HPE Alletra Storage MP B10000 and NIST CSF 2.0: A Full-Stack Cyber Resilience Architecture by Brian Beeler on June 12, 2026 Data Protection ◇ Enterprise HPE has built a coordinated cyber resilience architecture around the Alletra Storage MP B10000. It extends the platform’s native security capabilities through an integrated stack that includes virtualization with Morpheus and VM Essentials, continuous data protection with Zerto, long-term backup retention with StoreOnce, and observability via vendor-agnostic security information and event management (SIEM) integration. Taken together, the architecture is designed to align directly with the NIST Cybersecurity Framework 2.0, with the B10000 serving as the operational center across every function of the framework. The whole design exists to answer the two questions a security practitioner will ultimately ask about any piece of infrastructure: Is it still under our control, and is the data on it still being protected? Enterprise storage historically sits outside the broader security conversation. In most organizations, a chief information security officer who is worried about a misconfigured router in a branch office or an unpatched laptop on the corporate network pays little attention to the storage array in the data center. The array is behind layers of perimeter security, accessible to a small handful of administrators, and largely invisible to the broader IT organization. On paper, it is one of the safest assets in the building. That assumption no longer holds. Modern ransomware operations have learned that the array is the highest-value target in the data center. Endpoints and servers can be reimaged. Primary storage is where the data actually lives, and an attacker who gains administrative control of the array can encrypt the data, delete the snapshots meant to recover it, and destroy the backups in a single coordinated motion. At that point, the organization is not dealing with an inconvenience; it is negotiating for its survival. The tools available to attackers, including AI-assisted variants that adapt faster than signature-based defenses can keep up with, are increasingly capable of reaching that target. The stakes are no longer only operational. Regulators in the United States, the European Union, and the United Kingdom have moved infrastructure security from a best practice toward a legal obligation. Frameworks such as the EU’s Digital Operational Resilience Act and the NIS2 Directive require demonstrable controls for detection, recovery, and incident reporting, with accountability that extends to the executive level. The organizations carrying these obligations are exactly the ones running enterprise storage at scale: banks and financial services firms, hospitals and healthcare networks, utilities and critical infrastructure operators, government agencies, and the cloud and service providers that host all of the above. For them, failing to secure the infrastructure layer is not only a risk to the business but also a compliance failure with serious consequences. The work of cyber resilience sits in the gap between storage and security teams that report to different leaders, measure success differently, and rarely share the operational language needed to coordinate during an incident. Storage administrators understand throughput, capacity, and recovery objectives. Security teams understand kill chains, attack vectors, and posture management. Most organizations discover the gap only after they have been forced to operate in it. The architecture HPE has assembled is designed to close that gap, and the sections that follow work through each NIST function to test how well it does, returning throughout to the two questions of control and protection. Architecture Overview To provide a practical demonstration environment rather than an oversized enterprise deployment, the HPE team built out a compact but functional recovery and backup stack in their Fort Collins lab. At the center of the environment is a three-node HPE VM Essentials (VME) cluster running on HPE ProLiant DL325 Gen 11 Servers, which provides the compute layer for the demo infrastructure. These hosts are interconnected through the local IP network, which also provides connectivity to the NAS layer used within the environment. Running inside the VME cluster are the HPE Zerto virtual machines, configured similarly to how many organizations currently deploy Zerto in a traditional VMware environment. While the underlying infrastructure here uses HPE VME, the operational flow and recovery functionality remain familiar for administrators experienced with VMware-based disaster recovery workflows. A WAN-connected secondary Zerto environment is available in the Bristol lab in the UK, with firewall rules and network paths in place to support replication from Fort Collins. The intent of this topology is multi-site recovery: continuous replication and disaster-recovery orchestration across geographically separated sites. This would allow workloads protected in Fort Collins to fail over to Bristol if the primary site became unavailable. During this engagement, HPE ran Zerto replication locally in Fort Collins due to bandwidth and distance constraints, and because a second parallel VME cluster was not available to exercise the full cross-site flow. The Bristol leg is documented here as configured and available infrastructure, not as a cross-site failover performed in this session. Storage connectivity in the environment is split between IP and Fibre Channel networking, depending on the workload. The FC SAN fabric connects the VME hosts directly to the HPE Alletra MP B10000 platform, providing shared access to enterprise storage across the cluster. The B10000 also presents Catalyst over Fibre Channel to the StoreOnce Virtual Storage Appliance (VSA), which is the path used for application-consistent backups between the array and the backup target. Virtual Lock snapshots play a central role in the ransomware resilience and immutability workflows on the platform and are exercised in detail in the Protect and Recover sections. For backup infrastructure, HPE deployed a StoreOnce Gen5 VSA running on a single HPE server in the lab. The VSA exposes the same core StoreOnce functionality as the dedicated appliance. Deduplication, backup target presentation, replication behavior, and integration with the broader HPE data protection stack remain fundamentally the same whether deployed as a VSA or on dedicated hardware. The VSA is well-suited for labs, branch offices, testing environments, and smaller production use cases, making this compact demonstration practical to deploy. The physical StoreOnce appliance carries an advantage that goes beyond scale and throughput, and it matters specifically in the ransomware context this paper examines. A VSA runs as a guest on a hypervisor. If an attacker compromises the virtualization layer, every workload on it, including a VSA backup target, is within reach. A physical StoreOnce appliance has no such dependency. It runs on dedicated hardware outside the hypervisor that an attacker would have to traverse, keeping the backup of last resort on infrastructure the attacker has not already breached. For production deployments where StoreOnce is the long-term retention tier in a cyber resilience design, the physical appliance is the stronger choice for exactly this reason. Both the HPE Alletra MP system and the StoreOnce VSA were onboarded to HPE’s Data Services Cloud Console, providing centralized, cloud-based management and visibility across the environment. Through Data Services Cloud Console, the infrastructure can be monitored, managed, and integrated into broader HPE data services workflows from a single interface, tying together storage, backup, and recovery operations. Govern: Implementing Your Strategy HPE does not write your governance plan. Your organization, your insurer, and your legal team arrive at the policy...
