Servers: The Right Compute

Building Security into Every Aspect of HPE Industry-Standard Servers

Bob_Moore

At HPE Discover 2017, we're talking about how we're building the world’s most secure industry-standard servers, positioning HPE head and shoulders above our competitors. Learn more now.

At HPE, security is engineered into our servers from start to finish. We understand our customers' security concerns and are dedicated to building the world’s most secure industry-standard servers. From product creation to supply chain management, HPE will protect you to ensure your data center server infrastructure is secure.

Regulatory & Standards Compliance

Supply chain risk management and product protection based on recognized international standards and best practices, TAA and regulatory compliance.

HPE’s Supply Chain Risk Management Framework is based on recognized international standards and best practices:

  • The HPE EG Supply Chain is fully compliant with DFARS 252.246-7007 Contractor Counterfeit Electronic Part Detection and Avoidance System—adhering to requirements including:

- Multi-year active membership in the Government Industry Data Exchange Program (GIDEP) for suspect counterfeit monitoring, investigation and reporting.

- Membership in ERAI in the US and the Anti-Counterfeiting Forum (formerly ESCO) in the UK. HPE monitors and investigates other credible sources for reports of suspect and confirmed counterfeit parts, as recommended in SAE International Aerospace Standard AS5553 Rev B.

- Incidents are tracked to completion in a closed-loop corrective action process (HPE CFIT tracking system).

- Adherence to all required programs and processes, training, testing, traceability and flow-down requirements.

  • HPE’s supply chain is currently being assessed against Safeguarding Covered Defense Information and Cyber Incident Reporting requirements, and is anticipating full compliance by December of 2017 in accordance with the regulations for protecting sensitive data including Controlled Unclassified Information (CUI).
  • The HPE supply chain is currently performing a risk assessment against the NIST Cybersecurity Framework (CSF) leveraging controls to identify, assess and respond to cyber risks. 
  • HPE is developing documentation and best practices to a moderate level Target Profile to assist in conformance to NIST 800-53 Rev. 4 (Security and Privacy Controls for Federal Information Systems and Organizations). HPE is anticipating completion by Dec 2017. HPE also employs additional controls from:

- ISO/IEC 27001:2013 / 27002:2013

- ISACA COBIT 5

- International Society of Automation (ISA) ISA 62443-2-1:2009 / ISA 62443-3-3:2013

- Center for Internet Security (CIS) Critical Security Controls

Component Provenance, Sourcing, Origin & Traceability

Traceability for programmable logic-bearing components, including provenance documentation, Certificates of Conformance and Country of Origin.

  • HPE can provide evidence of product and part traceability for federal and commercial customers (including supplier name and address) for Logic Bearing Components (LBCs) and other components, including provenance documentation, Certificates of Conformance (CoC) and Country of Origin (CoO) information.
  • HPE Partners must flow down comparable traceability controls to their Suppliers in their respective supply chains.
  • HPE does not accept material that is not on the product’s Bill of Material (BOM) and Approved Vendor List (AVL). If the need should arise for an alternate source, that material would be qualified and approved in a controlled process — HPE still maintains the BOM and the AVL material control.
  • HPE requires its Trusted Suppliers to establish and uphold processes for maintaining electronic part traceability (e.g., item unique identification (IUID), or other proprietary techniques) that enables tracking of the part back to the original manufacturer, whether the electronic part is supplied as a discrete electronic part or is contained in assemblies.

TAA Compliance

All products listed on the GSA Schedule Contract must be manufactured or “substantially transformed” in a “designated country”, adhering to the restrictions and limitations under which the United States Government can purchase products and services. These restrictions and limitations are determined by Country of Origin (CoO). Any HPE product sold to U.S. government agencies must be substantially transformed in a TAA country. TAA is a meet-comp requirement. TAA is not considered a security feature.

  • HPE can ensure delivery of compliant products in accordance with its certification(s) made under the Trade Agreement Act or Buy American Act.
  • HPE has implemented a dual SKU mechanism that defines which SKUs are commercial SKUs vs. which are TAA Compliant SKUs.
  • HPE provides TAA compliant product assurances to customers who are required to purchase only TAA compliant products.

Secure Product Measures, Controls, Features

BIOS adheres to firmware protection standards. Taint, corruption, malware, substitution, and counterfeit risks are mitigated proactively.

  • HPE server BIOS is designed to meet NIST SP 800-147B (BIOS Protection Guidelines for Servers) to mitigate the risk of attacks on the firmware.
  • HPE has an ongoing program dedicated to ensuring that encryption algorithms are Federal Information Processing Standard (FIPS) 140-2 validated and, where applicable, select HPE products are Common Criteria (CC) certified.
  • HPE has select solutions from multiple business units that are already Common Criteria (CC) certified.
    • HPE will continue to pursue these certifications for additional products to give our customers confidence in HPE’s ability to deliver the most secure servers on the market.

- ISO 28000:2007 Specification for security management systems for the supply chain

- ISO/IEC 15026-4:2012 Systems and software engineering — Systems and software assurance — Part 4: Assurance in the life cycle, together with other standards

- Risk-based security audits are performed at internal HPE factories and at Partner/Supplier facilities

Customer/Supplier Authentication

Advanced cloud-based counterfeit detection capability enabling the authentication of parts at time of purchase and throughout the product lifecycle. Protect your infrastructure from threats and ensure top performance by using only Genuine Hewlett Packard Enterprise software, spares and options.

Security Labeling, Packaging & Anti-Counterfeiting

World-class anti-counterfeiting investigations and intelligence capability aggressively pursuing counterfeit parts and products to protect HPE and its customers. Select high-risk parts are protected by high-tech security features.

HPE takes additional precautions on high-risk parts prone to counterfeiting in the marketplace, such as disk drives and memory, by placing a security label on each of these parts. These labels carry a number of high-tech security features, making it difficult, if not impossible, for counterfeiters to duplicate. HPE and its Suppliers perform screening and authentication of security labels. HPE periodically revises and enhances the label to improve the security features and inhibit counterfeit copies of the label.

HPE deployed a new screening system that provides an automated and unified platform for both warehouse receivers and HPE employees performing field investigations and audits.

Learn more about HPE security innovations.

About the Author

Bob_Moore

Bob leads the partner software organization for the server division. His team is also responsible for productizing the new HPE security technologies and delivering a comprehensive approach to security across all solutions.