprise
twitter.com/hpe_compute
linkedin.com/showcase/hpe-servers-and-systems/
hpe.com/servers