Security and Cyber Resiliency Dell PowerEdge and Broadcom

Hello, I'm Russ Fellows from the Futurum Group, and this is another tech webcast. And today I'm joined by Deepak Rangaraj and Brett Henning. I'll let you both introduce yourselves. Brett, you want to tell us a little bit about yourself?

Yes. I'm Brett Henning, and I am a security architect in the Broadcom Data Center Solutions Group. I work on storage, networking and PCI switches. I specifically focus on security for those devices.

Excellent. And Deepak?

Hi, I’m Deepak Rangaraj. I’m with Dell Technologies. I’m a product manager for the PowerEdge cybersecurity and BIOS capabilities.

Right. And so, today's topic, we're talking about some of the security features within Dell and Broadcom. Right, so the Broadcom, several add-in cards are incorporated in with the Dell PowerEdge server line. And I want to give a little bit of context for what we're seeing around security. I've been in IT for a long time, going back to the late eighties. So, I was an IT administrator, and I managed a group of IT people. And one thing always with security is that we typically did as little as possible, as little as we were required to do just because, you know, we always saw security as getting in the way of either ease of use, usability, you know, complex passwords – why can't I just use Root Calvin for everything, right? But gradually, over time, every year, people have more and more understood, you know, the security implications, and especially in the last five years with the rise of ransomware and a lot of malware attacks, the customers that we're seeing are focusing heavily on security. In fact, you know, security in general, cyber attacks of different sorts. You know, those types of malware that get in are one of the primary things that our clients are talking with us about. And we've done a number of surveys and, you know, reducing the attack surface is one of the primary conversations that we're having with our IT clients. So, everybody today realizes the importance of this cyber security in general and wants to know what they can do and following best practices. So I think this is really a timely conversation to talk about some of the technologies that are emerging to enhance this further.

So one of the frameworks that we developed in order to look at all of this is a security model. So the Futurum security framework and what we did is we looked at multiple NIST standards and some other industry standards and best practices as well. And so we looked across over 65 different areas at the security from the supply chain to the manufacturing to the engineering design and, you know, to the product features as well as to how it's deployed within IT environments. So all these go into making a completely secure environment. So, Deepak, you had a few thoughts around, you know, the security threat landscape that you want to talk about, you want to kick things off with your perspectives?

Yeah, happy to. You covered a lot of things. You know, complexity is a big term which is getting thrown around right now. And that's true even when you look at our server products and where they're getting deployed. It's in data centers, colocations, you know, edge, cloud, right? It's in the hybrid environment. And again, you’re also dealing with customers who have different requirements. They form this huge spectrum. Some security tolerance and risk tolerance is pretty low because of the kind of workflows that they're running, the mission critical stuff they're running, and others, not so much. They want flexibility. So yeah, our products are designed to operate in that hybrid environment to satisfy the needs of all of those customers. And especially with the complexity of the threat landscape and seeing it's evolving rapidly, right? So there was this one recent survey I was reading that said 85% of the security professionals polled indicated that they're seeing a correlation in the increase of the number of attacks and the frequency of attacks with the rise of AI tools. So the very same tools that we talk about, which help us increase our productivity, are helping attackers. And that's the world that we're living in. And we need to do a lot to be able to stay protected in it. And with our PowerEdge servers, you know, being the foundation of our customer’s IT infrastructure, we want to make sure that they’re foundationally secure and they're secure by design so that this customer stays protected and they can do the things that they want to do for new business, innovate on the business, without security becoming a burden for them. So that's a key focus area for Dell.

Right, yeah, that makes a lot of sense. And Brett, now, a lot of the add-in components that you work with at Broadcom are designed to work together with the Dell PowerEdge Systems. You want to talk a little bit about some of the principles that you and Broadcom used to integrate with the Dell server line?

Yeah. Yeah. And just looking at some of the ways that the industry has changed in the last few years, you know, when we're going back a couple of decades, if you were designing devices that went into a server, you could always just depend on the server to provide a security barrier to you. And that assumption is gone. So an important principle that we've really brought into our devices and into our engagement with Dell is that we no longer assume that the device is protected by anything outside of it. The device has to be secure on its own, and it has to have a security posture that stands on its own. And so we've been bringing a lot of these same principles to the devices that are going into the PowerEdge servers. So we're also doing secure design from the start. We are following standards so that we're following best practices in the industry and we're really trying to make the security stories seamless for customers. So we've been working hand-in-hand with Dell to make sure that we can address everything from those small customers who need something that's very turnkey to the larger customers that really need to be able to customize down to the very core of the product.

Right. So the secure by design now there's a term used quite a bit recently, zero trust, right? So that means that nothing implicitly trusts anything else. You have to prove to me who you are and have some type of method of authenticating, right, and device attestation and all that, right. And that's used to then set up secure communications between different devices, and that can occur between the server and then add-in PCI card or even between PCI cards and other devices. So yeah, I think that zero trust is a component that both Dell and Broadcom are using. So, Deepak, do you have anything you want to talk about with the zero trust capabilities that are designed into the new 16G servers?

Yeah, definitely. So zero trust first is a core security principle that we adhere to internally when we are developing a product, we are thinking about it from a zero trust principles perspective. How can we make every single thing that we do secure internally? At the same time, we also want to deliver capabilities and features to our customers to enable zero trust deployments in their own datacenters to create that zero trust architecture on their end, you know, the zero trust environment and all iterations of it. So they’re building in capabilities with that in mind. So irrespective of where the customers are in their journey to adopting zero trust, we have capabilities built in which can help them. So that's a key part of it. At the same time, you can take a step back and think about it like, you know, zero trust is about the cybersecurity principles, but there's also this requirement from the customers right now for transparency and commitment to doing and developing the products in a secure manner. And that's where I think, you know, security by design kind of jumps into the conversation and it's getting a little more traction. It's all about making customers' lives easier. It's reducing the security burden on their end. And that's another key focus that we have looking into as part of our coverage.

Right. And Brett, I know that you guys are leveraging Zero Trust as well and also working with emerging standards like SPDM for secure communication within systems. Anything you want to talk about there?

Yeah. Yeah. So for us, zero trust is a big part of our posture in the server these days. From the point of view of the device. Yeah. We no longer have inherent trust in anything. So every time we boot, we run a secure boot. We don't trust the firmware that's loaded in our device just because it's there. We have to verify it. And then every time we join the server, we actually have to be authenticated using SPDM. So we have to prove our secure posture every single time the device initializes. And so that's really a foundational piece of zero trust for us. Where secure by design also comes in, and it's good that you brought that up, Deepak, because secure design really guides, points to a number of principles that make our zero trust architecture more trustworthy or more secure.

Right. So for those who don't know, we did a pretty in-depth testing and analysis of this product. So we had access to a couple of Dell systems, 16G servers, current generation, had the latest Broadcom 57508 I believe is the correct model number for the 100 gig NIC along with a Broadcom based PERC card. So this is, you know, a custom Dell product, but it's based on a Broadcom chip design for doing RAID, right, the PERC chip. So the systems that we tested have both of those in there and we looked at quite a few things. So we tried out the secure boot both over the NIC and also off the PERC card and verified that you could do all that. And yes, you can definitely make it so that it won't boot if you load an image that is not, you know, does not have the proper credentials. And you know, we tried firmware updates to the lifecycle controller. Actually, we got one image that did not have the proper credentials on purpose and it refused to update it. It said, nope, I don't like the credentials in this batch of firmware. I'm not going to update. That was on I believe it's on the PERC card. Right. So it wouldn't update it there. It updated it everywhere else across the system. You know 17, 18 different firmware patches, you know, I can’t keep track of how many it was but so that was pretty impressive to see that, yes, it works both ways. It does what it should positively and it rejects what it should also negatively, so that's important. Right.

Another thing that we found that I liked a lot was, you know, we looked at the management tools and all of these things are integrated throughout with iDRAC and then the Dell OME tool for, you know, local system management and then also CloudIQ. And in particular, I was pretty impressed with CloudIQ, hadn't used it in a few years, but I hadn't looked at it so much from a security standpoint before. You know, I've used it from a storage management perspective. And what I noticed is that they, you know, sort all of your different systems by, you know, recommended patches, like here we see that these outstanding issues are the most important things that you should address. Because, again, you know, when I was an IT administrator, you could literally spend your entire day, all day, every day updating systems, right? There's an endless supply of patches. And so it's really important to prioritize, okay, which ones are critical. And so the tools being able to monitor and prioritize those, I think was a really nice feature saying, Hey, look at these three or four servers and apply these patches because these are the most critical, right? So I was pretty impressed by that and it seems that you both have worked well together because, you know, the status of all the Broadcom components was right there at every level. So, yeah, anything you want to add on those thoughts?

Yeah. Yeah. Thank you for saying that Russ, glad to know it is appreciated. And you're exactly right. You know vulnerability management is a big part of any IT administrator’s role, right?

And if you look at the amount of effort it takes to figure out once a vulnerability is disclosed, firstly analyzing what is reported, checking if it actually affects your system by keeping track of all of your software assets, all of your hardware assets, mapping it to the CVE to make sure it's affected or not. Now you go check your entire fleet of systems to see if any of those systems have the affected firmware versions. Then figure out if there are patches available and if the systems have been patched. That's a lot of steps that they have to go through and that's exactly what we want to simplify and reduce the burden for customers by putting in all those capabilities into CloudIQ. You have a single dashboard where you can just go look at all of your fleet, figure out which of the systems has a known vulnerability, and if they have a vulnerable firmware version, is there a patch available and there's a button right there that you can just go click and update system. And it's intended to do that. It’s intended to make our customer’s lives easier.

And again, extending it to the SPDM piece that you were talking about, that's again, a critical piece. As Brett touched upon it, we would like to add these robust layers of security to create the defense in depth, and SPDM is an important part of that, right, where we have a load root of trust on the platform-level. The components that we get from our partners like Broadcom, they have their own root of trust. So that adds additional layers. Now you add SPDM on top of it, you get the zero trust means right where you have capabilities for testing the identity of the components, capabilities for testing the authenticity, integrity of the components. So that adds more layers and makes our platform even more secure. And that's where we want to partner strongly with our vendors like Broadcom to add to its layers and make it more secure.

Yeah, I was pretty impressed that it all seemed pretty seamless. And then another thing I noticed was the secure component verification tool, which was pretty nice. So, you know, my system had been modified since manufacturing and it identified the components that were modified so not part of the manufacturing process apparently, the PERC card was but the Broadcom NIC was not part of it. It said, okay, this wasn't part of the original bill of materials and neither were the memory modules.

Right. So it said, okay, these were part of the original order and these items were not part of the original order. It didn't say that they were, you know, suspect or anything, but just this was not on the original bill of materials from the initial order from the factory. So I thought that was interesting to flag that. So, you know, people buying in volume can be assured that they're getting exactly what they ordered. Right. I think that's an important handshake there that you both seem to do a great job on.

So that's good to hear that that went smoothly for you.

Yeah. Like I said, you know, I've been doing this for a while. Yeah. So, you know, there's a lot of security built in with the secure boot at the UEFI level and the PXE boot coming off the Broadcom card. All that has to work, you know, together and operate similarly. That's always a tough word for me to say, so that people can, you know, do secure boot in any manner, either from local media or over the network. Right. But we tried those both out and it worked well. So I think that goes a long way toward making this realistic. Like you said, you know, people want security now. They're highly concerned about it. They want to follow industry best practices, but they want to do it in a way hopefully that doesn't impact their day job, which is delivering IT services to their clients. Right. So making it as unobtrusive as possible and, you know, integrated throughout the tool stack. So it's pretty impressive. That seems well thought out. Any other thoughts that you want to add there?

I'm glad you had a good experience with that. Our team, our development team, put a lot of effort into making that as seamless as possible and as smooth as possible. So like you said, security doesn't actually get in the way. It just enhances the experience.

Right. That goes back to the principle of secure by design, right? Everything is secure by design. And the default option now is security. So for long-time Dell users, no more Root Calvin server for the iDRAC, right? It's easy to use and easy to remember, but same goes for hackers, right? So that's no longer the default option, which is great, right?

That’s the intent, right? Security's meant to add friction into the system so that it becomes difficult for the attackers. Right. And it's also you have to have the right tradeoffs because you need to not affect the productivity of the users adversely by doing these things because it's, you know, whether it is encryption, you're sacrificing some performance for protection, or whether it is multi-factor authentication, you know, all of those things are intended to add that friction into the system to make it difficult for attackers, but at the same time have the right balance that the user’s productivity is not affected.

Yeah, that's definitely what we saw. So yeah, we have a paper available, about an 11 page paper. I have a copy of it right here available and that will be available on the Futurum Group's website as well as Dell Info Hub. So you can find out more details about all this and welcome anybody's questions or feedback. So we love to hear from our IT user community, so I'll close it out for myself, and Deepak and Brett, I'll let you say any final thoughts that you have.

Yeah. Yeah. Well, thanks for having me here for this discussion. This has been a great discussion. Just talking about where things are in security and really we just look forward to continuing this partnership and what future products will continue to bring to users.

Yeah, that's great. Deepak, any follow up thoughts?

Sure. I just want to close by saying, you know, Dell Technologies, we’re investing heavily to make security simple and easy for customers, we don't want it to become a burden where you have to go figure out how to hire experts for every single organization to be able to make products secure. We want it to be simple, right? And that's something we're heavily focused on, making our products foundationally secure and secure by design. It was really great chatting with you both, you know, hearing Brett's perspective, that's always interesting to hear from other experts in the industry. Thank you for having me. This is a great chance to discuss all of these great topics.

Yeah, I think people will find this highly interesting because obviously servers are one of the primary targets within organizations, right? So if you want to start with security, that's a great place to start. And a lot of these tools that we mentioned are just built into the systems now. The secure by design actually means something, right? So it's designed in, they're available and it's integrated throughout the management stack from, you know, iDRAC to OME to CloudIQ. It encompasses all the add-in cards from Broadcom. So it's a pretty holistic viewpoint for security. And I recommend people take a look at what's available. So we'll have more information available on our website and at the Dell Info Hub, and you can find links to the paper within this video. So I'm Russ Fellows from Futurum Group. Thanks. See you next time.

2024-04-23
