Addressing Cloud Security Challenges in Aruba Central: Secure by Design

Share Post

This two-part blog series explores the strong infrastructure and data security behind Aruba Central. In this blog, I explore how the design and operations of Aruba Central assures strong security in a multitenant cloud service. In my next blog, I will explore the data security, including APIs and access controls that are inherent in Central's secure service.

Aruba Central is a unified network operations, assurance and security platform that simplifies the deployment, management and service assurance of wireless, wired and SD-WAN environments. Central is hosted on Amazon Web Services (AWS) across multiple regions including the US, Asia, Europe, Canada and China.

Cloud Infrastructure Security
To provide a secure, highly available cloud service, Central is hosted on one of the best IaaS providers—AWS. Central leverages various AWS services, such as:

  • Compute - Amazon EC2
  • Network and Content Delivery - Amazon VPC, ELB, Amazon Route 53 and Amazon CloudFront
  • Storage - Amazon S3, Amazon EBS, Amazon EFS and Amazon S3 Glacier
  • Security, Identity and Compliance - AWS IAM, Amazon Macie and Amazon GuardDuty
  • Management and Governance - Amazon CloudWatch, AWS CloudTrail, AWS Trusted Advisor, AWS Config and AWS Management Console

Production Environment
The production instance of Aruba Central is deployed in its own virtual private cloud (VPC) on the IaaS provider’s cloud. Deploying an application within a VPC offers the following advantages:

  • Logically isolated – A section of AWS is used to define and control resources for consumption.
  • VPC security - Leverage security groups and network access control lists to perform access control.
The application architecture of Aruba Central

The application architecture of Aruba Central

Application Architecture and Security
Cloud-based applications are architected, designed, deployed and configured using cloud-native principles. Cloud-native applications are designed to take full advantage of cloud computing delivery model and are generally based on concepts such as DevOps, continuous delivery, microservices and containers

3 tier web architectureCreating cloud-native applications using tools such as microservices and containers also renders itself to a more secure, robust and scalable application design.

Three-Tier Architecture
In the figure, we can see that typically there are different applications tiers such as web, app and databases. These are modeled and designed for performance and scale. The data is also decoupled with caches to improve performance.

These tiers are designed to operate in a allowlist framework. Only necessary and required communication paths are allowed between tiers.

Each instance within a tier is protected by firewall rules to prevent any unauthorized or malicious access.

Central’s security controls include:

  • The Aruba apps are in a private IP space within the Aruba VPC with routing disabled from the Internet.
  • The AWS Elastic Load Balancer protects against DDoS attacks.
  • An added layer of security is provided by a Web Access Firewall in front of a Nginx load balancer that prevents a host of other attacks.
  • The front-end service (web app) uses customer-defined authentication (two-factor authentication) and authorization rules to allow user access.
Aruba Central provides end-to-end security controls.

Aruba Central provides end-to-end security controls.

Central is designed to support thousands of Aruba customers. The application's architecture allows for data separation and segregation. All data stored as part of the application is tagged with a unique customer ID. Access to the application is strictly controlled using authentication and authorization and every request to access data must reference the unique customer ID.

Secure Communication
All traffic that is exchanged between Central and the external environment is done using HTTPS over SSL. All traffic flow is encrypted using AES encryption technology.

Get more supplementary information around HPE data privacy and security.