Dell Technologies has unveiled a range of new and enhanced security technologies aimed at further protecting its PCs and servers across the hardware lifecycle, from manufacturing to retirement.
Included among them are two new SafeSupply Chain offerings that augment previously introduced development lifecycle and supply chain safeguards. The first, called SafeSupply Chain Tamper Evident Services, is designed to give businesses greater confidence that newly purchased PCs haven’t been compromised in transit to them from a Dell production facility.
“When the systems leave our factory, there are a lot of things that could happen to them,” observes Sylvia Seybel, vice president of security and commercial client marketing for Dell Technologies. “We want to make sure when our systems and our infrastructure arrive at our customers, that they are not being tampered with.”
The new service uses “tamper-evident seals” attached at the factory both to the device and its box to verify that neither one has been opened during the shipping process. “That avoids security threats like somebody putting in a compromised DRAM or changing a component that might have some kind of backdoor in it,” says John Roese, global CTO for Dell Technologies.
Optional pallet seals are available as well for additional safety.
A companion offering called SafeSupply Chain Data Sanitization Services uses an erasure process compliant with NIST standards to ensure that hard drives arrive free of malware.
“When you start the imaging of the system, you have got a clean slate and you know nobody has tampered with your system,” Seybel says.
PC supply chain exploits sound rarer than they actually are, according to Roese. “It turns out that there’s plenty of examples over the last 20 years where technology moving through not just the supply chain but the distribution channel, the logistics infrastructure, was intercepted and modified in some way,” he says.
To provide similar protection to servers, products in the Dell EMC PowerEdge portfolio now come with Secured Component Verification certificates designed to confirm that devices arrive exactly as they were assembled and shipped.
“As the product’s being built in the factory, we are digitally signing the components to make sure that we have a representation digitally and with a level of authority that the components that were actually produced and put into the product are the components that you receive,” Roese says.
Fully 44% of organizations experienced at least one hardware-level or BIOS attack over the past 12 months, and 16% have had more than one attack, according to data cited by Dell from Futurum Research.
PowerEdge UEFI Secure Boot Customization, another addition to the PowerEdge server family announced today, lets organizations in industries like financial services with especially sensitive information create customized boot sequences. “It really eliminates your dependency on any third-party certificates to boot your systems,” Seybel says.
An update to the integrated Dell Remote Access Controller (iDRAC), which lets businesses enable or disable system lockdowns without executing a reboot, extends that technology to network interface controllers.
“You can now seamlessly lock the NIC configuration to prevent changes to the firmware,” Seybel says.
All of the changes described today are additions to Dell’s “intrinsic security” strategy, which seeks to build security measures not only into the company’s hardware but “into the end-to-end process and experience of consuming, utilizing, and even decommissioning your technology,” Roese says. The goal is to help customers more effectively mitigate today’s proliferating and sophisticated threats, and the increasingly significant financial harm they do.
“There are statistics that tell us that most customers build their security model on the assumption that there are bad actors already in their infrastructure,” Roese notes. “We take a perspective that that’s not a sufficient answer and we need to do more. We need to start transforming the way we think about security and trying to change to a model that at least allows us to keep up with the security threats as they’re emerging.”