As more of IT is outsourced to the cloud, new security and management challenges arise due to the disaggregation and multi-tenancy of systems. This is compounded by the need to operate across enterprise, regulatory and geographic boundaries, all in the context of an increasingly complex threat environment. HP’s goal is to provide our customers with assurance, insight and control when using HP’s products and services in this new world.
HP relies on many different centers of engineering excellence to develop technologies ranging from embedded control points within devices through high level models of cross-boundary automated management. These provide a robust chain of trust from top to bottom. Additionally, HP is constantly exploring new mechanisms for the detection and mitigation of modern attacks of massive scale.
In the 1950s, W. Edwards Deming and others introduced quality concepts such as Total Quality Management (TQM) to manufacturing. This first took hold in Japan, resulting in Japanese automotive quality greatly surpassing U.S. automotive quality. Quality transformation arrived in the United States in the 1970s, in the IT software arena in the 1980s, and at HP with CEO John Young’s 10X quality initiative, whose goal was to improve software quality by an order of magnitude within a decade. These quality initiatives focused on repeatability, building in quality, managing quality, and going beyond testing.
Security is maintained by deploying security controls at every layer. In the event of a failure at one layer, controls are in place in other areas to minimize breaches and maintain security at all times.
As a one-stop, cloud-based solution for managing an organization’s devices, data, and users, HP DaaS applies industry-proven, service-level security in its architecture as well as its development processes.
HP DaaS Architecture
The HP DaaS with Analytics and Proactive Management (hereafter referred to simply as HP DaaS) architecture consists of the following:
- HP DaaS Backend – Cloud Service that uses the Internet to send tasks to and receive status updates from HP DaaS clients
- HP DaaS Portal – Security enhanced landing page to sign up, sign in and manage account(s)
- Identity Management Component (IdM) – Used to authenticate users
- Device Communication Gateway Component (DCGC) – Provides a security enhanced communication path between the HP DaaS server and all managed devices
- HP DaaS Core – Backend transactional processes that determine roles and privileges
- Services – Modules that provide the actual services to the users
Depending on the operating system, an agent or client application is installed on each device during the provisioning process; it presents the user with validated information about the HP DaaS request to manage the device.
Similarly, the HP DaaS server must know that the current settings, events, and results it receives from a managed device are accurate. The server validates both the content and the source of every communication from the managed device, and the means of validation is established as part of the managed device enrollment process.
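The page does not say how enrollment establishes that validation. The following added example (not HP code, and not a description of HP DaaS’ actual mechanism) shows one common way to realize the two properties named above: enrollment consumes a one-time token and binds a fresh per-device secret to a device identifier, and every later report carries an HMAC over its canonical body plus a sequence number and timestamp, so the server can reject reports that are tampered with, replayed, stale, or sent by a device that never enrolled. All names (`ManagementServer`, `DeviceAgent`, the field layout) and the sample reports are assumptions constructed for illustration.

```python
"""Illustrative device-to-server report validation (assumed design, not HP's)."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def canonical(msg: dict) -> bytes:
    """Serialize deterministically so device and server MAC the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


class ManagementServer:
    """Assumed server side: enrolls devices and validates their reports."""

    def __init__(self, max_skew_s: int = 300):
        self.enrollment_tokens = set()   # one-time tokens handed out by an admin
        self.device_keys = {}            # device_id -> per-device secret
        self.last_seq = {}               # device_id -> highest sequence seen
        self.max_skew_s = max_skew_s

    def issue_enrollment_token(self) -> str:
        token = secrets.token_urlsafe(24)
        self.enrollment_tokens.add(token)
        return token

    def enroll(self, device_id: str, token: str) -> bytes:
        """Consume a one-time token and bind a fresh key to this device_id."""
        if token not in self.enrollment_tokens:
            raise PermissionError("invalid or already-used enrollment token")
        self.enrollment_tokens.discard(token)
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        self.last_seq[device_id] = 0
        return key

    def validate_report(self, envelope: dict, now: Optional[float] = None):
        """Check source (MAC under the enrolled key), integrity and freshness."""
        now = time.time() if now is None else now
        body, tag = envelope.get("body"), envelope.get("tag")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return False, "malformed envelope"
        key = self.device_keys.get(body.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):      # constant-time compare
            return False, "bad MAC: wrong key or tampered content"
        if abs(now - body["ts"]) > self.max_skew_s:
            return False, "stale timestamp"
        if body["seq"] <= self.last_seq[body["device_id"]]:
            return False, "replayed sequence number"
        self.last_seq[body["device_id"]] = body["seq"]
        return True, "ok"


class DeviceAgent:
    """Assumed agent side: MACs each status report with its enrolled key."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key, self.seq = device_id, key, 0

    def report(self, payload: dict, now: Optional[float] = None) -> dict:
        self.seq += 1
        body = {"device_id": self.device_id, "seq": self.seq,
                "ts": time.time() if now is None else now, "payload": payload}
        tag = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


def demo():
    """Enroll one device, then submit a valid, a tampered, a replayed and an unenrolled report."""
    t0 = 1_700_000_000.0  # fixed clock so the run is reproducible (constructed)
    server = ManagementServer()
    token = server.issue_enrollment_token()
    key = server.enroll("laptop-0001", token)
    agent = DeviceAgent("laptop-0001", key)

    good = agent.report({"os_build": "10.0.19045", "disk_free_gb": 41}, now=t0)
    results = [server.validate_report(good, now=t0 + 5)]

    tampered = json.loads(json.dumps(good))            # deep copy, then edit in transit
    tampered["body"]["payload"]["disk_free_gb"] = 999
    results.append(server.validate_report(tampered, now=t0 + 6))

    results.append(server.validate_report(good, now=t0 + 7))   # replay of a seen report

    rogue = DeviceAgent("laptop-0002", secrets.token_bytes(32))  # never enrolled
    results.append(server.validate_report(rogue.report({}, now=t0), now=t0 + 8))
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The order of checks matters: the MAC is verified before any field is trusted, so the timestamp and sequence checks only run on messages that are already known to come from an enrolled device; a real deployment would also persist `device_keys` and `last_seq` across restarts and rotate keys on re-enrollment.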
HP Secure Software Development Lifecycle (SSDL)
Typical industry approaches to application security have been reactive and have failed to apply lessons from the quality field. The two prevalent approaches are:
- “Bury head in the sand” – characterized by reactive security patching. This approach relies on CVEs, with little work to avoid or minimize vulnerability introduction. This is most often seen in industry segments with a minimal security relevant regulatory burden.
- “Test security in” – characterized by a lack of resiliency designed into applications. Instead, effort is applied to find and fix vulnerabilities during testing, in combination with security patching. This approach appears more commonly in the public sector, security regulated industries and healthcare. These segments must show compliance with regulations including the United States’ Federal Information Security Management Act (FISMA), the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
However, security as a quality attribute needs to be applied at every stage of the lifecycle, in the same way the quality field learned decades ago. Key tenets include:
- Quality cannot be tested in; it has to be designed and built in, and then tested.
- It is much less expensive to find defects – in this case security defects and vulnerabilities – early, rather than late, in the lifecycle.
HP takes software security very seriously and, as a result, it has adopted a Secure Software Development Lifecycle (SSDL). Several goals are tied to this process:
- Reduce the cyberattack surface via secure software architecture
- Minimize code-induced vulnerabilities
- Protect the privacy and security of customer data and identities
HP includes specific security related procedures in its software development processes, performs milestone reviews to ensure security processes are successfully completed and delivers on-going security training to its software architects, developers, test engineers, program managers and their management.
There are seven stages in the SSDL process. Each stage is outlined below:
- Training (Stage 1) – Formal courses covering the SSDL process, security enhanced design, threat modeling and secure coding
- Requirements (Stage 2) – Planning for security at the very start of the software project, including a feature-by-feature security risk assessment
- Design (Stage 3) – Defining and documenting the security architecture; identifying critical security components
- Implementation (Stage 4) – Executing the designed protection scheme and the mitigation approach, along with peer code reviews and validations
- Verification (Stage 5) – Performing dynamic code analysis, fuzz testing and attack surface reviews
- Release (Stage 6) – Verifying the SSDL requirements have been met and no known vulnerabilities exist
- Response (Stage 7) – Executing the response tasks outlined during the Release stage
HP DaaS’ Service-Level Security
This section describes how HP DaaS applies Service-Level Security to ensure security at various layers of communications.
At the physical layer, it is important to address the controls that are in place to secure facilities and the network. Customer and device data are stored in AWS data centers that are geographically distributed to provide redundancy. AWS is a recognized leader in cloud hosting. By partnering with AWS, HP DaaS inherits a cloud infrastructure that has been architected to be one of the most flexible and secure cloud computing environments available today. Some of its key security characteristics include:
- Designed for security
- Highly automated
- Highly available
- Highly accredited
Data Collection, Retention, Privacy
HP DaaS gathers specific data on devices and users in order to perform IT management tasks. A listing of the data collected follows.
Device data collected by HP DaaS may include the following groupings:
- Windows Event Logs
Data retention is an important piece of any compliance program and necessary to fulfill proper stewardship of data. HP’s data retention policy is shaped by the following considerations:
- Maintaining data for shorter than necessary periods can violate contractual or legal requirements, or affect security.
- Maintaining data for longer than necessary periods can violate privacy regulations and is a top customer concern and sales inquiry.
- Once data is deleted, there is no obligation to provide it to the customer or law enforcement.
Service Monitoring & Reporting
HP DaaS is updated regularly to deliver the latest features and fixes to customers. HP DaaS also notifies customers, by email and other methods, of scheduled or unscheduled updates and changes to the service. For planned service-interrupting events such as maintenance, customers are notified eight hours in advance.