Security and Cyber Resiliency: Dell PowerEdge and Broadcom
Hello, I'm Russ Fellows from the Futurum Group, and this is another tech webcast. And today I'm joined by Deepak Rangaraj and Brett Henning. I'll let you both introduce yourselves. Brett, you want to tell us a little bit about yourself? Yes. I'm Brett Henning, and I am a security
architect in the Broadcom Data Center Solutions Group. I work on storage, networking and PCI switches. I specifically focus on security for those devices. Excellent. And Deepak? Hi, I’m Deepak Rangaraj. I’m with Dell Technologies. I’m a product manager for the PowerEdge cybersecurity and BIOS capabilities.
Right. And so, today's topic, we're talking about some of the security features within Dell and Broadcom. Right, so the Broadcom, several add-in cards are incorporated in with the Dell PowerEdge server line. And I want to give a little bit of context for what we're
seeing around security. I've been in IT for a long time, going back to the late eighties. So, I was an IT administrator, and I managed a group of I.T. people. And one thing always with security is that we typically did as little as possible, as little as we were required to do just because, you know, we always saw security as getting in the way of either ease of use, usability, you know, complex passwords – why can't I just use Root Calvin for everything, right? But gradually, over time, every year, people have more and more understood, you know, the security implications, and especially in the last five years with the rise of ransomware and a lot of malware attacks, the customers that we're seeing are focusing heavily on security. In fact, you know, security in general, cyber attacks of different sorts. You know, those types of malware
that get in are one of the primary things that our clients are talking with us about. And we've done a number of surveys and, you know, reducing the attack surface is one of the primary conversations that we're having with our IT clients. So, everybody today realizes the importance of this cyber security in general and want to know what they can do and following best practices. So I think this is really a timely conversation to talk about some of the technologies that are emerging to enhance this further. So one of the frameworks that we developed in order to look at all of this is a security model. So the Futurum security framework and what we did is we
looked at multiple NIST standards and some other industry standards and best practices as well. And so we looked across over 65 different areas at the security from the supply chain to the manufacturing to the engineering design and, you know, to the product features as well as to how it's deployed within IT environments. So all these go into making a completely secure environment. So, Deepak, you had a few thoughts around, you know, the security threat landscape
that you want to talk about, you want to kick things off with your perspectives? Yeah, happy to. You covered a lot of things. You know, complexity is a big term which is getting thrown around right now. And that's true even when you look at our server products and where they're getting deployed. It's in data centers, colocations, you know, edge, cloud, right? It's
in the hybrid environment. And again, you’re also dealing with customers who have different requirements. They form this huge spectrum. Some security tolerance and risk tolerance is pretty low because of the kind of workflows that they're running, the mission critical stuff they're running, and others, not so much. They want flexibility. So yeah, our products are designed to operate in that hybrid environment to satisfy the needs of all of those customers. And especially with the complexity of the threat landscape and seeing it's evolving rapidly, right? So there was this one recent survey I was reading that said 85% of the security professionals polled indicated that they're seeing a correlation in the increase of the number of attacks and the frequency of attacks with the rise of AI tools. So the very same tools
that we talk about, which helps us increase our productivity, are helping attackers. And that's the world that we're living in. And we need to do a lot to be able to stay protected in it. And with our PowerEdge servers, you know, being the foundation of our customer’s IT infrastructure, we want to make sure that they’re foundationally secure and they're secure by design so that this customer stays protected and they can do the things that they want to do for new business, innovate on the business, without security becoming a burden for them. So that's a key focus area for Dell. Right, yeah, that makes a lot of sense. And Brett, now, a lot of the add-in components that you work with at Broadcom are designed to work together with the Dell PowerEdge Systems. You want to talk a little bit about some of the principles that you and Broadcom used to integrate with the Dell server line? Yeah. Yeah. And just looking at some of the ways that the industry has changed in the
last few years, you know, when we're going back a couple of decades, if you were designing devices that went into a server, you could always just depend on the server to provide a security barrier to you. And that assumption is gone. So an important principle that we've really brought into our devices and into our engagement with Dell is that we no longer assume that the device is protected by anything outside of it. The device has to be secure on its own, and it has to have a security posture that stands on its own. And so we've been bringing a lot of these same principles to the devices that are going into the PowerEdge servers. So we're also doing secure design from the start. We are following standards so that
we're following best practices in the industry and we're really trying to make the security stories seamless for customers. So we've been working hand-in-hand with Dell to make sure that we can address everything from those small customers who need something that's very turnkey to the larger customers that really need to be able to customize down to the very core of the product. Right. So the secure by design now there's a term used quite a bit recently, zero trust, right? So that means that nothing implicitly trusts anything else. You have to prove to me who you are and have some type of method of authenticating, right, and device attestation and all that, right. And that's used to then set up secure communications between different devices,
and that can occur between the server and an add-in PCI card or even between PCI cards and other devices. So yeah, I think that zero trust is a component that both Dell and Broadcom are using. So, Deepak, do you have anything you want to talk about with the zero trust capabilities that are designed into the new 16G servers? Yeah, definitely. So zero trust first is a core security principle that we adhere to internally when we are developing a product, we are thinking about it from a zero trust principles perspective. How can we make every
single thing that we do secure internally? At the same time, we also want to deliver capabilities and features to our customers to enable zero trust deployments in their own datacenters to create that zero trust architecture on their end, you know, the zero trust environment and all iterations of it. So they’re building in capabilities with that in mind. So irrespective of where the customers are in their journey to adopting zero trust, we have capabilities built in which can help them. So that's a key part of it. At the same time, you can take a step back and think about it like, you know, zero trust is about the cybersecurity principles, but there's also this requirement from the customers right now for transparency and commitment to doing and developing the products in a secure manner. And that's where I think, you know, security by design kind of jumps into the conversation and it's getting a little more traction. It's all about making customers' lives easier. It's
reducing the security burden on their end. And that's another key focus that we have looking into as part of our coverage. Right. And Brett, I know that you guys are leveraging Zero Trust as well and also working with emerging standards like SPDM for secure communication within systems. Anything you want to talk about there?
Yeah. Yeah. So for us, zero trust is a big part of our posture in the server these days. From the point of view of the device. Yeah. We, we no longer have inherent trust in anything. So every time we boot, we run a secure boot. We don't trust the firmware that's loaded in our device just because it's there. We have to verify it. And then every time
we join the server, we actually have to be authenticated using SPDM. So we have to prove our secure posture every single time the device initializes. And so that's really a foundational piece of zero trust for us. Where secure by design also comes in,
and it's good that you brought that up, Deepak, because secure design really guides, points to a number of principles that make our zero trust architecture more trustworthy or more secure. Right. So for those who don't know, we did a pretty in-depth testing and analysis of this product. So we had access to a couple of Dell systems, 16 G servers, current generation, had the latest Broadcom 57508 I believe is the correct model number for the 100 gig NIC along with a Broadcom based PERC card. So this is, you know, a custom Dell product, but it's based on a Broadcom chip design for doing RAID, right, the PERC chip. So the systems that we tested have both of those in there and we looked at quite a few things. So we tried out the secure
boot both over the NIC and also off the PERC card and verified that you could do all that. And yes, you can definitely make it so that it won't boot if you load an image that is not, you know, does not have the proper credentials. And you know, we tried firmware updates to the lifecycle controller. Actually, we got one image that did not have the proper credentials on purpose and it refused to update it. It said, nope, I don't like the credentials in this batch of
firmware. I'm not going to update. That was on I believe it's on the PERC card. Right. So it wouldn't update it there. It updated it everywhere else across the system. You know 17, 18 different firmware patches, you know, I can’t keep track of how many it was but so that was pretty impressive to see that, yes, it works both ways. It does what it should positively and it rejects what it should also negatively, so that's important. Right. Another thing that we found that
I liked a lot was, you know, we looked at the management tools and all of these things are integrated throughout with iDRAC and then the Dell OME tool for, you know, local system management and then also CloudIQ. And in particular, I was pretty impressed with CloudIQ, hadn't used it in a few years, but and I hadn't looked at it so much from a security standpoint before. You know, I've used it from a storage management perspective. And what I noticed is that they, you know, sort all of your different systems by, you know, recommended patches, like here we see that these outstanding issues are the most important things that you should address. Because, again, you know, when I was an IT administrator, you could literally spend your entire day, all day, every day updating systems, right? There's an endless supply of patches. And so it's really important to prioritize, okay, which ones are critical. And so the tools being able
to monitor and prioritize those, I think was a really nice feature saying, Hey, look at these three or four servers and apply these patches because these are the most critical, right? So I was pretty impressed by that and it seems that you both have worked well together because, you know, the status of all the Broadcom components was right there at every level. So, yeah, anything you want to add on those thoughts? Yeah. Yeah. Thank you for saying that Russ, glad to know it is appreciated. And you're exactly right. You know vulnerability management is a big part of any IT administrator’s role, right?
And if you look at the amount of effort it takes to figure out once a vulnerability is disclosed, firstly analyzing what is reported, checking if it actually affects your system by keeping track of all of your software assets, all of your hardware assets, mapping it to the CVE to make sure it's affected or not. Now you go check your entire fleet of systems to see if any of those systems have the affected firmware versions. Then figure out if there are patches available and if the systems have been patched. That's a lot of steps that they have to go through and that's exactly what
we want to simplify and reduce the burden for customers by putting in all those capabilities into CloudIQ. You have a single dashboard where you can just go look at all of your fleet, figure out which of the systems has a known vulnerability, and if they have a vulnerable firmware version, is there a patch available and there's a button right there that you can just go click and update system. And it's intended to do that. It’s intended to make our customer’s lives easier. And again, extending it to the SPDM piece that you were talking about, that's again, a critical piece. As Brett touched upon it, we would
like to add these robust layers of security to create the defense in depth, and SPDM is an important part of that, right, where we have a load root of trust on the platform-level. The components that we get from our partners like Broadcom, they have their own root of trust. So that adds additional layers. Now you add SPDM on top of it, you get the zero trust means right where you have capabilities for testing the identity of the components, capabilities for testing to authenticity, integrity of the components. So that adds more layers and makes our platform even more secure. And that's where we want to partner strongly with our vendors like Broadcom to add to its layers and make it more secure. Yeah, I was pretty impressed that it all seemed
pretty seamless. And then another thing I noticed was the secure component verification tool, which was pretty nice. So, you know, my system had been modified since manufacturing and it identified the components that were modified so not part of the manufacturing process apparently, the PERC card was but the Broadcom NIC was not part of it. It said, okay, this wasn't part of the original bill of materials and neither were the memory modules.
Right. So it said, okay, these were part of the original order and these items were not part of the original order. It didn't say that they were, you know, suspect or anything, but just this was not on the original bill of materials from the initial order from the factory. So I thought that was interesting to flag that. So, you know, people buying in volume can be assured that they're getting exactly what they ordered. Right. I think that's an important handshake there that
you both seem to do a great job on. So that's good to hear that that went smoothly for you. Yeah. Like I said, you know, I've been doing this for a while. Yeah. So, you know, there's a lot of security built in with the secure boot at the UEFI level and the PXE boot coming off the Broadcom card. All that has to work, you know, together and operate similarly. That's always a tough word for me to say, so that people can, you know, do secure boot in any manner, either from local media or over the network. Right. But we tried those both out and it worked well. So I think that was
goes a long way toward making this realistic. Like you said, you know, people want security now. They're highly concerned about it. They want to follow industry best practices, but they want to do it in a way hopefully that doesn't impact their day job, which is delivering IT services to their clients. Right. So making it as unobtrusive as possible and, you know, integrated throughout the tool stack. So it's pretty impressive. That seems well thought out. Any other thoughts that you want to add there? I'm glad you had a good experience with that. Our team, our development team,
put a lot of effort into making that as seamless as possible and as smooth as possible. So like you said, security doesn't actually get in the way. It just enhances the experience. Right. That goes back to the principle of secure by design, right? Everything is secure by design. And the default option now is security. So for long-time Dell users,
no more Root Calvin server for the iDRAC, right? It's easy to use and easy to remember, but same goes for hackers, right? So that's no longer the default option, which is great, right? That’s the intent, right? Security's meant to add friction into the system so that it becomes difficult for the attackers. Right. And it's also, you have to have the right tradeoffs because you need to not affect the productivity of the users adversely by doing these things because it's you know, whether it is encryption, you're sacrificing some performance for protection or whether it is multi-factor authentication, you know, all of those things are intended to add that friction into the system to make it difficult for attackers, but at the same time have the right balance that the user’s productivity is not affected. Yeah, that's definitely what we saw. So yeah, we have a paper available about an 11 page paper. I have a copy of it right here available and that will be available on the Futurum Group's website as well as Dell Info Hub. So you can find out more details about all this and welcome anybody's questions or feedback. So we love to hear from our IT user community, so I'll close it out for myself, and Deepak and Brett, I'll let you say any final thoughts that you have.
Yeah. Yeah. Well, thanks for having me here for this discussion. This has been a great discussion. Just talking about where things are in security and really we just look forward to continuing this partnership and what future products will continue to bring to users.
Yeah, that's great. Deepak, any follow up thoughts? Sure. I just want to close by saying, you know, Dell Technologies, we’re investing heavily to make security simple and easy for customers, we don't want it to become a burden where you have to go figure out how to hire experts for every single organization to be able to make products secure. We want it to be simple, right? And that's something we're heavily focused on, making our products foundationally secure and secure by design. It was really great chatting with you both, you know, hearing Brett's perspective, that's always interesting to hear from other experts in the industry. Thank you for having me. This is a great chance to discuss all of these great topics. Yeah, I think people will find this highly
interesting because obviously servers are one of the primary targets within organizations, right? So if you want to start with security, that's a great place to start. And a lot of these tools that we mentioned are just built into the systems now. The secure by design actually means something, right? So it's designed in, they're available and it's integrated throughout the management stack from, you know, iDRAC to OME to CloudIQ. It encompasses all the add-in cards from Broadcom. So it's a pretty holistic viewpoint for security. And I
recommend people take a look at what's available. So we'll have more information available on our website and at the Dell Info Hub, and you can find links to the paper within this video. So I'm Russ Fellows from Futurum Group. Thanks. See you next time.
2024-04-23 02:27