Introducing Project Aurora: Enabling zero-trust security architectures from edge to cloud
JUNE 22, 2021 • BLOG POST • GARY CAMPBELL, FELLOW, HPE VICE PRESIDENT, CHIEF TECHNOLOGY OFFICER FOR SECURITY, HPE SECURITY ENGINEERING, HEWLETT PACKARD ENTERPRISE
IN THIS ARTICLE
- HPE introduces Project Aurora to bring zero trust to the HPE GreenLake edge to cloud platform
- HPE has standardized security by measuring, attesting, and verifying everything – from silicon to cloud
- Project Aurora transforms security from a barrier to an innovation accelerator
Project Aurora’s security capabilities will help enterprises reclaim their security and help to address how to secure the vast and fluid digital supply chain from edge-to-cloud
As enterprises strive to unify their operations across their hybrid estates, they seek flexible security that scales at business speed and enables them to digitally transform while protecting their infrastructure, software, and data, and that of their customers, too.
Today, regardless of where a device is physically located, it is susceptible to cyberattacks. The stakes are high, and the risks are many – this is especially true at the edge of networks, where enterprises don’t necessarily have the same level of physical protection that a customer is likely to have in their datacenter.
As organizations increasingly deploy edge-to-cloud architectures to derive greater business insights and intelligence from in-situ data, they also seek to deploy a scalable zero-trust security architecture. In distributed architectures like this, where data security is derived from underlying system security, among other things, integrity verification is critical.
This is all easier said than done. Rising to meet the bountiful opportunity, attackers are increasingly employing advanced exploitation techniques that give them long-term persistence in an enterprise network to inflict damage at will.
These are the challenges we set out to address. To transform security from an innovation barrier to an innovation accelerator for a future where secure data access delivers greater insights and faster time to market.
Introducing Project Aurora: Enabling HPE’s edge-to-cloud zero-trust security architecture
I’m excited to announce Project Aurora, an effort within HPE that I believe will form the basis for how we underpin our edge-to-cloud strategy with a zero-trust security architecture. Fundamentally, Project Aurora leverages HPE’s Silicon Root of Trust to continually verify and assert a chain of trust from a workload to the HPE hardware it runs upon.
Project Aurora will initially be embedded within HPE GreenLake Lighthouse to automatically and continuously verify the integrity of the hardware, firmware, operating systems, platforms, and workloads, including workloads from security vendors, too. This continuous attestation will enable HPE to quickly detect advanced threats in seconds[1] compared to a reported average of 24 days[2]. This can help minimize loss and unauthorized encryption (and corruption) of valuable data and intellectual property.
As I previously mentioned, Project Aurora builds upon HPE’s silicon root of trust technology that is recognized by cyber insurers for reducing risk. Together, these capabilities hold immutable measurements starting from the factory floor. Project Aurora uses these measurements to initiate the continuous chain of trust.
In the future, we will embed open-source technologies like SPIFFE and SPIRE into Project Aurora to enable our DevOps and security engineers to deliver workload identities rooted in continuously verified HPE hardware. This entire capability will eventually be embedded across HPE GreenLake cloud services and HPE Ezmeral software platforms.
Is zero trust actually within reach?
Today, security threats are so constant, complex, and widespread that victims and potential victims find themselves paralyzed. “To move beyond this paralysis, organizations have to deploy platforms with a zero-trust mindset built in.”[3]
Project Aurora is the underpinning for just such a platform. I believe it will allow us to become much more effective at resisting attacks because by building trust into our hardware, we can scalably monitor everything up to and including customer workloads without signatures.
Project Aurora will also identify and protect against malware as sophisticated as Drovorub and attackers as sophisticated as the state-sponsored hackers at the Russian GRU by employing three interlinked processes. It increases data value through attestation and verification, uses a zero-trust model built into the hardware, and continuously identifies zero-day attacks and advanced persistent threats.
Triad of effectiveness
Here is how Project Aurora builds value by building security.
- Increase data value through attestation and verification
Rooted in silicon, Project Aurora security capabilities help ensure the fidelity of data by continuously attesting supply chain, infrastructure, operating systems, platforms, and workloads to identify malicious code in the operating environment.
- Accelerate innovation by laying a zero trust foundation
Project Aurora delivers a zero-trust model rooted in hardware, which increases engineering velocity by standardizing and automating authentication flows from silicon to the cloud.
- Identify attacks and protect investments
Project Aurora continuously identifies zero-day attacks and advanced persistent threats to thwart loss and corruption of mission-critical business intelligence, fortifying the user’s existing security strategy, minimizing risk, and maximizing the effectiveness of existing investments.
The technology of trust
Project Aurora builds upon the Silicon Root of Trust, which is HPE’s hardware-validated boot process that ensures a computer system can only be started using code from an immutable source. This involves an anchor for the boot process rooted in hardware that cannot be updated or modified in any way. Because we combine this foundation with a cryptographically secured signature, there are no easily accessible gaps for hackers to exploit. If a hacker inserts a virus or compromised code into the server firmware, the configuration of the firmware is changed, creating a mismatch to the digital fingerprint embedded in the silicon. As it initiates, HPE Integrated Lights-Out 5 (iLO 5) firmware validates the basic input/output system and looks for the “digital fingerprint” of iLO firmware burned into the silicon chip. That immutable fingerprint verifies that all the firmware code is valid.
Project Aurora also tightly couples HPE Integrated Lights-Out (iLO) and the Trusted Platform Module[4] (TPM) together with the software that runs within the operating system (OS) of a supported device. This allows the measurement of the operating system and the load of the OS kernel. We then measure the critical executables in the platform, the operating system executables, and the configuration files. This involves the measurement of the platforms running upon the OS as well as workloads. This whole construction is designed to support secure tamper-proof measurement as a chain of trust.
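The two paragraphs above describe a measured chain of trust in prose: each layer (firmware, kernel, executables, configuration, platform, workload) is measured, the measurements are folded into a hardware-held register, and a verifier checks them against known-good values. The following is an added toy model of that mechanism, written for this article and not HPE’s, iLO’s or Project Aurora’s code. It uses the TPM-style “extend” operation (new = H(old || measurement)) over SHA-256, with constructed component names and byte strings standing in for real firmware and files. It shows three things a practitioner cares about: a clean platform reproduces the golden register; a single changed configuration file is detected and the event log pinpoints which component deviated; and an event log that has been edited to hide a change is rejected because it can no longer reproduce the register.

```python
"""Toy measured-boot chain of trust: measure, extend, attest, verify.

Added illustration only (not HPE Project Aurora, iLO or TPM firmware code).
Every component name and byte string below is constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed stand-ins for what a root of trust measures, in boot/launch order.
KNOWN_GOOD: Dict[str, bytes] = {
    "firmware":   b"system firmware v1.2.3, signed image",
    "bootloader": b"bootloader 2.06",
    "kernel":     b"vmlinuz-5.10 with signed modules",
    "os-config":  b"sshd: PasswordAuthentication no\n",
    "platform":   b"container platform node v1.21",
    "workload":   b"edge-analytics container image",
}
MEASUREMENT_ORDER = list(KNOWN_GOOD)  # dict order is the chain order
INITIAL_REGISTER = bytes(32)          # TPM PCRs start at all zeros after reset


def measure(data: bytes) -> bytes:
    """Measurement = SHA-256 digest of the component exactly as loaded."""
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement).

    Order matters and nothing can be removed once folded in, which makes the
    register a tamper-evident summary of the whole chain.
    """
    return hashlib.sha256(register + measurement).digest()


@dataclass
class Attestation:
    """What a platform hands to a verifier: the final register value plus the
    event log that explains how it got there."""
    register: bytes
    event_log: List[Tuple[str, bytes]] = field(default_factory=list)


def measured_boot(components: Dict[str, bytes]) -> Attestation:
    """Measure each component in chain order, extending one register."""
    register = INITIAL_REGISTER
    log: List[Tuple[str, bytes]] = []
    for name in MEASUREMENT_ORDER:
        m = measure(components[name])
        register = extend(register, m)
        log.append((name, m))
    return Attestation(register, log)


def golden_measurements() -> Dict[str, bytes]:
    """Reference measurements the verifier holds for a known-good platform."""
    return {name: measure(data) for name, data in KNOWN_GOOD.items()}


def verify(att: Attestation, golden: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Appraise an attestation.

    1. Replay the event log and require it to reproduce the reported register,
       so an edited or truncated log is rejected outright.
    2. Compare every logged measurement with its golden value and report each
       component that deviates, so the operator knows what changed.
    Returns (trusted, deviating_components).
    """
    replay = INITIAL_REGISTER
    for _, m in att.event_log:
        replay = extend(replay, m)
    if replay != att.register:
        return False, ["<event log does not reproduce register>"]
    deviations = [name for name, m in att.event_log if golden.get(name) != m]
    return (not deviations), deviations


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the verifier over a clean, a tampered, and a forged-log attestation."""
    golden = golden_measurements()
    results = {}

    # Clean platform: every layer matches the reference.
    results["clean"] = verify(measured_boot(KNOWN_GOOD), golden)

    # Same platform with one configuration file changed after deployment.
    tampered = dict(KNOWN_GOOD)
    tampered["os-config"] = b"sshd: PasswordAuthentication yes\n"
    real = measured_boot(tampered)
    results["tampered"] = verify(real, golden)

    # Tampered platform whose log was rewritten to show golden values; the
    # hardware register still reflects what actually loaded, so replay fails.
    forged = Attestation(real.register, [(n, golden[n]) for n, _ in real.event_log])
    results["forged-log"] = verify(forged, golden)
    return results


if __name__ == "__main__":
    for case, (trusted, deviations) in demo().items():
        print(f"{case:11s} trusted={trusted} deviations={deviations}")
```

The design point is the split of responsibilities: the register alone says *whether* the chain matches, the event log says *where* it diverged, and the replay check binds the two so the log cannot be trusted on its own. In a real deployment the register value would be signed by the TPM (a quote) so the verifier also knows it came from that device; that signing step is omitted here.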
With Project Aurora, we are delivering designed-in security technologies with automated verification and attestation that will establish a new deepest point of defensibility and sophistication.
As shared at HPE Discover today by CEO Antonio Neri, Project Aurora will expand to HPE GreenLake Lighthouse, HPE GreenLake cloud services and HPE Ezmeral software by the end of the year to provide a platform-agnostic way to define zero-trust security policies from edge to cloud.
Discover Sessions on Project Aurora
To learn more about Project Aurora, HPE’s forthcoming embedded zero-trust security platform, please join us at HPE Discover 2021 to hear how Project Aurora protects HPE products by identifying sophisticated cyber-threats via an immutable trust chain from the silicon to the workload. Join our HPE Security experts as we demonstrate how Project Aurora protects HPE GreenLake Lighthouse and thwarts some of the world’s most dynamic and persistent cyber-threats facing enterprises.
Following the Project Aurora spotlight session, join us live to meet our panel of security experts and technologists, ask your questions, and share your ideas in an interactive session, or watch via replay.
- HPE Project Aurora: Stop Playing Whack-a-Mole with Security
- Project Aurora: Embedding Zero-Trust Building Blocks from Silicon to Cloud
- Project Aurora: Continuous Security to Verify, Detect, and Prevent Attacks from Silicon to Cloud
- Talk With Us About HPE Security From Edge to Cloud for a Distributed World
[3] “Why is Zero Trust Broken?”, Market Intelligence Business Impact Brief, 451 Research, S&P Global
[4] The Trusted Platform Module is a secure microcontroller, which is now standard on HPE ProLiant Gen10 Plus servers.