Hewlett Packard Enterprise (HPE) has a plan to continually verify and assert a chain of trust from the workload all the way down to the silicon level and it’s called Project Aurora.

CEO Antonio Neri announced the new security initiative at HPE Discover this week, and said Project Aurora, once built out and integrated with the company’s other networking and cloud security products, will provide a zero-trust architecture that underpins HPE’s entire edge-to-cloud strategy.

Project Aurora builds on HPE’s existing silicon root of trust. This is a hardware-validated boot process that creates a digital fingerprint in silicon and ensures a computer system can only be started using code from an immutable source. HPE also uses cryptographically secured signatures and supply chain security processes to validate its hardware.

Additionally, Project Aurora integrates HPE Integrated Lights-Out 5 (iLO 5) firmware, which verifies all the firmware code is valid, and a trusted platform module (TPM), which ensures the boot process starts with a trusted combination of hardware and software and continues validating the process up the stack until the operating system fully boots and starts running platforms and workloads.

Project Aurora Plans SPIFFE, SPIRE Integrations

“We’ve taken that to the next level for cloud-native zero trust with the integration of SPIFFE and SPIRE,” Neri said, during a press briefing in advance of HPE Discover.

He’s talking about upcoming integrations with Scytale, a cloud-native security company that HPE acquired last year. Scytale’s founders were among the founding contributors to open source SPIFFE and SPIRE, and its product is based on these two open source technologies.

SPIFFE (pronounced Spiffy) stands for Secure Production Identity Framework For Everyone. It’s an open-source workload identity framework that supports distributed systems deployed in on-premises, private cloud, and public cloud environments. Its founders modeled it after similar systems at Google, Netflix, and Twitter.

Meanwhile, SPIRE (aka the SPIFFE Runtime Environment) is an open source SPIFFE implementation that allows organizations to provision, deploy, and manage SPIFFE identities throughout their production infrastructure.

Both of these integrations, which need to happen before Project Aurora becomes an actual product, will make it easier for DevSecOps teams to authenticate workload identities rooted in continuously verified hardware, and will help customers deploy a zero-trust architecture across their IT environment, according to HPE executives.

Project Aurora will integrate with HPE GreenLake Lighthouse, HPE GreenLake cloud services, and HPE Ezmeral software by the end of the year, Neri said.

What About HPE’s SASE Zero Trust?

While Project Aurora is new, it’s not HPE’s only zero-trust effort. Zero-trust network access plays an important role in secure access services edge (SASE), and this is where HPE’s Aruba Edge Services platform fits in. This SASE platform — which includes Aruba networking and security technologies, SD-WAN from its $925 million Silver Peak acquisition, and security functions including zero trust from Zscaler — provides zero-trust enabling technologies, albeit from a more network- and edge-centric standpoint compared to Project Aurora.

“For us, edge to cloud is not just the edge,” Neri said, when asked how Project Aurora works with Aruba and Silver Peak. “I need to connect [the edge] to the rest of my enterprise, and this is where Project Aurora brings it all together because it brings it from the networking connectivity standpoint all the way to the compute and storage perspective.”

During a press conference, HPE CTO Kumar Sreekanti indicated that HPE would also integrate Project Aurora with its SASE platform. Project Aurora is “the unifying experience” for zero trust, he added. “There’s a lot of work going on,” Sreekanti said. “I’m very confident that the teams will come back with more cohesive integration.”

HPE tends to employ multiple strategies to solve the same problem, and in this case the problem is zero trust, said ZK Research principal analyst Zeus Kerravala. However, when it comes to zero trust, he’s not sure if this approach will work.

“If you have multiple control points for policy, then I don’t think you have zero trust,” he said. “I talk to companies that are trying to just manage two firewall vendors, and that’s difficult. That’s one small piece of it. Right now [Project Aurora] is multiple policies, but to me, that’s not really zero trust.”

Will Multiple Control Points Work?

Moor Insights and Strategy senior analyst Matt Kimball, who wrote a white paper about how HPE enables zero trust with Project Aurora, said he views Project Aurora as complementary to HPE’s SASE partnership with Zscaler. “Project Aurora is about protecting an environment from the infrastructure up to the workloads through custom silicon and scanning agents, whereas Zscaler’s zero-trust architecture focuses at the app level through identity management/policy enforcement.”

Zero trust can be achieved with multiple control points. “But it’s extremely difficult. And HPE has addressed this through two ways,” he added.

“The first to ensure there is overlapping protection between each element,” Kimball said. “And the second is the measurement and attestation as part of the validated hand off from infrastructure to OS to platform to workload.”

HPE’s zero-trust strategy ensures overlap starting at the hardware level. Its secure supply chain initiative and cryptographic signatures “assure that the server being racked in a data center is the very same server that left the assembly line, with the very same components,” he explained. Then, the silicon root of trust takes over to validate the hardware and performs some of the same processes as the secure supply chain — “hence overlapping,” Kimball said, while also ensuring “the entire pre-boot environment is pristine.

“From here, OS trust is instantiated and validated handoff takes place where the kernel and OS environment are measured, and continuously scanned, and to the platform, and workload,” he continued. “So, you can see how Project Aurora accounts for these multiple control points.”
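As an added illustration (not HPE’s, iLO’s or SPIRE’s code) of the measured hand-off Kimball describes and of the hardware-rooted workload identity the SPIFFE integration is meant to deliver: each stage is hashed into a TPM-style register before control passes to the next, a verifier replays the event log against the quoted register and golden values, and a SPIFFE ID is issued only when the whole chain checks out. The stage names, trust domain and sample images are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed illustration, not HPE/SPIRE code: every boot stage is measured
# into a TPM-style register (PCR) before it hands off to the next stage.
STAGES = ("firmware", "bootloader", "kernel", "platform", "workload")
TRUST_DOMAIN = "example.org"  # assumed SPIFFE trust domain name

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR-extend rule: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure_chain(images: Dict[str, bytes]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Prover side: hash each stage in order, extend the PCR, keep an event log."""
    pcr = bytes(32)  # PCR is all-zero at platform reset
    log = []
    for stage in STAGES:
        digest = hashlib.sha256(images[stage]).digest()
        log.append((stage, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log

def attest(quote: bytes, log, golden: Dict[str, str]) -> Tuple[bool, str]:
    """Verifier side: replay the log, compare it with the quoted PCR, then
    check every stage against its golden (expected) measurement."""
    pcr = bytes(32)
    for _, hexdigest in log:
        pcr = extend(pcr, bytes.fromhex(hexdigest))
    if pcr != quote:
        return False, "event log does not reproduce quoted PCR"
    for stage, hexdigest in log:
        if golden.get(stage) != hexdigest:
            return False, f"{stage} measurement differs from golden value"
    return True, "chain verified"

def workload_identity(images, golden, name: str) -> Optional[str]:
    """Issue a SPIFFE ID only if the entire chain beneath the workload attests."""
    quote, log = measure_chain(images)
    ok, _ = attest(quote, log, golden)
    return f"spiffe://{TRUST_DOMAIN}/workload/{name}" if ok else None

# Constructed sample images standing in for real firmware and binaries.
GOOD = {s: f"{s}-v1".encode() for s in STAGES}
GOLDEN = {s: hashlib.sha256(GOOD[s]).hexdigest() for s in STAGES}
TAMPERED = dict(GOOD, kernel=b"kernel-v1-modified")

if __name__ == "__main__":
    print(workload_identity(GOOD, GOLDEN, "api"))      # spiffe://example.org/workload/api
    print(workload_identity(TAMPERED, GOLDEN, "api"))  # None
```

A modified kernel image changes its measurement and therefore the register, so the workload above it never receives an identity; a forged event log that claims the golden values cannot reproduce the register the hardware actually quotes.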