How HPE GreenLake Data Services Cloud Console makes array certificate management easier
Certificate management is a job few people enjoy. HPE GreenLake Data Services Cloud Console takes the pain out of the process by enabling you to manage all your storage array certificates from one platform. Learn why certificates are important and how you can manage them more easily.
– By Dan Gardner, Senior Technical Marketing Engineer, HPE
It seems like every day there is a news story about a new data breach or a ransomware attack. According to a recent report by Cyberint [1], ransomware cases have increased 67% between Q1 and Q2 of 2023 and are up a massive 97% compared to Q2 of 2022. Verizon’s 2022 Data Breach Investigations Report [2] highlights that 74% of all breaches involved some kind of human element (error, privilege misuse, stolen credentials, or social engineering).
Data is one of the most significant assets your organization may possess, and multiple methods are used to protect it and to restore it from a known good state if it is compromised. However, of the three pillars of IT infrastructure – compute, network, storage – the last is often the least secured against exploitation such as ransomware attacks. One of the key areas identified in the 2023 State of Storage and Backup Security Report by Continuity [3] is insecure user management and authentication.
As the world moves towards adopting a zero trust approach (ZTA) to network architecture, it’s more important than ever to ensure your public key infrastructure (PKI) covers the whole of the network. A well-managed PKI covers the issuance of certificates, which provide trusted, unique digital identities for network entities and protect data in transit with secure end-to-end communication. Both fully align with the zero trust architecture; in fact, PKI is mentioned as one of the key components of ZTA in NIST Special Publication 800-207 [4].
What is PKI?
Public key infrastructure is a huge part of network security. It covers the suite of processes and standards that help establish trusted identity, provide authentication, and encrypt communication using public keys that are bound to digital certificates by a certificate authority (CA). The use cases of PKI are quite varied, from digital code signing and email encryption to authentication and securing web communication over Transport Layer Security (TLS).
Securing communication over TLS is probably the most common use case of PKI and is used to encrypt HTTP communications over networks. Website owners obtain an identity certificate from a trusted CA and install it on the web server. When a client connects to that server, it can see that the certificate is from a trusted entity and can therefore trust that the web server is who it says it is. Once trust is established, the TLS handshake can continue and establish a secure, encrypted session. I’m not going to cover the process of the TLS handshake here; if you want to dig further into this, the Wikipedia page on TLS is a great place to start.
So where do certificates fit in?
We all know when browsing the web that if we’re presented with an SSL/TLS-related warning we should avoid that website and not bypass the warning. But can the same be said for web servers inside an organization’s network? After all, this device is on the inside, so it must be trustworthy, right?
All too often, internal web servers are left with their default self-signed certificates, because this is how they ship and it may be deemed too time-consuming or unnecessary to bring these devices into the organization’s PKI. However, when a user is required to click through a browser warning every time they access the GUI of a network resource, it doesn’t take long before this behavior becomes automatic. These bad habits can spread to other areas of the network, and even onto external sites.
Unfortunately, it doesn’t take a lot for a malicious actor to exploit this weakness either. With a bit of social engineering here, a dash of phishing there, a sprinkle of trickery, and a user is presented with a bogus web server that appears to be a legitimate log-in screen for the site they are trying to access. They’ve clicked through that warning page a thousand times, why would this time be any different? From here there are multiple ways the attacker could grab the user’s credentials when they attempt to log in. Once they’re in, they can do anything and everything on that device the legitimate user can.
I did just that in preparation for writing this blog post and, using some quite rudimentary methods which I won’t disclose here, was able to grab the admin credentials for a local web server in a very short space of time.
Any damage that this could cause can be partially mitigated by ensuring that users are given least-privilege access to the web server, that default account passwords are changed, and that settings like dual authorization are enabled where possible to prevent any destructive action.
But why leave this door wide open when it’s so easy to close?
HPE Alletra Storage arrays provide a simple and straightforward way to generate certificate requests and to install and manage CA-signed certificates from both the GUI and CLI, so you can ensure that the management web server is as secure as the data held on it. This now couldn’t be easier for your whole fleet, as you can perform all these tasks from Data Ops Manager in Data Services Cloud Console, part of the HPE GreenLake edge-to-cloud platform. Data Services Cloud Console gives you a single pane of glass to view all your HPE storage arrays and manage their certificates wherever the devices may be located, without having to go through different GUI or CLI sessions for individual arrays, saving you time and effort. Read up on Data Services Cloud Console in this brochure.
By bringing storage arrays into your existing PKI, you can ensure that the network entities inside your organization are trusted, encrypted traffic is more secure, data integrity is maintained and – in combination with ongoing end-user training – bad cybersecurity habits are not reinforced.
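Before bringing arrays into the PKI, it helps to know which management endpoints would still show users a browser warning. The following is an added example, not HPE code and not part of Data Services Cloud Console: it audits a constructed certificate inventory for self-signed, soon-to-expire and name-mismatched certificates. The host names, CA name, dates and record layout are all assumptions made for illustration.

```python
import ssl
from collections import namedtuple
from datetime import datetime, timezone

# Constructed inventory (hosts, CA name and dates are made up for this example).
Cert = namedtuple("Cert", "host subject_cn issuer_cn not_after sans")
CA = "Example Corp Issuing CA 01"      # assumption: your PKI's issuing CA
INTERNAL_CAS = {CA}
FLEET = [
    Cert("array01.example.internal", "array01.example.internal", CA,
         "Mar 14 12:00:00 2026 GMT", ["array01.example.internal"]),
    Cert("array02.example.internal", "array02", "array02",      # factory default
         "Jan  1 00:00:00 2035 GMT", ["array02"]),
    Cert("array03.example.internal", "array03.example.internal", CA,
         "Jan 15 00:00:00 2025 GMT", ["*.example.internal"]),
    Cert("array04.example.internal", "array04-old.example.internal", CA,
         "Mar 14 12:00:00 2026 GMT", ["array04-old.example.internal"]),
]

def san_matches(host, sans):
    """True on an exact SAN match or a single left-most wildcard label."""
    host = host.lower()
    parent = host.partition(".")[2]    # "a.b.c" -> "b.c"
    return any(n.lower() == host or (parent and n.lower() == "*." + parent) for n in sans)

def audit(cert, now, warn_days=30):
    """Return the reasons a browser user would hit (or soon hit) a warning."""
    findings = []
    # Name comparison only; a full check would also verify the signature chain.
    if cert.issuer_cn == cert.subject_cn:
        findings.append("self-signed")
    elif cert.issuer_cn not in INTERNAL_CAS:
        findings.append("unknown-issuer")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert.not_after), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append(f"expires-in-{days_left}d")
    if not san_matches(cert.host, cert.sans):
        findings.append("name-mismatch")
    return findings

def audit_fleet(fleet, now):
    return {c.host: audit(c, now) for c in fleet}

if __name__ == "__main__":
    for host, findings in audit_fleet(FLEET, datetime.now(timezone.utc)).items():
        print(f"{host}: {', '.join(findings) or 'ok'}")
```

Any endpoint with a non-empty finding list is one where users are being trained to click through a warning, so those are the arrays to re-issue certificates for first.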
Watch the demo on how to manage storage array certificates using Data Services Cloud Console:
To learn more about how you can manage identity certificates on your HPE Storage arrays, check out these configuration guides:
- Managing SSL/TLS Certificates on HPE Alletra 5000 series, HPE Alletra 6000 series and HPE Nimble Storage Flash arrays
- HPE Alletra 9000: UI 1.4 User Guide
Or search for “certificates” in the articles section within HPE GreenLake Data Services Cloud Console.
Source notes
1. https://cyberint.com/blog/research/ransomware-trends-q2-2023-report/
2. https://www.verizon.com/business/resources/reports/dbir/2023/master-guide/
3. https://www.continuitysoftware.com/resources/the-state-of-storage-backup-security-report-2023/
4. https://www.nist.gov/publications/zero-trust-architecture
Meet Storage Expert blogger Dan Gardner, Senior Technical Marketing Engineer
As a member of the Storage Technical Marketing team, Dan focuses on all things security – from platform, to network, to cloud, and everything in between. Bringing security to the forefront of the conversation enables customers to keep their data secure, whether it’s at rest or in flight.
Storage Experts
Hewlett Packard Enterprise
twitter.com/HPE_Storage
linkedin.com/showcase/hpestorage/
hpe.com/storage