HPE Trusted Supply Chain Initiative Hardens Security

HPE says its Trusted Supply Chain initiative, launched Thursday, will deliver the highest level of security in its products. These offers target U.S. federal, public sector, banking, financial services and health care customers who demand it. The U.S.-sourced products will offer verifiable cyber assurance.

The first HPE server produced in compliance with the Trusted Supply Chain process is the HPE ProLiant DL380T. It’s shipping in the U.S. Expect to see other products in the portfolio in 2021.

HPE’s Bob Moore

“As with our other servers, products produced through the HPE Trusted Supply Chain will be available through the channel,” Bob Moore, director of product security at HPE, told Channel Futures. By having an additional facility to manufacture products, we are increasing resiliency for supply chains building and shipping our products. Overall, this improves distribution, including for our channel partners.”

HPE Responds

HPE’s Trusted Supply Chain is a response to customer needs.

• It provides a U.S. supply base with additional security measures for U.S. customers that prefer U.S.-sourced products.
• There’s compliance with the National Defense Authorization Act. This includes the latest addition which prohibits components and IT products sourced from Chinese companies.
• It provides supply chain resiliency to address the impact that the COVID-19 pandemic has had on global supply chains.
• It strengthens security capabilities to ensure customers are getting the configuration they ordered, and that it is not tampered with or has unauthorized modifications to it.

“Overall, there is need from customers to reduce supply chain risk. By having a U.S. supply base with HPE employees personally involved in managing the process, we are monitoring for – and reacting to – any potential risk,” said Moore.

HPE products with the advanced security features use embedded silicon-based security in industry-standard devices. Vetted HPE employees build these products in highly secure U.S.-based facilities.

Unique Security Designation

In September 2019, HPE-exclusive silicon root of trust and Aruba Policy Enforcement Firewall were among the first group of cybersecurity solutions to receive a Cyber Catalyst designation from Marsh. Marsh is an insurance broker and risk adviser. The designation is part of a unique evaluation program to help businesses with their buying decisions.

Seventeen solutions were recognized with the designation. In addition to HPE and Aruba are BigID Data Privacy Protection and Automated Compliance, CrowdStrike Adversary Emulation Penetration Testing, Crowdstrike Falcon Complete, Digital Guardian Data Protection Platform, FireEye Email Security, FireEye Endpoint Security, Forescout Device Visibility and Control Platform, HackerOne Bounty, KnowBe4 Security Awareness Training and Simulated Phishing Platform, Mimecast Secure Email Gateway with Targeted Threat Protection, Perspecta Labs SecureSmart critical infrastructure monitoring solution, RSA SecurID Suite, Trustwave DbProtect, Virsec Security Platform, and Zingbox IoT Guardian.

Why do it?

There are beneifts for organizations that adopt the Cyber Catalyst designated solution. They may be considered for enhanced terms and conditions on individually negotiated cyber insurance policies with participating insurers.

HPE’s Mission

HPE is dedicated to providing customers with the highest level of cyber assurance. The new HPE servers that are part of the Trusted Supply Chain will offer comprehensive end-to-end data protection. There is a pre-installed layer of hardened security before the server ships to customers.

On top of that, hardened security features offer additional benefits.

• Prevents booting of any compromised operating system. It does this by using new hardening to connect the server firmware security to the operating system by activating the UEFI secure boot.
• Reduces attack surface by placing servers in high security mode to verify user authenticity.
• Prevents tampering of server firmware and hardware using server configuration loc. This verifies unauthorized addition of options (NICS, drives) or malicious activity by capturing the inventory or a “picture” of the server, its hardware and firmware at the factory to provide protection throughout the supply chain process.
• Alerts customers with embedded alarm and physical lock. As a result, users are notified if the server has been opened during the supply chain process when an intrusion detection latch, inserted on the server chassis, registers unauthorized opening even if the power is off.

In 2021, HPE plans to expand production through the HPE Trusted Supply Chain to include its other servers and systems. HPE will make additional made-in-Europe choices available for European customers in 2021.

All new HPE servers produced through the HPE Trusted Supply Chain will be offered as a service through HPE GreenLake for a highly secure cloud experience.