HPE launches industry-standard servers with firmware security

Hewlett Packard Enterprise (HPE) is the first vendor to put silicon-based security into its industry-standard servers. Calling them the "world’s most secure"¹, HPE has designed its new ProLiant portfolio to address firmware attacks. The Information Systems Audit and Control Association (ISACA) research reveals² more than 50% of cyber security professionals reported at least one incident of malware-infected firmware in 2016.

HPE has developed the “silicon root of trust” – a unique link between custom HPE silicon and HPE Integrated Lights Out (iLO) firmware that includes encryption and breach detection technologies and is complemented by HPE supply chain security and HPE Pointnext security assessment and protection services. Building this security directly into the silicon provides the ultimate protection against firmware attacks, as well as the ability to recover essential server firmware automatically. Essentially HPE’s silicon root of trust ensures the servers cannot boot up unless the firmware matches an internal fingerprint, so the servers are unable to execute compromised firmware code.

"The major requirement for IT to grow and move forward is trust," said Paul Haverfield, CTO, Data Cetnre and Hybrid Cloud, Enterprise Group, Asia Pacific and Japan, HPE.

Source: HPE. Paul Haverfield, CTO DCHC (Data Center Hybrid Cloud) Technologies, HPE APJ with a HPE Gen10 Server.

Because HPE has total control of its own custom-made silicon chip and the server-essential firmware, it is the only vendor in the industry that can offer this advantage, HPE noted. Haverfield explained that the technology is actually on selected server Intel chips but only switched on for the new HPE servers, and noted that competitors typically focus more on protecting other aspects of the infrastructure such as software and the operating system as opposed to the firmware.

“A security breach in firmware is one of the most difficult to detect but can be one of the most damaging. Unfortunately, firmware is often overlooked in c-suite conversations about data
center security, and cyber criminals are targeting this as a new attack surface,” said Patrick Moorhead, President and Principal Analyst of technology analyst and advisory firm Moor Insights & Strategy.

“While many servers have some level of hardware security already built-in, HPE is creating firmware security inextricably tied with its custom made silicon, to help customers protect against these malicious attacks.”

The iLO chip is the square chip in the centre.

The iLO chip cannot be hacked, unlike programmable chips, Haverfield explained. "The iLO firmware is burned in; it can't be hacked, it can't be modified. As long as (a chip) can be modified you can bet your last dollar in your bank account that someone will find a way to modify it," he said.

When the HPE Gen10 server boots up, code from the iLO chip executes before the operating system takes over, he said. That code self validates various server components, such as the firmware, BIOS operating system, and master boot record. The iLO chip continues to monitor operations in the background thereafter, checking for intrusions, and can recover from damage. Recovery is within 30-60 minutes in tests by HPE, he said.

The threat of rogue employees is addressed with technology from Niara, a recent HPE acquisition, Haverfield added. Niara's technology tracks human behaviour with machine learning and can identify potential behavioural risks.

The new compute experience offers customers the ability to accelerate applications and business insights through software-defined infrastructure. The enhancements revolve around three pillars:

• Security – what HPE can do to instill greater trust in infrastructure as well as in cloud providers 
• Agility – how to give customers more tools and better tools for better productivity to compete better in the marketplace 
• Economic control – providing pay-per-use, or utility-style billing and pricing for the IT core.

Updates include:

 HPE OneView 3.1 supports the end-to-end Gen10 server platform and will transform compute, storage and network into software-defined infrastructure. The next generation, version 3.1, delivers composable storage capabilities, improved firmware management, extended support for a broad range of HPE compute platforms and support for new composable ecosystem partners including Mesosphere DC/OS. HPE and Mesosphere recently announced a strategic alliance that will help customers benefit from joint engineering, reference architecture and improved time to value.

 HPE Intelligent System Tuning offers a dynamic experience around applications in partnership with Intel on the Intel Xeon Scalable processor family. Algorithms that HPE developed in conjunction with Intel are embedded in all of the CPUs, but only turned on in a HPE server, Haverfield said. These functions include modulate frequency (jitter smoothing), increased performance (core boosting), and tuning of the server to match workload profiles.

Haverfield elaborated that the BIOS in the server has up to 1,000 settings that can be tuned. HPE has preconfigured optimised profiles for 10 different workloads such as web servers, messaging gateways, and database servers, so the customer no longer has to change the settings manually. Customers can also create their own profiles. All templates can be applied en masse in an automated fashion.

On jitter smoothing, Haverfield said that multicore CPUs from Intel have a turbo mode to temporarily boost the frequency of some cores, at sacrifice of other cores. When these cores stop running, any app that is running at the time may stop for a short time, Haverfield said. "Even if it's only half a millisecond, it can cause unpredictable performance," he said. "Jitter smoothing prevents cores having to stop...Every CPU has small differences in the actual frequency that different cores can run at. (HPE has a) self learning algorithm that can remember (the optimal frequencies)."

A new experience in “time to insight”:

 HPE Synergy for Gen10 including HPE Synergy 480 and HPE Synergy 660 are compute modules that deliver increased performance across compute-and data-intensive workloads, such as financial modelling. In addition, they deliver Ethernet 25/50 GB connectivity and a 2.8x increase in direct-attached storage (DAS) capacity.

As part of the new compute experience, storage offerings were also announced on May 24, 2017. "We're bringing a new class of memory-based computing for workloads that are very intensive like with data analytics," Haverfield said. These deliver a new experience in workload optimisation, accelerating data-driven applications:

 HPE Scalable Persistent Memory, an integrated storage solution that runs at memory speeds with terabyte-scale capacity, unlocking new levels of compute performance with built-in persistence. With up to 27 times faster³ application checkpoint operations and 20 times faster⁴ database restores, HPE Scalable Persistent Memory delivers the fastest persistent memory in the market at scale⁵.

Haverfield explained that bringing storage closer to the CPU allows big data and analytics workloads to execute more quickly, and the current transaction is not lost in the event of a crash. The server DIMM slots in a Gen10 server can be populated by non-volatile memory DIMMs, packaged as persistent memory, he shared.

High performance computing (HPC) solution

HPE has also introduced a new HPC solution, the HPE Apollo 6000 Gen10. The HPE Apollo 6000 Gen10 is workload-optimised to deliver faster, more efficient insights while reducing vulnerability to cyber-attacks and improving economic control. A large commercial, air-cooled, HPC platform, the HPE Apollo 6000 Gen10 has been redesigned to deliver more than 300 teraflops per rack, higher rack-scale efficiency and exceptional price performance. The HPE Apollo 6000 Gen10 is also the most secure HPC system in the world leveraging the unique “silicon root of trust” technology for security threat protection.

Key new capabilities of this system include:

 Industry leading reliability, accessibility, serviceability and manageability

 Greater application licensing efficiency

 Reduced latency and higher IOPs performance

 Reduced power consumption and cooling requirements

Chemical company BASF, which has a strong presence in the Asia Pacific and Middle East regions, is one of the first users of the HPE Apollo 6000 Gen10 system. BASF jointly developed a supercomputer for the digital transformation of chemical research with HPE. This is the largest supercomputer used for industrial chemical research and enables BASF to reduce computer simulation and modelling times from months to days, accelerating time to market and lowering costs.

Pay-as-you-go options

Customers can accelerate business insights across a hybrid world of traditional IT, public and private cloud with HPE’s pay-as-you-go options. HPE offers consumption-based IT payment models that deliver the business outcomes customers need – whether it is cash flow improvement, accelerated deployment or cost effective capacity management. HPE Flexible Capacity changes the way customers consume IT to align with actual business needs. By paying only for what they use and leveraging an on-site buffer to scale up or down on demand, customers can save money by eliminating over-provisioning.

"Economic control takes away one of those factors that drive customers towards public cloud," Haverfield observed. "We can have a public cloud style experience without having customers moving to public clouds."

To help customers align IT to business needs, HPE is introducing two new offerings:

 HPE Capacity Care Service enabling mid-sized companies to control utilisation and capacity management in order to reduce over-provisioning and raise utilisation levels.

 IT Investment Strategy Workshops which are designed to help companies develop an IT investment strategy with funding models aligned to an IT investment roadmap.

“Customers shouldn’t have to compromise when it comes to security, the agility of software-defined infrastructure and the flexibility of cloud economics,” said Haverfield. “With our ProLiant Gen 10 portfolio, HPE is offering customers the best compute experience in the industry with unmatched security, new ways to accelerate insights and payment models that allow customers to choose options that work best for them.”

Interested?

The new generation of HPE ProLiant Servers, HPE Synergy Compute Modules, HPE Converged System and HPE Apollo 6000 Gen10 System is now available.

Read the Moor Insights white papers:

 HPE Locks Down Server Security (PDF)

 Hybrid IT Helps Businesses Navigate Through Digital Transformation (PDF)

1 Based on new silicon root of trust technology and other comprehensive security features, verified by InfusionPoints.   

2 ISACA Study on Firmware Security Risks and Mitigation: Enterprise Practices and Challenges, 2016. 

3 Twenty-seven times faster checkpoint operations comparing doing application checkpoint with MySQL on hard disk drives (HDDs) compared to HPE Scalable Persistent Memory.   

4 Twenty times faster restores comparing restoring a Microsoft SQL Hekaton in-memory database with solid state drives (SSDs) vs. restoring with HPE Scalable Persistent Memory. 

5 Fastest persistent memory in the market substantiation based on HPE’s solution using all DRAM – the fastest media on the memory bus. Rapid procurement and subscriptions are the two major benefits attracting customers to the public cloud.