HPE Tech Talk Podcast - The Security Imperative from Edge-to-Cloud, meet Project Aurora, Ep. 19

Robert Christiansen:

Welcome to HPE Tech Talk, I'm your host, Robert Christiansen. If you joined us at HPE Discover, you likely caught a glimpse of what we're talking about today and that's project Aurora. The fact is, the right software has to be running on the right hardware. And the only way you can do that securely at scale is through automation. That's where project Aurora comes in. I want to welcome my first return guest to the podcast, Sunil James. He is the senior director of security engineering at HPE, and one of the key leaders behind this exciting new project. Sunil, thank you for joining me.

Sunil James:

Robert, it's great to be back. Thank you for having me on the show again.

Robert:

That was wonderful, man. So we just announced project Aurora at HPE Discover, what's the backstory around project Aurora, and what's the problem it's trying to solve?

Sunil:

So over, you know the, the history of our company we have been selling and helping our enterprises, enterprise customers deploy infrastructure in their data centers, in their retail locations and everywhere in between. We sell compute, we sell storage, we sell networking capabilities, and I think that over the last few years we've seen more customers recognize that this idea of edge-to-cloud, as we've long spoken about at HPE, is becoming a reality. We want to be able to deliver assets and infrastructure in value closer to where the action is happening. And so what ends up happening as a result of that is that these historical and prototypical models of providing security for enterprise assets, these network-centric capabilities that you've seen talked about over and over and over again, they've evolved. They've evolved and sometimes they've been broken, especially as you get out of the data center.

We saw this coming and we realized that from our vantage point there's quite a bit that we could do to provide our customers with very, very deep assurances of the fidelity of both the hardware and software that they're buying from HPE. And what we've done is take a lot of that thinking, a lot of that designing, a lot of that architecting and a lot of that engineering, and brought it together under one new capability that we have called project Aurora, which we just announced at the conference. Now, project Aurora is brand new and it's going to be widely deployed across HPE's offerings. But to start, we're deploying it inside of a new offering from HPE called the HPE GreenLake Lighthouse.

Robert:

You know, uh, You and I have been talking about this for quite some time about how this manifests in the reality of the HPE product lines and why it's so important that the... Let's take an example, if you're going to put a computer inside an autonomous vehicle, you want to make sure that no one's messed with, one, that hardware, and two, that that software is exactly the right software that's supposed to be on that. So as you think about that kind of world as we continue to expand on that, what keeps you up at night thinking about our customers in that space, and how do we really try to rotate into the solving some of these problems?

Sunil:

Oh gosh, it’s uh, it's terrifying. It's truly terrifying. And the reason it's terrifying is, as I look back on my career, and you think about the types of attack techniques and sophistication going back 25 years, 30 years, to where it is now, it's full-blown software development, you know, for hacking purposes now. You've got supply chain of people that are writing malicious code and building out the infrastructure for command and control infrastructure, for communications between malicious code, you've got these things running as services where anybody can show up with a credit card and some Bitcoin and pay for access to these services to attack somebody else. I mean, the level of sophistication of this infrastructure to attack and steal information from our customers has gone through the roof. And we talked a little bit about this at the Discover conference in the spotlight session to give our listeners and viewers a bit of an example of that.

The thing that really, supply uh uh, scares me is that this idea of supply chain is even more so a reality than ever beforehand, right? Supply chain is not a new concept, it's been around forever, but the idea of a digital supply chain being as vast and fluid as what we're seeing and what we're going to continue to see both on the software side of how third-party applications, operating systems are being built versus hardware, whether it be HPE or its contemporaries, there is such tremendous opportunity for any one of us in that chain to get things wrong, to take a misstep, and to therefore leave our customers exposed with some risk, as to some attack, or only having to find that one problem to be able to exploit that and gain a toehold into their enterprise network.

That is one of the things that scares the heck out of me in terms of being able to provide our customers with the kinds of assurances that they're going to need to continue to build their businesses in the dynamic ways in which they're going to have to remain viable in the future.

Robert:

So let's keep pulling this apart here, Sunil. I think this is great. As you think about attestation of a building, of a set of hardware components where you and I both know that, there um, it's not just limited to software, right? You can put something on a board that will accomplish what you want if no one's watching or assuring that attestation. You can get down to various layers of code, whether it be at the very kernel/firmware code all the way up through the application levels. And so attestation of, is this the right hardware? Is this built the way it was spec'd? And, is this the right software to run on that specific piece of hardware? Can you break that down a little bit about why that's so important in what you're talking about?

Sunil:

Yeah. I mean, it's the foundation of everything, right? I mean, I think last time you and I spoke, I might of, I think I gave an analogy about the idea of identity and this ability to kind of hang all of these entitlements and rights off of an assertion that you, Robert, are who you say you are. You can drive a car, you can go vote, you can go... Back in the day go get a movie, at blockbuster video, for those of you who are old enough to remember blockbuster video, which by the way I used to work at, so I have an affinity for it. But it gives you all of these opportunities to go do things.

And I think that when you think about attestation, I think we have, we need the same levels of verification. Because in order to conduct and transact as an enterprise, for moving money on behalf of a customer of theirs, or sharing healthcare information between a patient and their doctor or whatever it might be, there's a set of components, software components, and hardware components uh servers. And then within the servers there's components that comprise the server. Each of these things are part of that single transaction. They all play a role in facilitating what seems like a very simple thing. Sunil, move money from bank account A to B, okay? Press enter and you're done. But underneath the covers, there's so many systems that are interacting with each other to facilitate that and basically give you the assurance that nothing in that chain has been compromised and therefore corrupted the ability for you to move money from A to B.

Attestation is the foundation for which every single piece of technology can be able to assert trust and validity of any transaction leveraging this infrastructure. And I would argue that for most of the world in the world of enterprise IT, attestation as a framework is not something that is widely adopted and widely leveraged because it has not been easy to do so. We as practitioners have not given our users the tooling, the automation, the sophistication necessary to be able to take advantage of the control points that we as hardware manufacturers, software manufacturers have in terms of the products that we bring to our customers. With project Aurora, we change all of that, fundamentally.

Robert:

I love it. And it's groundbreaking in its addressing of what we call a very old problem. What's that early reaction been to the stuff that you're bringing to the market now, you're really trying to bring these technologies in play?

Sunil:

You know, it's funny, Robert. When I, As you will remember, and maybe from our last conversation, I joined last year through the acquisition of my last company, Cytel. And when we first started Cytel, even to this day inside of HPE, we're continuing to drive efforts around something called SPIFFE, which stands for Secure Production Identity Framework for Everyone. And it's an open source standard and code that now sits within the Cloud Native Computing Foundation. When we first launched SPIFFE and we started talking to people about it, these ideas around platform-agnostic service identity to allow for authenticated communications from one service to another, and we talked about the verification framework underneath that and why that was important, when we talked to analysts and customers and everybody in between, it was almost like a, "Well, yeah, that's obvious. Why haven't we been doing that?"

Robert:

Doing that?

Sunil:

And when I started talking about Aurora to the same set of analysts, it was almost like a, "Hey, weren't we doing that? That seems obvious. How come that's not happening? And I think it comes, it brings back to me the same considerations we had when we started SPIFFE, right? It has to be platform agnostic, it has to be something that can scale with the customer's needs, it has to be automated. It has to be automated because the second you introduce workflows, trouble ticketing systems and things of that sort, it breaks the process itself. And so these were all fundamental parts of design that went into creating project Aurora, and I think that's why we're darn excited about this.

Robert:

So considering the massive demand that exists for the solution like project Aurora, what's next, Sunil? I really want to know what you're excited about, what we got coming up for Aurora.

Sunil:

Yeah. There's a lot. There's a lot of good stuff.

Robert:

A lot, man. There's a lot. Yes.

Sunil:

Yeah. There's a lot of good stuff here, and some of which I can't talk about, but I'll leave your audience with a little bit of a taste of it. So, as I said beforehand, one of the things that we really want to focus on is making sure that Aurora is enabled in everything. Everything that HPE sells, right? Our customers aren't just buying Aruba products, separate from ProLiant, separate from Synergy, separate from Apollo, separate from Cray, they buy HPE products. And so our responsibility as an organization driving project Aurora is to plumb and develop and deploy project Aurora into everything that our customers buy. That becomes one of the core horizontal capabilities that are going to straddle everything we do so that our customers will have the assurances that the verification framework, the attestation framework that we're building with Aurora is going to be the same thing, whether it's a workload running on Aruba device somewhere in a retail location, or some sort of high performance computing node running in a super secret data center that nobody knows about.

And I think that's an amazing narrative to be able to showcase to our customers, that we can provide you with a consistent application of verification for all of your infrastructure running behind your firewall, right? It's very similar to the types of primitives and models that you will see in public cloud providers except for bringing you behind the firewall. So that's one area, right? We're going to deploy this across everything inside of HPE that we can get our hands on.

Second thing that we're looking at is, for each aspect of project Aurora, from the presentation, we could provide verification at the hardware layer, at the operating system layer, at the abstraction layer, and even at the workload layer. Each of those has an evolution in and of itself. How do we get better, for example, at the infrastructure layer to say, "Well, right now we could provide verification for 90% of the components on a board. Well, how do we get it to 100?” So we've got evolutions of making each existing layer of Aurora evolved forward so that there are no gaps. To be frank, there are gaps, right? There's always going to be gaps because this technology is constantly moving. So we're going to be moving towards making that better.

The last thing we're going to be working on... Well, not the last thing, the last thing that I'll share here, is we want to showcase how we're going to connect Aurora with SPIRE, right? So as we talked about last time, SPIRE provides that mechanism to verify the validity of an identity for workload, for as long as that workload's going to live. Now, imagine you can take that same capability and tie it down to the underpinning hardware that that workload's going to run on. And then to have those verifications rooted in some bit of Silicon for as long as you want that workload to run without ever having to get into the manual processes of identity, issuance, and provisioning, right? This is a natural, obvious connection. At least to me it's obvious between the work that the community and we are doing with SPIFFE and SPIRE and what we've been doing with project Aurora. And I'm really excited about connecting those two together.

There's a few other things as well that I'm not prepared to talk about that keep going beyond, but maybe make me your three time- 

Robert:

Mini podcast.

Sunil:

Yeah. Three time member and we'll get into it at that point.

Robert:

I love it, man. I want to say thanks, Sunil, for joining us today.

Sunil:

Thank you for having me.

Robert:

It's been great as always. And to our listeners, I really hoped you enjoyed this episode. Take a second and subscribe, leave us a review, and tell us what you think. It's important to us and we appreciate it. Thanks for tuning in and have a great day. Bye-bye.