Infrastructure security gets a big boost from FIPS and other security standards. Learn how the FIPS validated iLO 5 technology in HPE Gen10 servers can benefit your organization.
Luckily, HPE has considered these questions for you, and developed solutions like iLO 5 that are fully validated by the Federal Information Processing Standard (FIPS)โa U.S. government computer security standard used to approve cryptographic modules. This particular standard and FIPS-validated solutions can benefit every aspect of your businessโfrom risk management to brand reputation.
Prioritizing infrastructure security
Purchasing new servers that ship with security standards, such as the FIPS 140-2, can help you avoid costly and embarrassing breaches, according to Luis Luciani, an iLO engineering distinguished technologist for HPE.
"Every news site you read daily has a headline about a breach," he explains. "As an IT expert, you have to be right 100 percent of the time. Investing in products with the right security and validation can give you the assurance that you're on the right track."
When you're responsible for an entire enterprise's infrastructure security, this assurance is priceless.
Making servers more secure
You may not be aware of FIPS, especially if you're not in the government sector, but this U.S. standard is a key component of infrastructure security. FIPS sets specific rules about how information is handled by entities such as computers, servers, and even people. One iteration of FIPSโFIPS 140-2โsets the rules for encryption and cryptographic services, making sure they're secure enough to protect sensitive (but not classified) information.
"FIPS ensures that data is encrypted correctly and that the cryptology is up to snuff," agrees Luciani.
In order for a piece of equipment to be FIPS 140-2 validated, it must be reviewed by an independently accredited lab. Once the lab tests the equipment, the test reports go to the Cryptographic Module Validation Program at the U.S. National Institute of Standards and Technologies (NIST), where they're evaluated and, hopefully, signed off on. It's a grueling and rigorous processโone that often takes more than a year to complete, says Luciani, since several rounds of testing and changes can be requested before the validation is approved.
This is why there's a big difference between FIPS Inside equipment and equipment that's FIPS validated. A product that carries the FIPS Inside logo hasn't gone through the rigorous testing and validation process. It may use FIPS-approved algorithms or libraries, but it hasn't been tested by an outside independent lab, so it may or may not be secure. Corsec, a computer security organization, has a good primer that explains that most companies using a FIPS Inside designation may only have one subcomponent based on the standard.
Leveraging iLO 5's built-in security
HPE's Gen10 server line has top-tier security built into its DNA. These servers feature the fully FIPS-validated iLO 5, an autonomous management chip that functions as what Luciani calls the "brainstem" of the server, monitoring everything from the temperature and fans to remote management of the server.
"You can run scripts," explains Luciani. "You can do mass installations. It's how you can manage and monitor the server, and FIPS 140-2 means you're doing it all in an extremely secure way."
The unique thing about iLO 5โaside from the fact that it's fully FIPS 140-2 validatedโis that it leverages HPE's Silicon Root of Trust technology to protect the server from attack. This built-in security is burned into the chip at the fabrication level, which means it can't be changed or altered by an outside entity without detection. The chip verifies the firmware code every time the server starts up, and it shuts the server down immediately if it sees any issues or potential problems in the code. The various features built into the Gen10 server reduce your business risk and improve your overall security assurance.
Protecting your organization
Of course, users are going to make mistakes, which can lead to costly security breaches. In fact, CSO recently reported that annual cybercrime damage costs will hit $6 trillion by 2021.
"A data breach or hack can be very costly and embarrassing," says Luciani. If your organization suffers an attack, your reputation will take a huge hit, and your loyal customers may lose their faith and trust in your brand. Worse yet, if customer data or personal information is hacked, your organization may even be liable for financial damages.
The fix is building security into your day-to-day processes and making sure it's part of your infrastructure inside and out. So while you may not think your company needs the level of security that a FIPS-validated product has built in, you may want to think again.
This standard isn't just for government agencies and those who do business with the government anymore. In fact, many companies in the health care, legal, and financial verticals have been using FIPS 140-2 to improve their overall security.
"While certain customers already demand FIPS 140-2 compliance, infrastructure security means it's really important for everyone," says Luciani.
So it's only a matter of time before FIPS 140-2 becomes an internal requirement across the board for all verticals.
Me
Karen Stealey has been writing about technology for more than 15 years. Her work has appeared in top technology and business publications including InformationWeek, BusinessWeek, and Forbes.
ComputeExperts
Our team of Hewlett Packard Enterprise server experts helps you to dive deep into relevant infrastructure topics.