The past three years have seen a seismic shift in the security landscape. Cloud computing has achieved widespread enterprise adoption, with 80% of organizations choosing hybrid strategies with multiple public cloud providers.
The percentage of people working outside the secure office perimeter has also ballooned, with high-paying remote job opportunities increasing from 3.69% of all jobs in 2019 to 14.67% in 2021. In response to the increased opportunities offered by the expanded attack surface, cybercrime rates also rose. According to the “2022 Data Protection Trends” report, 76% of organizations suffered from a reported ransomware attack in 2021, with the majority of them attacked more than once.
Before 2020, the United States National Institute of Standards and Technology advised organizations to follow the cybersecurity framework of Identify, Protect, Detect, Respond and Recover. While these five functions are still the backbone of a solid cybersecurity strategy, the rise of cloud and increased threat environment led NIST to publish a set of guidelines for zero-trust architecture in 2020 that are now the default standard for cloud security.
“Over the past couple of years, we have seen how computers evolved, how the threats have evolved,” said Deepak Rangaraj, PowerEdge security product manager at Dell Technologies Inc. “And we have also seen the regulatory trends and we recognize the fact that the best security strategy for the modern world is a zero-trust approach.”
Rangaraj spoke with theCUBE industry analyst Dave Vellante at the “A Blueprint for Trusted Infrastructure: Episode 2” event during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how Dell is embedding security into its servers. (* Disclosure below.)
Dell implements zero-trust supply chain security in PowerEdge servers
Zero trust acknowledges that security breaches are an inevitability in the current climate, and Dell has adapted its security approach with this in mind.
“Nothing is trusted implicitly. You’re constantly verifying every single user, every single device and every single access in your system at every single level of your IT environment,” Rangaraj said.
When it comes to securing the company’s PowerEdge servers, the list of security measures is not only in line with NIST’s frameworks for daily operation, but also takes into account that vulnerabilities can be introduced at any point in the supply chain. Supply chain security starts from sourcing components and includes both the design and manufacturing of the servers. The factories where the servers are built have been verified by Dell, physical security controls are observed, and employees are vetted, according to Rangaraj.
Security in transit is also a priority. Packages are GPS tagged so their location can be tracked, but Dell has more sophisticated processes in place to ensure the servers aren’t tampered with during shipping. A feature known as Secured Component Verification generates an inventory of all the components and configurations in the system at the factory, creating a cryptographic certificate based on specific component data and corresponding unique identifiers. This certificate is then stored and delivered to the customer separately from the PowerEdge server itself, explained Rangaraj. When the customer receives their shipment, they are then able to verify that the components and configurations are the same as when the hardware left the factory.
“If any changes are detected we can figure out if there’s an authorized change or an unauthorized change,” Rangaraj said. “Authorized changes could be upgrades to the drives or memory, and unauthorized changes could be any sort of tampering.”
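The factory-inventory-then-verify flow described above can be sketched as follows. This is an added illustration, not Dell's Secured Component Verification code: the function names, slot names, serial numbers and the approved-change list are assumptions, and an HMAC stands in for the vendor-signed certificate.

```python
import hashlib
import hmac
import json

# Assumption: an HMAC key stands in for the vendor's certificate signing key.
FACTORY_KEY = b"constructed-demo-key"

# Constructed sample inventory; slot names and serials are invented.
AS_BUILT = {
    "cpu0": {"type": "cpu", "serial": "CPU-0001"},
    "dimm0": {"type": "memory", "serial": "MEM-0001"},
    "disk0": {"type": "drive", "serial": "DRV-0001"},
    "nic0": {"type": "nic", "serial": "NIC-0001"},
}


def _tag(inventory, key):
    # Canonical JSON so the same inventory always yields the same digest.
    blob = json.dumps(inventory, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()


def issue_certificate(inventory, key=FACTORY_KEY):
    """Factory side: bind the as-built inventory to a keyed digest."""
    return {"inventory": inventory, "tag": _tag(inventory, key)}


def verify_on_receipt(cert, observed, approved=None, key=FACTORY_KEY):
    """Customer side: authenticate the certificate, then diff the hardware.

    approved maps slot -> serial the customer ordered (None = removal).
    Returns (status, findings) with findings as (slot, kind) tuples.
    """
    if not hmac.compare_digest(_tag(cert["inventory"], key), cert["tag"]):
        return "certificate-invalid", []
    approved = approved or {}
    built, findings = cert["inventory"], []
    for slot in sorted(set(built) | set(observed)):
        now = observed.get(slot)
        if built.get(slot) == now:
            continue
        serial = now["serial"] if now else None
        ok = slot in approved and approved[slot] == serial
        findings.append((slot, "authorized" if ok else "unauthorized"))
    if any(kind == "unauthorized" for _, kind in findings):
        return "tamper-suspected", findings
    return ("changed-authorized" if findings else "match"), findings
```

The certificate is authenticated before any comparison, so an edited inventory delivered with the original tag is rejected outright rather than diffed.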
Automation and a zero-trust strategy
Once the servers are installed within their environment, Dell customers have a long list of features that help build their resistance and resilience in the face of cyberattack. One of the most important capabilities is automated detection and remediation.
“As part of zero trust, we need to respond to these things at machine speed, and we cannot do it at human speed,” Rangaraj stated. “Having these automated capabilities is a big deal when achieving that zero-trust strategy.”
PowerEdge servers also provide what Rangaraj refers to as “a silicon-based platform mode of trust.” This is an immutable key programmed into the silicon on the servers during manufacturing, forming the anchor for a chain of trust that is used to verify everything in the platform, from the hardware and software integrity to the boot.
Dell also provides customers with a software bill of materials that lists all the software pieces included in its server portfolio. The SBOM “allows our customers to quickly look at all the different pieces and compare it to the vulnerability database and see if any of the vulnerable pieces which have been discovered out in the wild affect their platforms,” Rangaraj said.
Data protection features that protect data in-use or in-flight and self-encrypting drives that provide scalable and flexible encryption options also contribute to PowerEdge’s security strength, Rangaraj added.
“Coupled with external key management, these provide really good protection for your data address,” he stated.
Other encryption features include dual-layer encryption, where hardware-encrypted drives are complemented with software encryption and external key management. This is important to protect servers against physical theft. The list of security features continues with identity and access management controls, including multifactor authentication, single sign-on, roles, scope, and time-based access controls.
“All of which are critical to enabling that granular control and checks for the zero-trust approach,” Rangaraj stated.
Rounding out the security package, Dell has the capabilities to meet the regulatory and compliance requirements of its customers and the flexibility to meet their needs regardless of their current security levels.
“If you look at the Dell feature set, it’s pretty comprehensive,” Rangaraj said. “In a nutshell, Dell PowerEdge server’s cyber resilient infrastructure helps accelerate zero-trust adoption for customers.”
(* Disclosure: TheCUBE is a paid media partner for the “A Blueprint for Trusted Infrastructure: Episode 2” event. Neither Dell Technologies Inc., the sponsor of theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)