Addressing Cloud Security Challenges in Aruba Central: Data Security


This two-part blog series explores the strong security behind Aruba Central, our cloud-based network operations and assurance platform. This blog explores how Aruba Central ensures data security in a cloud-based multitenant environment. The first blog explores how the design and operations of Aruba Central provide inherently strong security.

Data Security
Data security is an important part of any modern application, since most sensitive information is kept in electronic form. At its core, data security means that data is protected both at rest and in transit, and that technical controls for data loss protection are implemented.

The following are some of the data security measures that are present on the Aruba Central platform.

  • Data Transfer - All data exchanged between the application, devices and users travels over the secure protocol HTTPS.
  • Data Encryption - All data at rest is stored encrypted. This includes encryption of Amazon EC2 EBS volumes and S3 buckets. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption: Amazon S3 encrypts each object with a unique key and, as an additional safeguard, encrypts that key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt data. A similar mechanism is in place for EBS volumes.
  • Logical Isolation - Data encryption in transit is not enabled within the VPC; however, there are compensating controls for data in transit within the VPC. An Amazon AWS VPC provides logical isolation of resources and inherently isolates the components within the Amazon VPC from all other VPCs. Additionally, Aruba limits the number of public subnets within the internal AWS VPC and routes egress traffic via a NAT located in a public subnet. All other hosts are deployed in private subnets.
  • Data Backup - Data backup occurs on a regular basis and backup data is stored in a redundant manner.
  • Data Erasure - All data is stored for a fixed duration of time after which data is purged.
  • Data Access - Each customer’s data is segregated from every other customer’s data. Access to data for troubleshooting purposes can only be provided with the customer’s consent.

Central provides a rich set of APIs for various features and functionality. The APIs can be used to integrate with third-party software or with in-house applications such as custom dashboards.

Providing a rich set of APIs means that security has to be built in. In this case, communications between the REST API and an HTTP client are secured by enabling HTTPS. Central also supports the OAuth 2.0 protocol for authentication and authorization. Access tokens provide a temporary and secure way to access the APIs. The access tokens have a limited lifetime for security reasons, and applications have to use the refresh API to obtain new tokens periodically.

API Gateway
Central exposes a component known as the northbound REST APIs to the users to access and manage their Central accounts. Central uses open source Kong (version 0.11.2) as its API Gateway platform.

Unlike with a UI, there is no concept of a user session. Every request needs to be accompanied by an OAuth2 token.

OAuth2 Token Generation
A user needs to generate an OAuth2 token before accessing APIs through the APIGW. Here are the modes through which a token can be generated:

Authorization Code Grant

  • Client id and client secret - Alphanumeric strings specific to a customer account. These can be generated via the Central UI or the automation APIs
  • API gateway login API
  • Call the REST login API to obtain a user session
  • The APIGW server validates the user credentials using the Aruba IT SSO API or the LocalDB API. SAML does not work for this case
  • Using the user session and the client id/secret, generate an authorization code (valid for five minutes and one-time use)
  • Exchange the authorization code for an OAuth2 token and a refresh token
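The code-issuing side of the flow above, written as an added Python model for illustration; it is not Aruba's or Kong's code. It assumes the login step has already produced a session user, picks a two-hour access-token lifetime (the post gives none) and rotates the refresh token on every use, while keeping the post's five-minute, one-time-use rule for the authorization code.

```python
import secrets
import time
from dataclasses import dataclass, field

AUTH_CODE_TTL = 300      # from the post: authorization code valid for five minutes
ACCESS_TOKEN_TTL = 7200  # assumption: the post gives no access-token lifetime

def _now(now):
    return time.time() if now is None else now

@dataclass
class TokenService:  # illustrative model only, not Aruba's or Kong's code
    clients: dict                                       # client_id -> client_secret
    codes: dict = field(default_factory=dict)           # code -> (client_id, user, expires_at)
    refresh_tokens: dict = field(default_factory=dict)  # refresh_token -> (client_id, user)

    def issue_code(self, session_user, client_id, client_secret, now=None):
        # Session (from the earlier login step) + client id/secret -> one-time code
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("unknown client or bad secret")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, session_user, _now(now) + AUTH_CODE_TTL)
        return code

    def exchange_code(self, code, client_id, now=None):
        # Redeem the code: pop() enforces one-time use, the timestamp the five-minute window
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or _now(now) > entry[2]:
            raise PermissionError("invalid, expired or already-used code")
        return self._mint(client_id, entry[1], now)

    def refresh(self, refresh_token, client_id, now=None):
        # Refresh API; rotating the refresh token on every use is an assumption, not from the post
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid refresh token")
        return self._mint(client_id, entry[1], now)

    def _mint(self, client_id, user, now):
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = (client_id, user)
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": rt,
                "expires_at": _now(now) + ACCESS_TOKEN_TTL, "user": user}

def rejected(action, *args, **kwargs):
    try:
        action(*args, **kwargs)
        return False
    except PermissionError:
        return True
```

Passing `now` explicitly lets you step the clock and confirm that a reused code, a code older than five minutes, or a rotated-out refresh token is refused.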

Access Control
Access to the Central platform is tightly controlled. All management and monitoring aspects of the cloud environment are handled by a dedicated Aruba DevSecOps team with heavy use of role-based access control (RBAC) and multi-factor authentication (MFA) techniques.

Customer access workflow is integrated from the time a customer purchases their Aruba hardware. The customer admin can control who from their organization is granted what level of access. For troubleshooting purposes, customers are able to grant access to their application instance to the Aruba TAC.

Single Sign-On
Central can be integrated with a SAML 2.0-compliant service to enable single sign-on for a better user experience. This is done by redirecting the user to the customer's SAML login URL (based on the email domain). The user authenticates against the SAML server and is redirected to Central with a SAML assertion. Central validates this SAML assertion against the pre-configured SAML metadata (certificate, etc.) and fetches the user's email ID and attributes. Central then validates this email ID against its internal data to determine whether it belongs to a known user.

In Central public production deployments, authentication is done either by Aruba SSO or, in the case of SAML authentication, by the customer-specific IDP. As you can appreciate, in a SAML environment customer passwords are not stored in Central; the single source of truth is the SAML server (for a given domain).

Two-Factor Authentication
Two-factor authentication adds a second layer of security to the login process in addition to the password. When two-factor authentication is enabled on a user account, the user can sign into their account, whether through the mobile app or the web application, only after providing their password and a six-digit verification code displayed on their trusted device.

Audit Trail
All actions performed by users are logged within the application with full details. This supports auditing and helps meet compliance requirements.

Standards and Compliance
AWS maintains many certifications and frameworks and adheres to privacy laws and regulations. A complete list of its security compliance programs can be found here. Because Aruba uses AWS data centers, certifications such as SSAE 18 SOC 2, PCI, FedRAMP and ISO 27001:2013 are inherent at the data center level.

Aruba applies additional security controls on top of AWS hosting services, which are derived from HPE security policies and security frameworks described in PCI, FedRAMP and SSAE 18 SOC 2 standards. The environment is also covered with a PCI AOC (Attestation of Compliance) for customers covered by PCI. In the future, FedRAMP certification for Federal customers (and also state and local governments who need FedRAMP) will be added.

Independent Assessments
More detailed information around the Consensus Assessments Initiative Questionnaire can also be found here.

System and Organization Controls (SOC) Reporting
Organizations can gain insight and stakeholder assurance through SOC reporting, which helps achieve key compliance controls and objectives across annual audit cycles. Key benefits include:

  • Reduce compliance costs and time spent on audits and filling out vendor questionnaires
  • Meet contractual obligations and marketplace concerns through flexible, customized reporting
  • Proactively address risks across your organization
  • Increase trust and transparency to internal and external stakeholders

Customers can read more about the SOC reports from Amazon here.

Vulnerability Assessments and Penetration Testing
Aruba runs vulnerability scans every month using standard vulnerability management tools. Discovered issues are fixed within a timeframe based on their severity, as below:

  • Critical - 7 days
  • High - 21 days
  • Normal (Medium) - 90 days
  • Low - 180 days

Pen-testing for Aruba Central is also done annually by a third party. For access to the letter, please contact your local Aruba team. Aruba’s policy does not permit prospects, customers or partners to perform their own penetration tests. As you can imagine, such an activity causes operational overhead and has the potential to cause disruption or accidental collateral damage.

Get supplementary information around HPE data privacy and security.