Around the Storage Block

How HPE GreenLake Data Services Cloud Console makes array certificate management easier

Certificate management is a job few people enjoy. HPE GreenLake Data Services Cloud Console takes the pain out of the process by enabling you to manage all your storage array certificates from one platform. Learn why certificates are important and how you can manage them more easily.

– By Dan Gardner, Senior Technical Marketing Engineer, HPE

It seems like every day there is a news story about a new data breach or a ransomware attack. According to a recent report by Cyberint,[1] ransomware cases increased 67% between Q1 and Q2 of 2023 and are up a massive 97% compared to Q2 of 2022. Verizon’s 2022 Data Breach Investigations Report[2] highlights that 74% of all breaches involved some kind of human element (error, privilege misuse, stolen credentials, or social engineering).

Data is one of the most significant assets your organization may possess – with multiple methods used to protect this data and restore it from a known good state in the event it is compromised. However, within the three pillars of IT infrastructure – compute, network, storage – the latter is often the least secured from exploitations like ransomware attacks. One of the key areas identified in the 2023 State of Storage and Backup Security Report by Continuity[3] is that of insecure user management and authentication.

As the world moves towards adopting a zero trust approach (ZTA) to network architecture, it’s more important than ever to ensure your public key infrastructure (PKI) covers the whole of the network. A well-managed PKI covers the issuance of certificates, which provide trusted, unique digital identities for network entities, and protects data-in-transit with secure end-to-end communication. Both fully align with the zero trust architecture – in fact, PKI is mentioned as one of the key components of ZTA in the NIST Special Publication 800-207.[4]

What is PKI?

Public Key Infrastructure is a huge part of network security and covers the suite of processes and standards that help establish trusted identity, authenticate entities, and encrypt communication using public keys which are bound to digital certificates by a certificate authority (CA). The use cases of PKI are quite varied, from digital code signing and email encryption to authentication and securing web communication over transport layer security (TLS).

Securing communication over TLS is probably the most common use case of PKI and is used to encrypt HTTP communications over networks. Website owners obtain an identity certificate from a trusted CA which is installed on the web server, and when a client connects to that server, it can see the certificate is from a trusted entity, thus trusting that the web server is who it says it is. Now that trust is established, the TLS handshake can continue to establish a secure, encrypted session. I’m not going to cover the process of the TLS handshake here; if you want to dig further into this, the Wikipedia page on TLS is a great place to start.

So where do certificates fit in?

We all know when browsing the web that if we’re presented with an SSL/TLS related warning we should avoid that website and not bypass the warning, but can the same be said for web servers inside an organization’s network – after all, this device is on the inside so it must be trustworthy, right?

All too often, internal web servers are left with their default self-signed certificates as this may be a default configuration, and it may be deemed too time consuming or unnecessary to bring these devices into the organization’s PKI. However, when a user is required to click through a browser warning to access the GUI of a network resource every time, it doesn’t take long before this behavior becomes automatic. These bad habits can spread to other areas of the network, and even onto external sites.

Unfortunately, it doesn’t take a lot for a malicious actor to exploit this weakness either. With a bit of social engineering here, a dash of phishing there, a sprinkle of trickery, and a user is presented with a bogus web server that appears to be a legitimate log-in screen for the site they are trying to access. They’ve clicked through that warning page a thousand times, why would this time be any different? From here there are multiple ways the attacker could grab the user’s credentials when they attempt to log in. Once they’re in, they can do anything and everything on that device the legitimate user can.

I did just that in preparation for writing this blog post and, using some quite rudimentary methods which I won’t disclose here, was able to grab the admin credentials for a local web server in a very short space of time.

Any damage that this could cause can be partially mitigated by ensuring that users are given least privilege access to the web server, default account passwords are changed and that settings like dual authorization are enabled where possible to prevent any destructive action.

But why leave this door wide open when it’s so easy to close?

HPE Alletra Storage arrays provide a simple and straightforward way to generate certificate requests and to install and manage CA-signed certificates from both the GUI and CLI, so you can ensure that the management web server is as secure as the data held on it. This now couldn’t be easier for your whole fleet, as you can perform all these tasks from Data Ops Manager in Data Services Cloud Console, part of the HPE GreenLake edge-to-cloud platform. Data Services Cloud Console gives you a single pane of glass to view all your HPE storage arrays and manage their certificates wherever the device may be located, without having to go through different GUI or CLI sessions for individual arrays, saving you time and effort. Read up on Data Services Cloud Console in this brochure.
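The difference between a default self-signed certificate and one issued from a certificate request by the organization's CA can be checked with stock OpenSSL. This is an added example, not HPE tooling or code from the original post; the throwaway CA, the hostname `array01.example.internal` and the `classify_cert` helper are constructed for illustration.

```bash
#!/bin/sh
# Constructed lab: throwaway CA, a self-signed "factory default" certificate,
# and a certificate issued from a CSR. All names here are hypothetical.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HOST=array01.example.internal          # hypothetical management hostname

# Minimal config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
  > "$WORK/lab.cnf"
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"

# 1. Stand-in for the organization's internal CA.
openssl req -x509 -config "$WORK/lab.cnf" -extensions ca -newkey rsa:2048 -nodes \
  -days 30 -subj "/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Stand-in for the self-signed certificate a device starts out with.
openssl req -x509 -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=$HOST" -keyout "$WORK/default.key" -out "$WORK/default.pem" 2>/dev/null

# 3. The PKI route: key and CSR for the device, signed by the CA with a SAN.
openssl req -new -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/array.key" -out "$WORK/array.csr" 2>/dev/null
openssl x509 -req -in "$WORK/array.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/array.pem" 2>/dev/null

# classify_cert CERT HOSTNAME -> trusted | self-signed | untrusted
# "trusted" means: chains to the lab CA and the SAN matches HOSTNAME.
classify_cert() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
  then echo trusted
  elif [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
  then echo self-signed
  else echo untrusted
  fi
}

for c in default array; do
  printf '%s.pem: %s\n' "$c" "$(classify_cert "$WORK/$c.pem" "$HOST")"
done
```

The same `classify_cert` check applies to a certificate saved from a real management endpoint, with the organization's CA bundle in place of the lab `ca.pem`.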


By bringing storage arrays into your existing PKI, you can ensure that the network entities inside your organization are trusted, encrypted traffic is more secure, data integrity is maintained and – in combination with ongoing end-user training – bad cybersecurity habits are not reinforced.

Watch the demo on how to manage storage array certificates using Data Services Cloud Console:

To learn more about how you can manage identity certificates on your HPE Storage arrays, check out these configuration guides:

Or search for “certificates” in the articles section within HPE GreenLake Data Services Cloud Console.

Source notes

  1. https://cyberint.com/blog/research/ransomware-trends-q2-2023-report/
  2. https://www.verizon.com/business/resources/reports/dbir/2023/master-guide/
  3. https://www.continuitysoftware.com/resources/the-state-of-storage-backup-security-report-2023/
  4. https://www.nist.gov/publications/zero-trust-architecture

Meet Storage Expert blogger Dan Gardner, Senior Technical Marketing Engineer

As a member of the Storage Technical Marketing team, Dan focuses on all things security – from platform, to network, to cloud, and everything in between. Bringing security to the forefront of the conversation enables customers to keep their data secure, whether it’s at rest or in flight.

Storage Experts
Hewlett Packard Enterprise

twitter.com/HPE_Storage
linkedin.com/showcase/hpestorage/
hpe.com/storage
About the Author

StorageExperts

Our team of Hewlett Packard Enterprise storage experts helps you to dive deep into relevant infrastructure topics.