The News: This week at HPE Discover, HPE’s flagship annual event, the company made a number of key announcements concerning foundational technologies we can expect in the coming months. HPE’s Project Aurora, a new zero trust offering, will debut later in 2021 as part of the GreenLake hybrid cloud platform. Project Aurora’s capabilities are intended to help enterprises rebuild their security posture and address how to secure IT platforms from edge to cloud. Gary Campbell, Fellow, HPE Vice President and Chief Technology Officer for Security, announced Project Aurora in a blog post this week.
HPE’s Project Aurora Launches, a New Zero-Trust Offering to Help Address Security Concerns
Analyst Take: HPE’s Project Aurora will initially roll out within HPE GreenLake Lighthouse to automatically and continuously verify the integrity of the hardware, firmware, operating systems, platforms, and workloads, and will also include workloads from security vendors. This continuous attestation will enable HPE to detect advanced threats in seconds, compared to a reported average of 24 days, helping to minimize loss and unauthorized encryption (and corruption) of valuable data and intellectual property.
HPE’s Project Aurora builds upon the company’s Silicon Root of Trust technology that is recognized by insurers in the Cyber Catalyst program created by Marsh. Cyber Catalyst is a cybersecurity evaluation program that enables customers that adopt designated technologies to be considered for enhanced terms and conditions on cyber insurance policies from participating insurers. Together, these capabilities hold immutable measurements that originate from the factory floor. Project Aurora uses these measurements to initiate the continuous chain of trust.
In the months ahead, HPE plans to embed open-source technologies like SPIFFE and SPIRE into Project Aurora to enable DevSecOps engineers to deliver workload identities rooted in continuously verified HPE hardware. HPE also outlined plans to roll out capability across all HPE GreenLake cloud services and HPE Ezmeral software platforms.
Three-pronged Hardware Engineering Approach
HPE’s Project Aurora is fundamentally based on three levels of value-added security engineering, which include the following:
Increase data value through attestation and verification. Rooted at the silicon layer, HPE’s Project Aurora helps ensure the fidelity of data by continuously attesting supply chain, infrastructure, operating systems, platforms, and workloads to identify malicious code in the operating environment.
Accelerate innovation by laying a zero trust foundation. HPE’s Project Aurora delivers a zero-trust model rooted in hardware, which increases engineering velocity by standardizing and automating authentication flows from silicon to the cloud.
Identify attacks and protect investments. HPE’s Project Aurora continuously identifies zero-day attacks and advanced persistent threats to thwart loss and corruption of mission-critical business intelligence.
Why HPE’s Project Aurora Launch Matters
Why does this launch matter? With the increased threat landscape, polarization of global trade and the reality that nation states are using cyberattacks to drive national agendas, merely deploying software-based approaches and then focusing on compliance standards such as ISO27001 is not enough. Regardless of where a device is located, either in the public cloud or operated on-premises, it is susceptible to cyberattacks. The stakes for organizations are high, and the threat vectors and attack surfaces are numerous. With the increased deployment of edge computing, the threat surface and lack of pervasive control only increase.
What HPE is doing at the silicon and firmware level will have to become more pervasive. As I mentioned earlier, HPE’s Project Aurora builds upon HPE’s Silicon Root of Trust approach, which is HPE’s hardware-validated boot process built to ensure a system can only be started using code from an immutable source. This approach involves an anchor for the boot process rooted in hardware that cannot be updated or modified.
We recently covered the rise of Confidential Computing in a report which covered how the large vendors are looking to go beyond compliance-driven approaches and software-based solutions, deeper toward the silicon (The Rise of Confidential Computing. Trust: The New Battlefield in the Age of Digital Transformation). The move from Operational Trust to Technical Trust is a huge shift in approach and, if the current trajectory continues, will form the basis for securing compute platforms going forward.
With HPE’s Project Aurora, we see this foundation combined with a cryptographically secured signature, therefore ensuring there are no accessible gaps for hackers to exploit. If a hacker inserts a virus or compromised code into the server firmware, the configuration of the firmware is changed, creating a mismatch to the digital fingerprint embedded in the silicon. We will see this approach increase where code is digitally signed ideally closer to the silicon and firmware. I also envision this approach playing a more prevalent role in how code is attested in a CI/CD pipeline model.
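The fingerprint mismatch described above can be shown with a generic measured chain of trust. This is an added example, not HPE's code and not a description of how Project Aurora or Silicon Root of Trust is implemented; the stage names, the image bytes and the TPM-style extend operation are assumptions chosen for illustration.

```python
import hashlib

# Boot order of the measured components (constructed names, for illustration).
STAGES = ["firmware", "bootloader", "os_kernel", "workload"]

def extend(register: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measure(images: dict) -> list:
    """Return (stage, register value after that stage) in boot order."""
    register, log = bytes(32), []
    for name in STAGES:
        register = extend(register, images[name])
        log.append((name, register))
    return log

def attest(images: dict, reference: list):
    """Compare a fresh measurement with the reference taken at provisioning.

    Returns (True, None) on a match, else (False, first diverging stage).
    Every later stage also mismatches, because each register value folds in
    all earlier ones; that is what makes the chain tamper-evident.
    """
    for (name, got), (_, want) in zip(measure(images), reference):
        if got != want:
            return False, name
    return True, None

# Constructed sample images; real inputs would be the bytes of each component.
GOOD = {
    "firmware": b"fw v1.0",
    "bootloader": b"loader v2.3",
    "os_kernel": b"kernel 5.10",
    "workload": b"app build 42",
}
# Stands in for the immutable measurement recorded before deployment.
REFERENCE = measure(GOOD)

# Same system with one modified component (constructed).
TAMPERED = dict(GOOD, bootloader=b"loader v2.3 + implant")

if __name__ == "__main__":
    print(attest(GOOD, REFERENCE))
    print(attest(TAMPERED, REFERENCE))
```

The comparison is only as trustworthy as the place the reference is kept, which is why the article stresses an anchor in hardware that cannot be updated or modified.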
I believe the market is looking for this type of deep engineering. The majority of current security approaches require overhead from a manpower and investment perspective. With security engineering finding its way close to silicon and firmware, the burden of security will move from the organization to the vendor to provide the solution. This approach will be less prone to human error and be less costly to implement.
I look forward to seeing more of these zero-trust offerings as they make it to the market later in 2021 and will then be able to fully digest how HPE plans to deliver on the promises made this week at HPE Discover. That said, this approach of driving security focus further toward the silicon is, I believe, where the industry needs to be heading.
The other misnomer with HPE is that some incorrectly view the organization as an OEM hardware vendor and not a security vendor. As Confidential Computing accelerates and security gets closer to the silicon and firmware layers, I believe we’ll begin to see vendors such as HPE capturing more of the narrative as it relates to solutions for handling the increasing volume and scale of cyber security threats. My team and I at Futurum Research firmly believe that organizations need to adopt a holistic approach to their security posture to position themselves appropriately. That also means tracking the hardware OEM vendors as part of the solution providers and not just the traditional software vendors in this space.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.