How Secure is your Server? Key Things To Consider For Building A Safe, Robust IT Infrastructure
Mukund Khatri, Sr. Distinguished Engineer / VP Server & Infrastructure Solutions
Rick Hall, Sr. Product Planning Manager, Server & Infrastructure Solutions
Navigating Cyber-Risk is as challenging as ever
- Most businesses vulnerable to cyber attacks through firmware, study shows.
- More than 100 malwares searching for Spectre & Meltdown vulnerabilities.
- 13 flaws found in AMD processors, AMD given little warning
- New SCADA Flaws Allow Ransomware, Other Attacks
- City of Atlanta Hit with Ransomware Attack
- New malware increased by 10% in Q3, to a record high of 57.6 million samples.
- Malware-as-a-Service and the affordability of spam botnets (as low as $200 USD per million messages) provide criminals with a low barrier of entry.
Enterprises struggle to manage security
Business IT Security
- Data everywhere
- High impact breaches
- Increasing privacy regulations
- Rising risks and costs
- 3 in 4 say security is retrofitted
- 75: Avg. number of security tools
- 3.5M: Security talent shortage by 2021
At stake: Trust and confidence
Security ranks highest in server purchasing criteria
Overall Rank - When it comes to evaluating the purchase of server infrastructure, what are the three most important selection criteria for your organization? N=301
*Hardware includes BIOS and Firmware.
Others include:
- Past experience with products
- Certified support for specific workloads/applications
- Speed of deployment
- Power requirements
Source: Value of Secure Server Infrastructure Web Survey 2018, IDC, February, 2018
Security must comprehend server infrastructure
- Cloud
- Continued focus & $$$
- Firewall
- Applications
- Server Platform Design is as critical as OS and Applications
- Often overlooked + Persistent & Stealthy
- Hypervisor / OS
- Firmware (BIOS, BMC, HDD, ME)
- Hardware
- Platform design
Designing security for server platforms is complex
- Physical Security: Locks, Ports, Intrusion Detect
- Secure Decommissioning - Server & Data
- Data Protection: At-Rest & In-flight
- Conformance to TCG, DMTF, NIST, other Standards
- Role-based Access Control
- Resilient Firmware Architecture
- Audit Logging & Alerting
- Robust Security Development Lifecycle, Supply Chain Assurance
- Centralized Vulnerability & Patch Management
- New Silicon features: CPU / Chipset, IO Devices / FPGA
Security Needs to be Built-in, Not Bolted-on
Cyber Resilient Architecture in PowerEdge servers
- EFFECTIVE PROTECTION
- RELIABLE DETECTION
- RAPID RECOVERY
Secure Firmware Updates: NIST Guidelines
Firmware is an attractive target!
- Stealthy
- Persistent
- Powerful
- Opportunistic
- Challenging to Secure
Dell EMC Server Firmware: CPU/Chipset, BMC, BIOS, NICs, CPLD, PSUs, FC HBAs, Storage Controller, Storage Drives
NIST guidelines: NIST SP800-147B, NIST SP800-193 (draft)
PowerEdge Secure Boot: Silicon Root of Trust
[Diagram: Conceptual iDRAC9 Boot Process]
Boot-up lifecycle: iDRAC9 Immutable Silicon RoT ROM -> V -> iDRAC9 Boot Block / U-Boot -> V -> iDRAC9 Linux & Applications
- Monitor
- Cryptographic Update
- Fused-in Public Key
- Recover to N image on any V-failure
- Config Lockdown
- Drift Detection
End to End cryptographic verification of server firmware is critical
PowerEdge Secure Boot & Platform Resiliency
[Diagram: Conceptual Server Boot Process]
- OS extends Chain of Trust
- Maintenance: Crypto Signed FW Update
- UEFI Secure Boot
- BIOS Boot Block Code
- CPU Domain H/W Root of Trust
- Verification for Option ROMs
- Rest of the BIOS Code
- Verify OS Boot Loader
- Rapid Recovery: Cyber Resilient BIOS Recovery, Configuration Recovery, Rapid OS Recovery
End to End cryptographic verification of server firmware is critical
Innovations to protect your business

System Lockdown / Drift Detection
- Virtual lock for preventing server configuration or firmware changes
- Alternative is to monitor and alert on changes (Drift Detection)

Hardware Root of Trust
- An immutable silicon-based root of trust to securely boot iDRAC and BIOS firmware
- Rapid recovery to a trusted image when authentication fails

Secure Default Password
- Guards against inadvertent exposure of new iDRACs on unprotected networks
- Encourages stronger password policies (rather than the tendency to use generic default passwords)

Dynamic USB Port Enable
- Allows the USB port to be disabled for normal operation in secure environments
- Can be unlocked dynamically via iDRAC authentication when needed, without rebooting the server

OS Image Rapid Recovery
- Allows booting of a trusted backup OS image stored in hidden, protected storage

System Erase
- Quickly and securely erase internal server storage devices including HDD, SSD, and NVMe drives
- Wipe all user configuration and log file information
Automate Deployment of Server Security Policies with OpenManage
Easily automate security policies for your server infrastructure
Intelligent automation at your fingertips
- Powerful automation APIs like our iDRAC RESTful API with Redfish
- iDRAC with Lifecycle Controller
- OpenManage Enterprise management console
- Deep integrations with consoles like Microsoft System Center or VMware vCenter
- Plug and play Zero Touch automation
Script Automation GUI
Examples of Securing Server Operations
DEPLOY / UPDATE / MAINTAIN / MONITOR
- Employ LDAP or AD for user & role authorization
- Customize the iDRAC log-on security notice
- Restrict users to a specific IP range
- Dell EMC signed firmware updates
- Use System Lockdown to prevent unwanted or malicious changes to firmware
- Use System Erase to securely wipe all user data from drives and non-volatile memory
- Use the iDRAC Direct dedicated USB port to locally remediate server or OS issues
- Alert for configuration or firmware changes
- Use SNMP v3 or Redfish eventing
- Monitor for chassis intrusion events
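
A sketch of the drift detection named under "System Lockdown / Drift Detection" and under "Alert for configuration or firmware changes" above, added here as an example and not Dell EMC code: it compares a recorded baseline of firmware versions and settings with a later snapshot and reports each difference. The component names, versions, setting names and helper names are constructed for illustration; in practice the snapshots would be collected from the server's management interface.

```python
import hashlib
import json

# Constructed sample snapshots: names and versions are illustrative only,
# not read from a real server.
BASELINE = {
    "firmware": {"BIOS": "1.4.9", "BMC": "3.21.21", "NIC.Slot.1": "18.5.17"},
    "config": {"SecureBoot": "Enabled", "FrontUSB": "Disabled", "SNMPVersion": "v3"},
}
CURRENT = {
    "firmware": {"BIOS": "1.4.9", "BMC": "3.18.00", "NIC.Slot.1": "18.5.17",
                 "FPGA.Slot.2": "0.9.1"},
    "config": {"SecureBoot": "Enabled", "FrontUSB": "Enabled"},
}

def fingerprint(snapshot):
    """SHA-256 over a canonical encoding, so the stored baseline can itself be checked."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def detect_drift(baseline, current):
    """Return sorted (section, key, kind, expected, observed) tuples for every difference."""
    findings = []
    for section in sorted(set(baseline) | set(current)):
        want, have = baseline.get(section, {}), current.get(section, {})
        for key in sorted(set(want) | set(have)):
            if key not in have:
                findings.append((section, key, "removed", want[key], None))
            elif key not in want:
                findings.append((section, key, "added", None, have[key]))
            elif want[key] != have[key]:
                findings.append((section, key, "changed", want[key], have[key]))
    return findings

def check(baseline, baseline_digest, current):
    """Refuse to compare against a baseline that no longer matches its recorded digest."""
    if fingerprint(baseline) != baseline_digest:
        raise ValueError("baseline was modified since it was recorded")
    return detect_drift(baseline, current)

if __name__ == "__main__":
    recorded = fingerprint(BASELINE)  # stored when the baseline is approved
    for finding in check(BASELINE, recorded, CURRENT):
        print("DRIFT", *finding)
```

A firmware version that moves backwards, a setting that disappears and a component that was never in the baseline are all reported, which is why the comparison walks the union of keys rather than only the baseline's.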
Rapid, timely response to new CVEs is critical
- Common Vulnerabilities and Exposures (CVEs) are newly discovered gaps in software cybersecurity
- CVEs can occur due to new vulnerabilities in several aspects of remote server management
- Dell EMC works aggressively to quickly respond to new CVEs
Emerging Technologies Bring New Security Challenges
- EDGE Servers: Devices with downloadable code
- Software Defined Datacenter: Running networking on standard x86 servers
- Cloud Computing: Governance boundary; Trusted hardware in the cloud
Dell EMC Servers best positioned to tackle emerging threats
Security Transformation Portfolio Strategy
- UNIFIED: Business Risk Management
- TRUSTED: Expert Advisory Services
- ADAPTABLE: Advanced Security Operations
- RESILIENT: Secure Modern Infrastructure
Key Takeaways
- Security of the Server Infrastructure Matters!
- New class of attacks targeting your server infrastructure
- Dell EMC PowerEdge servers provide industry leading security capabilities to protect against these new threats
- Dell EMC is your trusted partner to provide the secure foundation for your enterprise & cloud
Dell EMC PowerEdge Servers are the Bedrock of Modern Datacenter
PowerEdge Server Tech Track Sessions
(Code: Session Title. Times. Locations.)
- Server.01: The Eye on AI: Demystifying Deep Learning, Machine Learning and In-Database Acceleration with PowerEdge. Times: Tuesday 8:30 AM, Thursday 11:00 AM. Locations: Palazzo L, Palazzo K.
- Server.02: The 4 Things You Need To Know Before Building Your AI Or Analytics Solution. Times: Monday 3:00 PM, Wednesday 8:30 AM. Locations: Murano 3205, Palazzo P.
- Server.03: How Secure Is Your Server? Key Things To Consider For Building A Safe, Robust IT Infrastructure. Times: Tuesday 1:30 PM, Wednesday 12:00 PM. Locations: Palazzo N, Palazzo K.
- Server.04: Get The Competitive EDGE: How To Transform Infrastructure At The Edge. Times: Monday 1:30 PM, Wednesday 8:30 AM. Locations: Lando 4205, Palazzo I.
- Server.05: Discover How To Increase Data Center Infrastructure Agility With Gen-Z & Modular Server Platforms. Times: Tuesday 3:00 PM, Thursday 8:30 AM. Locations: Lando 4201A, Lido 3001A.
- Server.06: Best Practices of OpenManage Enterprise - Modernize your Infrastructure Management. Times: Tuesday 12:00 PM, Thursday 11:30 AM. Locations: Delfino 4005, Lido 3003.
- Server.07: Explore The Possibilities Of Machine Learning For Your Organization. Times: Tuesday 3:00 PM, Thursday 11:30 AM. Locations: Palazzo P, Lido 3001A.
- Server.08: Simplify Your Server Lifecycle Management. Times: Monday 12:00 PM, Wednesday 3:00 PM. Locations: Marco Polo 701, Palazzo N.
- Server.09: Hidden Secrets To A Transformed Data Center. Times: Tuesday 8:30 AM, Thursday 1:00 PM. Locations: Lando 4203, Lando 4201A.
- SAB.05: Pivotal & Dell EMC Guide To Containers & Microservices: Future Server Platforms For "Serverless" Computing. Times: Wednesday 3:00 PM, Thursday 11:30 PM. Locations: Palazzo O, San Polo 3405.
- SAB.06: Best Practices In Managing Dell EMC PowerEdge Servers & VMware. Times: Monday 8:30 AM, Wednesday 1:30 PM. Locations: Lando 4205, Lido 3003.