UPDATED 18:00 EDT / JUNE 24 2020

Q&A: Trust nothing and forget perimeters: It’s all about intrinsic security

Most chief information security officers are well aware that building extrinsic security is key to protecting high-value assets, services, and workloads, enclosed within a perimeter. But building perimeters and attempting to control external situations is an outdated security strategy, according to Dave Husak (pictured, left), fellow and general manager of the Cloudless initiative at Hewlett Packard Enterprise Co.

In the modern software world, ephemeral endpoints, containers and short-lived serverless code cannot be protected by a perimeter. A better approach is to design security in from the inside — intrinsically, Husak added. Intrinsic security strategies do not automatically trust anything outside the perimeter, or even communication that originates inside it. In other words: zero-trust security.

“Cryptographic identity is fundamental to zero-trust security because we’re no longer relying on intermediary devices, firewalls, or other kinds of functions to authorize those communications,” Husak said. “So the idea of building cryptographic identity into all workload endpoints, devices and data is sort of a cornerstone of any zero-trust security strategy.”

Husak and Dave Larson (pictured, right), vice president and chief technology officer of the cloudless initiative at HPE, spoke with Stu Miniman, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the HPE Discover Virtual Experience event. They discussed HPE’s Cloudless Computing and zero-trust principles. (* Disclosure below.)

[Editor’s note: The following has been condensed for clarity.]

Where does security fit into HPE overall … and [tell us about] interest around cloudless. 

Husak: The most important aspect [of the initiative] was the Cloudless Trust Fabric, which was built on the idea of intrinsic security for all workload endpoints. The way I like to say it is that we have entered an era of security-first in IT infrastructure. It’s no longer going to be practical to build IT infrastructure and then have products that secure it. You know, build perimeters, do micro-segmentation, or anything like that. Workload endpoints need to be intrinsically secure.

And, so, a lot of the principles applied in the Cloudless Trust Fabric are those zero-trust principles, are based on cryptographic workload identity, and leverage unique aspects of HPE’s products and infrastructure that we’ve already been delivering. 

Applications are at the core of what we’ve looked at in cloud-native — it’s new architecture, it’s new design principles. So, what are HPE’s thoughts as to how security fits into that? 

Larson: The way we see it is that the transition is moving to a modality where all services, all workloads, all endpoints can be mutually attested, cryptographically identified in a way that allows a zero-trust model to emerge. 

So from an HPE perspective, the area where we build is from the bottom up: we have a silicon root of trust in our server platform. It’s part of our iLO 5, the Integrated Lights-Out baseboard management controller. We can actually deliver a discrete and measurable identity for the hardware and project it up into the workload, into the software realm.

I heard you mention identity; it makes me think of the Scytale acquisition that HPE made early this year. And SPIFFE, of course, is the project that had gotten quite a bit of attention. Can you give us a little bit as to how that acquisition fits into this overall discussion we were just having?

Husak: We acquired Scytale into the initiative. We were delighted to bring the team on board, not only from the standpoint that they are the world’s experts, original contributors, and moderators and committers in the stewardship of SPIFFE and SPIRE — the two projects in the CNCF, but … the impact they’re going to have on HPE’s product development, hardware and software, is going to be outsized.

So like you pointed out, SPIFFE and SPIRE are, right now, the world’s leading candidate as sort of the certificate standard for cryptographic workload endpoint identity. And we’re looking at that as a very fundamental enabling technology for this transformation that the industry is going through.

How do we make sure a policy is enforced? Who’s actually making sure that things happen? 

Larson: The more we try to centralize security with discrete appliances, that’s some kind of a chokepoint. The combinatorial explosion of policy declarations that are necessary in order to achieve the solution becomes untenable. There is no way to achieve the right kind of policy enforcement unless we get as close to the actual workloads themselves [and] unless we implement a zero-trust model where only known and authorized endpoints are allowed to communicate with each other.

How does HPE differentiate from everything else out there? And how are you taking the leadership position?

Larson: The real differentiation for us is that HPE was the market leader for industry-standard servers from a security perspective. Three years ago, our ProLiant Gen10 servers had the silicon root of trust, and we’ve shipped more than a million-and-a-half servers into the market with this capability, which is unique in the market. And we’ve been actively extending that capability so that we can project the identity not just to the actual hardware itself, but bind it, in a multi-factor sense, to the individual software components that are hosted on that server.

Husak: The depth and the breadth of our installed base of platforms that are already zero-trust-ready, coupled with the identity technology that we’re developing in the context of the Scytale acquisition and my work in building the Cloudless Trust Fabric, are the cornerstones of these architectures.
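As an added illustration (not code from HPE, Scytale or the SPIFFE project) of what “only known and authorized endpoints are allowed to communicate” looks like once workloads carry a SPIFFE identity: the Python below validates a SPIFFE ID of the form spiffe://trust-domain/path against the SPIFFE ID specification’s character and structure rules, then applies a default-deny allowlist. The trust domain and workload paths are constructed sample values; in a real deployment the peer’s ID would be read from the URI SAN of the X509-SVID it presents during mTLS.

```python
import re

# Character sets from the SPIFFE ID specification: a trust domain uses
# lowercase letters, digits, '.', '-' and '_'; path segments also allow
# uppercase letters. Query, fragment, userinfo and port are never allowed.
_TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")
_PATH_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")
_MAX_LEN = 2048  # spec maximum for a SPIFFE ID string


def parse_spiffe_id(uri: str) -> tuple[str, str]:
    """Validate a SPIFFE ID and return (trust_domain, path).

    Raises ValueError on any malformed input: a zero-trust policy point must
    refuse an identity it cannot parse rather than normalise it.
    """
    if len(uri) > _MAX_LEN:
        raise ValueError("SPIFFE ID too long")
    # Scheme must be literally 'spiffe' in lowercase, followed by '//'.
    if not uri.startswith("spiffe://"):
        raise ValueError("SPIFFE ID must start with spiffe://")
    rest = uri[len("spiffe://"):]
    trust_domain, slash, path = rest.partition("/")
    if not _TRUST_DOMAIN_RE.fullmatch(trust_domain):
        raise ValueError("invalid trust domain")
    if slash:
        if path == "":
            raise ValueError("trailing slash is not allowed")
        for segment in path.split("/"):
            # Empty, '.' and '..' segments are forbidden to block traversal
            # tricks such as spiffe://td/ns/prod/../admin.
            if segment in ("", ".", "..") or not _PATH_SEGMENT_RE.fullmatch(segment):
                raise ValueError(f"invalid path segment {segment!r}")
        return trust_domain, "/" + path
    return trust_domain, ""  # a bare trust-domain ID has an empty path


def authorize(peer_id: str, trust_domain: str, allowed_paths: frozenset) -> bool:
    """Zero-trust peer check: the identity must parse, belong to our trust
    domain and match an explicitly allowed workload path. Default deny."""
    try:
        td, path = parse_spiffe_id(peer_id)
    except ValueError:
        return False
    return td == trust_domain and path in allowed_paths


# Constructed sample policy: the payments service accepts only the frontend.
PAYMENTS_POLICY = frozenset({"/ns/prod/sa/frontend"})
```

A call such as `authorize("spiffe://example.org/ns/prod/sa/frontend", "example.org", PAYMENTS_POLICY)` returns True, while a peer from another trust domain, an unlisted path, or a malformed ID is rejected.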

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the HPE Discover Virtual Experience event. (* Disclosure: TheCUBE is a paid media partner for the HPE Discover Virtual Experience. Neither Hewlett Packard Enterprise Co., the sponsor for theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
