Firmware security is the Achilles’ heel of IT infrastructure. An organization can spend huge amounts of money on sophisticated security solutions, but if firmware is breached, threat actors can take control of a machine and bypass even the most stringent protections.

This issue led the U.S. government to assess IT supply chain vulnerabilities and release a set of solutions last year for securing critical infrastructure. The government also urged the private sector to take steps in prioritizing supply chain protection.

One of the companies that has been active in this area is Hewlett Packard Enterprise Co., which has made a series of announcements over the past year designed to extend a Trusted Supply Chain initiative launched in October 2020. An executive closely involved in this initiative is Cole Humphreys (pictured), global server security product manager at HPE. Humphreys recently sat down for an exclusive interview with SiliconANGLE to discuss HPE’s approach to server supply chain security and how the company is striving to create a meaningful solution based on trust in the customer relationship.

“It’s not just ‘you give us money and we give you product,’” Humphreys said. “If we can take a best practice and apply it in a way that is a supply chain security service, that’s meaningful. We know it’s important for our customers to trust us.”

This feature is part of SiliconANGLE Media’s ongoing series exploring the latest hardware developments from Hewlett Packard Enterprise Co. as it responds to shifting enterprise cloud models.

Cryptographic verification

The concept of meaningful supply chain security is one that HPE has been developing with the introduction of new server generations. When the company launched its new ProLiant RL300 Gen 11 server last June, it followed up with an expansion of its supply chain security program.

The HPE Server Security Optimization Service for ProLiant includes platform certificates that provide users with cryptographic verification that a server has not been tampered with, from the time it leaves HPE’s manufacturing facility to when it arrives at the customer’s doorstep.

“When it leaves HPE’s trusted factory and shows up later at some site, what has happed to this box on its journey?” Humphreys asked. “We’ve loaded up credentials on the server. You can attest these servers out of your supply chain.”

HPE’s goal is to engineer its server platform with security that will protect infrastructure, workloads and data from hardware and third-party software threats. A key component of this approach involves a “Silicon Root of Trust,” firmware technology integrated directly into the hardware level of HPE servers. By baking security into firmware, HPE believes that an immutable fingerprint in the silicon can provide advanced levels of protection against attacks.

“Our tagline is ‘Security By Design,’” Humphreys said. “It’s a security architecture. We are going to be more future-proofed with Gen 11.”

Operational attacks

HPE’s focus on a silicon root of trust points toward an important trend in today’s cybersecurity landscape. Threat actors are increasingly targeting industrial control and operational technology systems, as documented in a recent report from Dragos Security, which noted a 35% increase in 2022 in the number of ransomware groups attacking those two sectors.

“The real attacks are happening in the operating environment,” Humphreys said. “That is tough to control at the infrastructure layer.”

To address this concern, HPE has deployed GreenLake for Compute Ops Management, a cloud-native management console for accessing, monitoring and managing servers. GreenLake is a key element in HPE’s overall enterprise strategy, and this solution includes an ability to easily establish governance and compliance controls across the server environment while more efficiently monitoring performance and deploying updates.

“It’s now monitoring that server that has been trusted using credentials,” Humphreys said. “One of the easiest things you can do is just update the firmware, but some customers don’t have the people. You make it easier for people who don’t have armies of engineers.”

Industry partnerships

To help secure operational IT and server environments, HPE has cultivated partnerships to deliver its solutions. Two of these alliances highlighted by Humphreys involve VMware Inc. and Microsoft Corp. VMware and HPE have a collaboration that spans more than two decades, and it has included the delivery of GreenLake to VMware’s global cloud suppliers while enabling customer control over workload deployment. Supply chain security and data privacy have been a major joint focus as well.

With Microsoft, HPE has developed a secured-core server program that combines hardware, firmware and driver capabilities for in-depth protection against advanced threats in conjunction with the Windows Server operating system.

“We can partner with just about anyone at scale,” Humphreys said. “We do it because it’s better for customers, and that’s what they need.”

HPE’s involvement in supply chain security has meshed conveniently with Humphreys’ career. As a captain in the United States Air Force, Humphreys gained experience in procurement and tackling the logistical complications involved in supplying a major branch of the U.S. military.

“As an officer I was in a logistics role, procurement,” Humphreys recalled. “I was exposed to the whole logistics of the supply chain.”

He ended up working closely with the Department of State on logistics and gained knowledge in technology through the agency’s acquisition of servers, cameras and other equipment needed to run a global network of embassies. Experience in product category management for Hewlett Packard in the 2000s led to a marketing position with Rackspace and responsibility for building the hybrid cloud. He has been in product management positions with HPE since 2014.

“Technology is always moving and shaking,” Humphreys said. “I really wanted to be on the product side.”

Being on the product side has given Humphreys an appreciation for the important role that security plays not just in data protection but in reputation protection as well. The enterprise world is replete with businesses that failed to protect systems and data, resulting in breaches which caused enormous harm to the company brand.

“Security and data privacy only needs to be messed up once,” Humphreys noted. “I think I have credit monitoring forever because of the breach of trusted controls from some of the financial services companies I’ve used.”

Trust is the key word here. HPE’s approach to security is based on an understanding that customers expect protection solutions to work and prevent the catastrophic loss of data. Humphreys is mindful of why supply chain security matters to the major multinational firms that use HPE products.

“Some of the most critical workloads in the world are running on our servers,” Humphreys said. “These are really important jobs.”

Photo: Cole Humphreys