Securing the edge: trust nothing, verify everything

Tuesday, January 18 2022 05:14

As the edge expands, so does the attack surface of your organization. Do you have the foundational elements of a Zero Trust Edge strategy? Learn more about HPE iLO iDevID and Platform Certificates.


Octopuses are one of the smartest animals on earth. After all, nine brains are better than one. Of the cephalopod's 500 million neurons, nearly two-thirds reside in its limbs. With a mini brain in each of its eight arms, octopuses thrive through delegation: each arm can act independently, allowing the animal to react faster when a predator comes its way.

Oddly enough, that’s the basic theory behind edge computing—decentralize decision-making so that critical workloads at the outer boundaries of your network can operate faster and with greater agility.

And the edge is here, whether you’re ready or not. The world will use 125 million more laptops and tablets and 470 million fewer desktop PCs this year than last as workforces disperse from the office to the home. What’s more, enterprises are adopting the Internet of Things at unprecedented rates, with more than 200 known IoT applications in enterprise settings, not to mention smart homes, connected cars, and WiFi-guzzling refrigerators.

As your company inevitably ventures beyond the traditional “data center castle,” how are you going to keep your network secure while still achieving the speed and agility promised by the edge?

The cracks appear

The ancient Japanese art of Kintsugi—where broken pottery is mended with gold or silver—is not one you want your IT to start practicing. Expensive patching and workarounds can compromise the integrity of your security. Yet, that’s the method most enterprises are using to adapt to cloud-based applications and distributed workforces.

Cloud-delivered SaaS applications sit outside of the corporate LAN “moat,” requiring complex patches and retrofitted protocols to keep secure. Employee devices, especially BYOD laptops and tablets, create additional exposure to attackers and human error. And onsite management software cannot extend to the cloud, leading many organizations to simply add WAN optimizers and firewalls rather than implementing a comprehensive, cloud-native security solution.

These problems can be exacerbated at the edge, where IoT devices and localized services hoard bandwidth and bottleneck WAN traffic. Often, these environments require their own distributed security elements located onsite.

How can enterprises keep all of these devices communicating with each other without opening new cracks for bad actors to infiltrate their systems?

Trust nothing

As the edge expands, so does the attack surface of your organization. Perhaps nowhere is this expansion taking place as rapidly as in the telco industry, where the promise of vast 5G infrastructure gets closer every day. 5G has driven companies to integrate and merge their networks, cloud, and communications architecture, connecting everything from mobile base stations, points of presence (PoPs), and central offices to deliver a virtualized infrastructure that supports new services and applications.

To secure their ballooning attack surface, telco companies are adopting a zero-trust edge (ZTE) framework. Already common in data centers, zero-trust architecture grants no implicit trust based on network location: every user, device, and workload must authenticate on each access, and hardware and software must repeatedly prove they are still in the known-good state they were in the last time they were considered safe. At the edge, this philosophy requires sophisticated technology to implement without slowing down critical processes and workloads.

A ZTE solution brings together concepts from Zero Trust Networking and Trusted Computing under a single umbrella. At the network level, cloud-scale analytics let systems correlate large volumes of telemetry and make access decisions close to where the traffic is. On the compute side of the equation, HPE’s Silicon Root of Trust and certificate-based device IDs establish trust between servers and the programs that run on them.

Verify everything

Let’s talk more about identity credentials, since stolen or weak credentials are one of the easiest ways for attackers to gain entry. First, consider user logins and passwords, a staple of cybersecurity since the days of dial-up modems. As computing and the internet expanded, so did the flaws associated with this strategy: it’s too easy for an attacker to steal someone’s credentials, and we use too many applications to possibly remember every username and password we created. Thus, multi-factor authentication and machine learning have been employed to keep access simple for legitimate users while blocking bad actors who hold only a password.

With zero trust computing, enterprises take a similar approach to granting access to firmware, software, and third-party applications. They can leverage artificial intelligence and machine learning capabilities to monitor for anomalies and, when necessary, request additional verification. Initial Device Identifier (IDevID) certificates, defined in IEEE 802.1AR and installed at manufacture, give each device a cryptographic identity that allows the automatic provisioning or revocation of access to integrated applications.

For instance, consider a company that wants to securely onboard iLO into its environment but has no technical staff at remote sites to provision the servers. An iDevID provisioned by the HPE factory lets the organization authenticate and authorize HPE systems at the local access switch or router (the 802.1X authenticator) before they are admitted to the network. The server presents its iDevID in an 802.1X EAP-TLS exchange, the authenticator relays it to the authentication server, and the certificate chain back to HPE’s manufacturing CA proves the identity. This onboards the servers automatically, enabling HPE systems to securely establish their identity in the customer’s network with “zero touch” (unattended autonomous operation).
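The check the authentication server performs on a factory-issued device certificate, as an added illustration that is not part of the original post and not HPE’s code: a toy manufacturer CA stands in for the HPE factory, issues an 802.1AR-style IDevID that carries the hardware serial in the subject’s serialNumber attribute, and the customer side verifies the chain to the trusted manufacturer root, the client-authentication EKU, and the serial binding. The CA name, the serial and the counterfeit cases are constructed for the example; only Go’s standard library is used. The same trust-anchor check is the core of the platform-certificate verification described further down, though that certificate has a different structure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Factory is a hypothetical stand-in for the manufacturer's device-ID CA.
type Factory struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	next   int64 // next certificate serial to issue
}

// NewFactory creates a self-signed manufacturer CA.
func NewFactory(name string) (*Factory, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{name}, CommonName: name + " Device ID CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Factory{CACert: cert, caKey: key, next: 2}, nil
}

// IssueIDevID signs an IDevID (IEEE 802.1AR) for one unit. The hardware serial goes
// into the X.520 serialNumber subject attribute, which is how 802.1AR binds the
// certificate to a single physical device. The private key stays in the device.
func (f *Factory) IssueIDevID(hwSerial string) ([]byte, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // in reality generated in the device's secure element
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(f.next),
		Subject:      pkix.Name{Organization: f.CACert.Subject.Organization, CommonName: "iLO " + hwSerial, SerialNumber: hwSerial},
		NotBefore:    time.Now().Add(-time.Hour),
		// 802.1AR: an IDevID meant to outlive the device uses the RFC 5280 "no well-defined expiry" sentinel.
		NotAfter:    time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // EAP-TLS supplicant role
	}
	f.next++
	return x509.CreateCertificate(rand.Reader, tmpl, f.CACert, &devKey.PublicKey, f.caKey)
}

// VerifyIDevID is the customer-side check an EAP-TLS authentication server or an
// onboarding tool performs: chain to the trusted manufacturer root, clientAuth EKU,
// and the embedded serial must match the serial the operator expects for that unit.
func VerifyIDevID(der []byte, trusted *x509.CertPool, expectedSerial string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if cert.Subject.SerialNumber == "" {
		return errors.New("subject has no serialNumber attribute; not an 802.1AR DevID")
	}
	if cert.Subject.SerialNumber != expectedSerial {
		return fmt.Errorf("serial mismatch: certificate says %q, expected %q", cert.Subject.SerialNumber, expectedSerial)
	}
	return nil
}

// Scenarios runs the genuine case and two counterfeit cases (constructed for the example).
func Scenarios() (genuine, wrongSerial, wrongCA bool, err error) {
	maker, err := NewFactory("Example Manufacturer")
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(maker.CACert) // the only trust anchor the customer configures

	idevid, err := maker.IssueIDevID("CZ2034SN01")
	if err != nil {
		return
	}
	genuine = VerifyIDevID(idevid, roots, "CZ2034SN01") == nil
	wrongSerial = VerifyIDevID(idevid, roots, "CZ2034SN99") != nil // real cert, wrong chassis

	fake, err := NewFactory("Counterfeit Inc") // a CA the customer never trusted
	if err != nil {
		return
	}
	forged, err := fake.IssueIDevID("CZ2034SN01")
	if err != nil {
		return
	}
	wrongCA = VerifyIDevID(forged, roots, "CZ2034SN01") != nil
	return
}

func main() {
	g, s, c, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v\nwrong serial rejected: %v\nuntrusted CA rejected: %v\n", g, s, c)
}
```

The serial comparison is the step most often skipped in practice: a valid chain only proves the certificate came from the manufacturer, not that it belongs to the box in front of you, so the operator must compare the certificate’s serial against the asset record (or the serial read from the chassis) before granting the device a network role.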

Platform Certificates take a similar approach to attesting the trustworthiness of a device. Expanding on HPE’s Secure Configuration Lock, these manufacturer-signed certificates help identify devices that have been tampered with, are running a bad or outdated version of software, or are outright fakes. Using platform certificates, enterprises can verify that a system is unmodified from when it left the factory and detect anomalies that may have occurred in the supply chain during shipping.

For instance, a platform certificate is created and digitally signed at the HPE manufacturing site, recording the configuration the system shipped with. The platform certificate is then stored on the server. The customer can use an HPE-supplied tool to verify the server against the platform certificate: a valid signature from HPE’s manufacturing CA and a configuration that matches the certificate together show that the system is as it left the factory.

With iDevID and Platform certificates, you can create your Zero Trust Edge from the ground up, knowing that the hardware your system depends on is in a secure, good state. For HPE servers, these technologies are built-in. As part of our commitment to continuous innovation, Gen10 Plus servers can be purchased with HPE Server Identity, HPE Server Platform Certificate, and Trusted Platform Module.

Stay tuned

We’re excited to share more of the many innovations that are fulfilling HPE’s commitment to our customers’ data security. Stick around to learn about how you can protect against ransomware, tamper-proof your firmware, and fortify the security of your entire server architecture.


Cole Humphreys
Hewlett Packard Enterprise