Christina Richmond

Catching Up with HP, Inc on Secure By Design

I had the good fortune to be invited to the recent HP, Inc. Security Summit in NYC. I haven’t covered HP device security since the company was still attached to its other half, Hewlett Packard Enterprise (HPE), prior to 2016. At the time of the separation, I followed the HPE enterprise side of the house, which ultimately led to the CSC/HPE merger (in 2017) and the creation of DXC. Now, with the launch of my firm, Richmond Advisory Group, I get to dig deep into “Secure by Design” capabilities like those discussed at HP, Inc.’s Summit last week.


The December 11, 2023 event was kicked off by Boris Balacheff, an HP Fellow and the Chief Technologist for Security Research. These security summits can often be light on actual security insights, but this one did not disappoint. We jumped right in with the five key areas we would cover throughout the day’s event:


1. Robust certifiable roots of trust
2. Self-healing and resilience at scale
3. Threat containment
4. Zero trust and distributed security at scale
5. Security across the device lifecycle


The event covered business PC and printer (enterprise and large format) security, but in the interest of brevity I will focus on the PC segment and the go-to-market business changes. Much was discussed in our 8-hour day, and some of it was provided under non-disclosure agreement (NDA).



With over two decades of innovating security at the hardware level and a decade of building the HP Endpoint Security Controller into its PCs, the company understands that devices can and should be certified to boot only with validated firmware; should be aware enough to detect anomalous behavior at start-up and during runtime; and should be able to detect, contain and self-heal when threats are present. Devices should be able to do all of this from cradle to grave. When done properly, security by design inherently enhances a zero-trust journey.


The feature that most impressed me was the security hypervisor that HP, Inc. acquired with Bromium in 2019, but this is in part because I was catching up on device security. According to Ian Pratt, ex-CEO of Bromium and now Global Head of Security for HP Personal Systems, micro-virtualization is a concept that enables an endpoint to secure itself “by design”. It relies on the built-in features of computer processors to isolate each untrusted user task, such as opening a browser tab, downloading a document, or clicking on a link. This capability was clearly demonstrated live in the session breakouts.


What’s even more interesting to me is where HP, Inc. is headed with the security hypervisor: it can now attest to the state of an application, to the fact that it is running on a particular machine, and to the hypervisor running in a given configuration, so that you know what you are interacting with, independent of the state of the rest of the system. The OS and the other applications in residence do not matter to the attestation because the attested application is isolated from them. This concept brings zero trust to a new level. While this is certainly not the full extent of a zero-trust journey, since zero-trust discussions mostly center on network access and user identity and access management, it highlights zero trust on the endpoint. The direction HP, Inc. is taking with the security hypervisor extends trust to individual applications running on the endpoint, giving a relying party confidence that it is talking to an application running in a known configuration. This then is a “root of trust” with “highly reliable hardware, firmware, and software components”, in the words of NIST’s Roots of Trust project.
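To make the attestation idea concrete, here is an added illustration of the verifier-side checks that such a scheme requires: a fresh nonce to defeat replay, a signature over the measurements, and a comparison of the application and hypervisor measurements against expected values held by the relying party. This is example code written for this page, not HP’s protocol or product code. Everything in it is assumed: the device key is a shared HMAC key standing in for the hardware-protected asymmetric key a real root of trust would use, the sample application bytes and hypervisor configuration are constructed, and the machine identifier is made up.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data for this example (not from any real device).
# A real design would sign with a per-device asymmetric key held in hardware;
# a shared HMAC key stands in for it here so the example runs stand-alone.
DEVICE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
MACHINE_ID = "PC-0001"
APP_GOOD = b"isolated-browser-v1.0"            # stands in for the app image
APP_TAMPERED = b"isolated-browser-v1.0-patched"
HV_CONFIG = {"isolation": "strict", "clipboard": "off", "version": "2.3"}


def measure(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def config_digest(cfg: dict) -> str:
    # Canonical JSON so the same configuration always measures the same.
    return measure(json.dumps(cfg, sort_keys=True).encode())


def make_quote(nonce: bytes, app: bytes, hv_cfg: dict,
               machine_id: str = MACHINE_ID) -> dict:
    """Device side: bind the verifier's nonce to the measurements and sign.
    The OS and other applications are deliberately NOT measured: the quote
    covers only the isolated application and the hypervisor running it."""
    claims = {
        "nonce": nonce.hex(),
        "machine": machine_id,
        "app": measure(app),
        "hypervisor": config_digest(hv_cfg),
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(DEVICE_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_quote(quote: dict, nonce: bytes, expected: dict) -> tuple[bool, str]:
    """Relying-party side. Order matters: authenticate the quote before
    trusting any field in it, then check freshness, then each measurement."""
    calc = hmac.new(DEVICE_KEY, quote["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(calc, quote["tag"]):
        return False, "signature invalid"
    claims = json.loads(quote["payload"])
    if claims["nonce"] != nonce.hex():
        return False, "nonce mismatch (replayed quote)"
    for field in ("machine", "app", "hypervisor"):
        if claims[field] != expected[field]:
            return False, f"{field} measurement mismatch"
    return True, "attested"


# Reference values the relying party trusts (provisioned out of band).
EXPECTED = {
    "machine": MACHINE_ID,
    "app": measure(APP_GOOD),
    "hypervisor": config_digest(HV_CONFIG),
}


def run_scenarios() -> dict:
    """Exercise the good case and four failure modes; returns name -> result."""
    nonce = secrets.token_bytes(16)
    results = {}
    results["good"] = verify_quote(
        make_quote(nonce, APP_GOOD, HV_CONFIG), nonce, EXPECTED)
    results["tampered_app"] = verify_quote(
        make_quote(nonce, APP_TAMPERED, HV_CONFIG), nonce, EXPECTED)
    weak_cfg = dict(HV_CONFIG, clipboard="on")   # isolation weakened
    results["weak_hv_config"] = verify_quote(
        make_quote(nonce, APP_GOOD, weak_cfg), nonce, EXPECTED)
    old = make_quote(secrets.token_bytes(16), APP_GOOD, HV_CONFIG)
    results["replayed"] = verify_quote(old, nonce, EXPECTED)  # wrong nonce
    forged = make_quote(nonce, APP_GOOD, HV_CONFIG)
    forged["payload"] = forged["payload"].replace(b"PC-0001", b"PC-0002")
    results["forged_machine"] = verify_quote(forged, nonce, EXPECTED)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:15} {'PASS' if ok else 'FAIL'}  {why}")
```

The point worth keeping from this: the quote is only as useful as the verifier’s reference values and its nonce handling. Without trusted expected measurements there is nothing to compare against, and without a fresh nonce per request a captured quote from a healthy machine can be replayed from a compromised one.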


Broadening the zero-trust discussion, the security controller chip, which stays on even when the PC is powered off, now has a low-bandwidth, always-on network connection for remote management. There are many use cases for this feature: asset management, GPS location, remote lock, or wipe when recovery is not possible. Future use cases include real-time security alerts. Attackers are increasingly competent at evading Endpoint Detection and Response (EDR) products by blocking the agent’s communication with the cloud or corrupting the list of events sent to the provider. Monitoring over an always-on channel that lives outside the operating system sidesteps these tactics, because an attacker who controls the OS cannot block or rewrite what the controller reports.
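The practical value of a second, out-of-band channel is that it gives the SOC an independent liveness signal to compare EDR telemetry against. As an added example (not HP’s code, and not the output format of any real product), the following detection logic runs over constructed telemetry: a list of EDR events carrying per-host sequence numbers, and a table of last check-in times from an assumed out-of-band management channel. A host is flagged when the independent channel says it is up but the in-OS agent has gone quiet, or when its event sequence has holes. All host names, timestamps and sequence numbers are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real product output).
# EDR events: (host, sequence number assigned by the agent, timestamp).
EDR_EVENTS = [
    ("PC-0001", 100, "2023-12-11T09:00:00"),
    ("PC-0001", 101, "2023-12-11T09:12:00"),
    ("PC-0001", 102, "2023-12-11T09:25:00"),
    ("PC-0002", 55, "2023-12-11T09:00:00"),
    ("PC-0002", 56, "2023-12-11T09:05:00"),   # then silence: cloud traffic blocked
    ("PC-0003", 7, "2023-12-11T09:00:00"),
    ("PC-0003", 9, "2023-12-11T09:20:00"),    # sequence 8 never arrived
]
# Last check-in per host over the assumed out-of-band management channel.
OOB_LAST_SEEN = {
    "PC-0001": "2023-12-11T09:30:00",
    "PC-0002": "2023-12-11T09:30:00",
    "PC-0003": "2023-12-11T09:30:00",
    "PC-0004": "2023-12-11T08:00:00",   # powered off for 90 min; silence expected
}
NOW = datetime.fromisoformat("2023-12-11T09:31:00")


def find_silenced_agents(edr_events, oob_last_seen, now,
                         max_silence=timedelta(minutes=15)):
    """Return a sorted list of (host, reason) findings.

    Hosts the out-of-band channel has not heard from recently are skipped:
    without an independent liveness signal, EDR silence is not evidence of
    tampering, it is just an offline machine."""
    last_edr: dict[str, datetime] = {}
    seqs: dict[str, set[int]] = {}
    for host, seq, ts in edr_events:
        t = datetime.fromisoformat(ts)
        last_edr[host] = max(last_edr.get(host, t), t)
        seqs.setdefault(host, set()).add(seq)

    findings = []
    for host, seen in oob_last_seen.items():
        if now - datetime.fromisoformat(seen) > max_silence:
            continue  # device genuinely off or offline
        last = last_edr.get(host)
        if last is None or now - last > max_silence:
            # Controller says the device is up, but the in-OS agent is mute.
            findings.append((host, "edr_silent"))
        s = sorted(seqs.get(host, set()))
        if s and s[-1] - s[0] + 1 != len(s):
            # Holes in the agent's sequence: events dropped or stripped in transit.
            findings.append((host, "event_gap"))
    return sorted(findings)


if __name__ == "__main__":
    for host, reason in find_silenced_agents(EDR_EVENTS, OOB_LAST_SEEN, NOW):
        print(f"{host}: {reason}")
```

The sequence-gap check is the cheap counterpart to the liveness check: an attacker who filters the event stream rather than cutting it entirely leaves holes that the agent’s own numbering exposes, provided the agent numbers events and the backend keeps the numbers.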


HP, Inc. has been building the foundation of platform security into its business PCs and printers for years, but is now accelerating customer deployment, control, usage, and operational management. According to Balacheff, this takes endpoint security to a lifecycle approach: customers realize that they need not only to establish trust in the devices they procure and deploy for their employees, but to maintain that trust through the life of the device, from factory provisioning through configuration and auditing of the hardware and firmware to decommissioning or redeployment.


From a business standpoint, HP is pivoting from a la carte offerings to a two-tier sales model: Wolf Pro Security and Wolf Enterprise Security. Pro is targeted at the small and midsized business (SMB) market. The Enterprise package adds HP Sure Click Enterprise and HP Sure Access Enterprise and is targeted at larger customers or customers with a more mature security posture. Both are available bundled with HP hardware or as standalone software (for HP and non-HP PCs). The always-on connection discussed above (HP Wolf Connect) is a separate subscription.


Overall, it was great to reconnect with HP, Inc. and to catch up on the advances the company has made in the last several years. Future secure by design is in good hands with the manufacturer, and I expect some exciting news to come out at CES this week. But like any intentions, they are not realized until they are announced and delivered in the customer environment. The “proof is in the pudding,” as they say. I’m impressed with the engineering skill the team has amassed, and the company seems to be fully integrated with Bromium’s capabilities and driving innovations forward as its own HP entity after what must have been a challenging separation from its sister company years ago. One piece of advice I’d offer is to continue to push for lock-step engineering, marketing and delivery of PCs and printers. At the end of the day, an endpoint is an endpoint, and these two device sets need to sing from the same hymn book. While much of what is offered from a security perspective is the same, there are legacy names and siloed businesses that could benefit from greater cross-pollination. I look forward to tracking this progress and to hearing from HP, Inc. on its continued activities with AI, and on standards and certification with NIST and others.
