Around the Storage Block
StorageExperts

Data Services Cloud Console from HPE – Secure by design

HPE recently announced cloud native unified data operations that let you leverage data wherever it resides in your hybrid cloud environment. This blog and 5-minute demo show how Data Services Cloud Console was planned, architected, and designed with features that keep your data secure.

Data-Services-Cloud-Console_security_blog.pngWe live in a world where every week we hear about a new security breach or a new hack. This type of news can be concerning as the digital world transitions to a hybrid-cloud model. More information is processed between the cloud and the core every day, making more data vulnerable to these attacks.

HPE’s recent announcement of cloud native unified data operations could lead to questions about security and privacy, but should it? In this blog I will discuss how security for our customers and their data has been of utmost importance from day one.

Security starts with the design

When you start to build a house, an architect sets out on a plan that includes entry points such as doorways. As construction starts, a point arises when these entry points need to be secured with doors and locks. From day one the architect knew that those entry points would require security and designed the building to support them.

In the same vein, Data Services Cloud Console was planned, architected, and designed to have secure entry points. Where users log in, security such as multi-factor authentication (MFA) and single sign on (SSO) were planned for and developed. Where devices need to communicate, bi-directional encrypted communication was planned and designed using mutual Transport Layer Security (mTLS) and trusted certificates for authentication.

Internal communication between services is also encrypted and authenticated. Load balancers in conjunction with intelligent web application firewall (iWAF) are put in place to direct and deflect traffic. The diagram below shows what the flow of traffic will look like whether that traffic is initiated by a user via cloud.hpe.com or by a device communicating with Data Services Cloud Console.

Figure 1: Traffic flow: user-or device-initiatedFigure 1: Traffic flow: user-or device-initiated

First, let’s walk through this flow of traffic. From the web or API perspective, the login would happen via a web browser or console login shown in the top left. These logins can be protected via authentication services such as a combination of user and password in single-factor authentication, external challenged input by multi-factor authentication, or integrated with LDAP/Active Directory via SAML 2.0. MFA is not enforced but highly recommended. From here you will connect to the cloud.hpe.com portal. This portal is where you can set up role-based access control (RBAC) and add the specific devices that are allowed to communicate with your Data Services Cloud Console.

From a device perspective, devices are added by serial number to the HPE GreenLake portal. Once added, the HPE Alletra array will be activated with a specific instance of the Data Services Cloud Console. At this point a bi-directional tunnel will be opened and communication between the HPE Alletra array and Data Services Cloud Console will be allowed. Please note that only outbound rules on the firewall are needed. Inbound communication does not need to be configured.

The tunnel, once established, will support the 2-way communication, as shown in the bottom of the diagram. This communication is secured with a certificate installed on the array by the factory. This certificate is trusted by a recognized 3rd party authority and maintains an encrypted mTLS tunnel to the cloud instance of Data Services Cloud Console over port 443, meaning no additional ports need to be opened on your firewall. Think of it like a phone call; someone cannot talk to you unless they dial your number and you pick up the phone. Once you answer the phone, that person can converse with you in a 2-way conversation. It’s the same in this instance, except the device is the only one with the phone number. It will “call” Data Services Cloud Console and when the call is answered, nothing can get in the middle of the conversation. If the connection drops, the array will keep trying until it is able to reconnect.

In these ways, we ensure that communication – either user-initiated or device-initiated – is secure and your information is protected.

Data Services Cloud Console in action

I am one of those people who likes to see what something looks like rather than just hearing it described. If you’re like me, you will be happy to know that we have created a video to show you Data Services Cloud Console and HPE Data Ops Manager in action. This 5-minute video demonstrates some of the security features such as RBAC and SSO. It also takes you through Data Ops Manager. This cloud-based console is part of the Unified DataOps vision and the first service to be introduced in Data Services Cloud Console.

You will also see a demonstration of intent-based provisioning. Intent-based provisioning allows you to answer 4 simple questions and provision the right workload. It uses intelligence to select the best array for your workload, allows you to customize the volume, and then provisions the volumes and attaches them to your host.

Please enjoy this new demo.

Look for more blogs from me in the near future on Data Services Cloud Console from HPE – and the fundamentals that make it a secure platform.

Regards,

Matt

Matt Haron.jpg

 

 

 

I have been in IT/Consulting/Technology for over 17 years, and enjoy helping everyone transition to the as-a-Service world. It's fun to see how technology reinvents itself in new and exciting ways – and I like being on the front lines.

 

Storage Experts
Hewlett Packard Enterprise

twitter.com/HPE_Storage
linkedin.com/showcase/hpestorage/
hpe.com/storage

 

0 Kudos
About the Author

StorageExperts

Our team of Hewlett Packard Enterprise storage experts helps you to dive deep into relevant infrastructure topics.