Post on 08-Jun-2020
Securing the
BY FRANK MOLSBERRY
Reactionary security add-ons that have been implemented piecemeal
are no match for increasingly sophisticated cyberthreats,
let alone today’s complex regulatory requirements. The Dell scalable
enterprise strategy enables integrated, end-to-end protection
using industry-standard data center components and
a unified management framework that is designed to be
inherently secure from the ground up.
8
Related Categories:
Data security
Enterprise security
Identity management
Regulatory compliance
Scalable enterprise
Security
Security software
Threat management
Visit www.dell.com/powersolutionsfor the complete category index.
DELL POWER SOLUTIONS ember 2006. Copyright © 2006 Dell Inc. All rights reserved. November 2006
FEATURE SECTION: SECURITY
In today’s globally internetworked enterprise, just one nasty e-mail
virus or one database breach has the power to launch a maelstrom
of cleanup, recovery, and damage control—not to mention the
furor that erupts over lost business, damage to reputation, and pos-
sible litigation. Afraid to risk negative publicity that could damage
business even further than the intrusion itself, many enterprises are
reluctant to report security breaches to law enforcement agencies. It
is small wonder that high-stakes cybercrime and the mushrooming
regulatory environment are driving companies to reach deep into
the corporate coffers to protect vital business interests.
For example, a joint study from the Computer Security Insti-
tute (CSI) and the Federal Bureau of Investigation (FBI) reported
that in 2006, firms with annual sales under US$10 million spent
an average of US$1,349 per employee on computer security—a
210 percent increase over the average per-employee expenditure
in 2005.1 While large companies are able to achieve economies
of scale, the same CSI/FBI study reported that organizations
with annual sales between US$10 million and US$99 million
1 2006 CSI/FBI Computer Crime and Security Survey, by the Computer Security Institute, i.cmpnet.com/gocsi/
db_area/pdfs/fbi/FBI2006.pdf.
www.dell.com/powersolutions Reprinted from Dell Power Solutions, November 2006. Copyright © 2006 Dell Inc. All rights reserved. DELL POWER SOLUTIONS 9
Enterprise
increased per-employee computer security expenditures by
327 percent compared to the previous year—to an average of
US$461 per employee in 2006.
Unfortunately, the plethora of security technologies and options
available today has created an extremely confusing situation for IT
organizations charged with securing the enterprise. But this much
is clear: reactionary security add-ons that have been implemented
piecemeal are no match for increasingly sophisticated cyberthreats,
let alone today’s complex regulatory environment. Dell is driving
an open, standards-based foundation for end-to-end protection that
is highly scalable. In this approach, the IT infrastructure is designed
to be inherently secure as it is deployed and scaled to meet evolving
business requirements.
Aligning security with business needs
The sheer number of current security offerings is staggering. In
addition to physical security measures such as asset tags, security
cameras, and fingerprint access mechanisms, methods to pro-
tect data and networks range from passwords and smart cards to
firewall and antivirus software, and from antispam software to
anomaly detection systems.
The problem is that these are typically ad hoc building blocks
that have been tacked onto systems as stopgap measures. Every day,
organizations are being bombarded with information about how to
respond to the latest threat, and they rarely have the opportunity
to step back and see the big picture—to develop sensible policies
for protecting business assets and to find cost-effective solutions for
meeting specific business needs.
The fragmented marketplace is especially challenging for small
businesses. Many simply do not have the expertise, resources, or
time to manage a patchwork of temporary add-ons that routinely
require integration, updating, and support. Yet these organizations
are still affected by regulatory requirements and the threat du jour,
and still must contend with competitive factors that affect how they
run their businesses.
Meanwhile, corporate scandals and widely publicized breaches
in data privacy have shaken consumer confidence on many fronts,
Checklist:
Proactive security measures
✔ Keep up with emerging government regulations. Even if they do not apply to a business today, they set the tone for what may be coming.
✔ Evaluate standards compliance of security solutions. Consider emerging security and management standards from organizations like the Distributed Management Task Force, OASIS (Organization for the Advancement of Structured Information Standards), and the Trusted Computing Group.
✔ Make security part of the design and development process. As OS and application providers evolve their development and update processes to enhance security solutions, the weakest link may be internally developed appli-cations. Every internally written and deployed application should be scrutinized for potential vulnerabilities.
✔ Remember the human element. People are usually the weakest link in the chain. Security solutions should be simple enough that people can easily use them. And although technology can help set and manage corporate policies, effective education and strong enforcement are also key elements in a security program.
DELL POWER SOLUTIONS Reprinted from Dell Power Solutions, November 2006. Copyright © 2006 Dell Inc. All rights reserved. November 200610
especially in regard to online transactions and electronic data
interchange. The question is, How can enterprises regain consumer
confidence in e-commerce and secure electronic transactions with
business partners and vendors while fortifying the all-important
IT foundation on which the enterprise is built?
Building a high-level security framework
Dell believes the answers lie in the cooperation of the computer
industry as a whole to categorically define and promote end-to-end
security that addresses every aspect of the IT environment. Build-
ing a high-level framework around security helps enterprises not
only to protect resources and identities, but also to provision and
manage hardware and software with built-in security components
simply and cost-effectively.
Moving forward, security must be inher-
ent in every aspect of the IT development
process, not an afterthought. Security com-
ponents should be built into each phase of
the life cycle—through design, manufactur-
ing, deployment, provisioning, and retire-
ment. Then, security becomes an integral
part of the preferred enterprise management
framework.
Furthermore, whether users are attached
through a home network, a corporate net-
work, or the Internet, the network and all
endpoints—including clients, servers, and
storage—must be able to self-monitor for
security exposures. In the near future, these
networks will likely be designed to avoid
reactive user events by updating, isolating,
or correcting themselves in an automated,
policy-based fashion. Once environments can
effectively police themselves, policies can be
established to validate users, systems, and
data as well as to define and enforce actions
and events.
That is the vision IT should be painting
today, but the path is not always clear. Dell
believes a phased approach, based on existing
and emerging standards, can provide the best
possible route to the secure destination. Figure 1
shows Dell’s pragmatic, phased approach to
securing the scalable enterprise.
Protecting mobile endpoints
As more users access the Internet and work-
forces become increasingly mobile, devices
such as notebooks and smartphones must be
able to move on and off the network easily while remaining secure
at all times. When a system reaches the end of its life, a user
changes roles, or information becomes outdated, assets must be
removed without risking the release of any personal information
or confidential data.
Dell is calling on the industry to design all hardware com-
ponents and software with a comprehensive, integrated level of
protection—throughout the hardware stack, the middleware, the
OS, and the applications. Today these elements exist in silos with
multiple security components tied to each, including network
appliances, anti virus, antispam, and identity management software
as well as access controls, auditing forensics for regulatory com-
pliance, and offline storage with additional encryption and life
cycle management.
FEATURE SECTION: SECURITY
2006–2008
Today
2008–2010
Tomorrow
2010–2012
Future
• •
•
•
•
•
• •
•
•
•
• •
•
•
•
• •
•
• •
• •
•
•
SECURITY MANAGEMENT
IDENTITY AND ACCESS
RESOURCE PROTECTION
SECURE PLATFORM
Figure 1. Planning the progression toward integrated, end-to-end security
www.dell.com/powersolutions Reprinted from Dell Power Solutions, November 2006. Copyright © 2006 Dell Inc. All rights reserved. DELL POWER SOLUTIONS 11
To achieve fully integrated protection, the industry must move
toward a standards-based management framework that facilitates
all security elements, including information life cycle management;
global policy setting; integration with directory services such as
Microsoft® Active Directory® and Novell® eDirectory™ directory
services; credential management; and federated identities, which
allow trusted credentials to be shared between organizations, com-
panies, or Web sites. And this framework must provide automated
ways of updating information, generating alerts, and establishing
autonomous control.
Facilitating the flow of information
A major step toward the goal of fully integrated protection is to put
all of the object information, the database information, and the infor-
mation flow from solution silos into a common format in a federated
repository, enabling communication among them. Then, each solu-
tion silo can plug into an overall enterprise management framework
where administrators can apply business policy rules and service-level
agreements to define actions and security policies.
Because business transactions today rely so heavily on third-party
solutions and information, it is also important that OS middleware
and application software be regularly updated. When a higher-level
management framework is in overall control, these updates can be
coordinated and scheduled to minimize user disruption. No one can
tolerate gaping holes in the enterprise, which is why Dell continues
to support low-level building-block architectures and standards for
security elements such as biometrics and smart cards as well as
standards for high-level management frameworks.
Dell is committed to developing a highly scalable, standards-
based architecture and solutions for end-to-end security. As a result
of Dell’s work with middleware, software, and virtualization provid-
ers and strong alliances with partners who offer state-of-the-industry
best practices, Dell™ hardware already integrates a variety of security
features. For example, a Trusted Platform Module (TPM) is included
in many Dell client systems for organizations that require security
solutions with multifactor authentication or hardware-backed secure
storage of digital keys, certificates, and passwords.
Laying the foundation with industry standards
Dell has assumed a leadership role in vendor-neutral standards
organizations such as the Trusted Computing Group (TCG). TCG
is developing specifications for trusted computing and security
technologies that are designed to make security inherent in every
aspect of the IT infrastructure as well as the overall management
framework—including hardware components and software inter-
face specifications across a range of platforms and operating
environments.2 For example, TCG specifications define, among
other things, the standards for creating TPMs, which are microcon-
trollers incorporated into computing devices to provide hardware
protection for security tasks and authentication information.
Dell is also working with industry standards bodies such as
the Distributed Management Task Force to define the various char-
acteristics of security objects so these objects can fit into large
management frameworks. This effort includes creating common
information flow formats for issues such as identity management
and vulnerability definitions.
By defining and creating common information schemas, security
objects and information can be shared among security solutions—
allowing organizations the flexibility to choose the most appropri-
ate application environment and management framework for their
particular business needs. In addition, Dell is creating a federated
repository model for flowing information outside the organization.
This model, which also integrates into the management framework,
can help ensure that electronic data interchange is protected.3
The recently announced Dell Unified Manageability Architec-
ture (UMA) is yet another example of Dell’s commitment to help
reduce security management complexity while helping ensure
the best possible protection. Figure 2 depicts UMA as part of a
broader security architecture that also includes other schemas
and scalable enterprise elements. UMA is designed to help enable
well-defined, widely accepted systems management standards that
promote interoperability and flexibility in enterprise computing
environments. The layered design of UMA has built-in security
management so that security objects can be fully integrated into
systems management tools.4
2 For more information about TCG initiatives, see “Enhancing IT Security with Trusted Computing Group Standards,” by Frank Molsberry and Brian Berger, in Dell Power Solutions, November 2006, www.dell.com/downloads/
global/power/ps4q06-20070160-TCG.pdf.
3 For more information, see “Dell Scalable Enterprise Architecture,” by Jimmy Pike and Tim Abels, Dell Inc., August 2005, www.dell.com/downloads/global/vectors/2005_scalable_enterprise.pdf.
4 For more information, see “Dell Unified Manageability Architecture: Blueprint for an Open Management Framework,” by Winston Bumpus, in the Dell OpenManage Newsletter, Dell Power Solutions, November 2006,
www.dell.com/downloads/global/power/ps4q06-20070141-OpenManageNews.pdf. To learn about the Dell UMA specification and implementation examples, visit www.dell.com/standards.
FEATURE SECTION: SECURITY
“We can’t solve problems by using the same kind of thinking we used when we created them.”
—Albert Einstein
DELL POWER SOLUTIONS Reprinted from Dell Power Solutions, November 2006. Copyright © 2006 Dell Inc. All rights reserved. November 200612
An additional example of how Dell is advancing security through
standards is the Dell Secure Exchange Reference Architecture.5 This
architecture comprises industry-standard components that can
help provide data protection and security for Microsoft Exchange
messaging environments. Dell Secure Exchange solutions incorpo-
rate Dell hardware and Symantec security software to help support
and protect the Exchange application platform.
Advancing toward self-policing, plug-and-play security
Stand-alone security functions are being phased out by a network-
oriented approach in which security objects become part of overall
management policies governing the IT infrastructure. To that end,
Dell is playing an industry-leading role by actively participating in
the development of security technology standards, building security-
enabled platforms, and forging strategic partnerships to advance
integrated, end-to-end security solutions.
At the end of the day, however, it is still important for admin-
istrators to remember that as the computer industry strives toward
inherently secure solutions, other weak links in the chain cannot
be overlooked. The human aspect—disgruntled employees, lack of
security education, lack of security policies and enforcement, or
poorly tested internal code and software—presents significant risks
and is an equally important part of the security equation.
Most security experts agree that cybercrime is here to stay
and the threats will only become more sophisticated and poten-
tially more detrimental. However, Dell’s initiative to push forward
with standards-based architectures for managed security is
designed to reduce the complexity and confusion of protecting
against these threats.
Frank Molsberry is the lead security technologist in the office of the chief
technology officer at Dell, and serves as the Dell representative to TCG. He
has more than 20 years of experience in advanced systems software devel-
opment and PC system architectures. Frank is a member of the Computer
Security Institute and has a B.A. in Computer Science from the University
of Texas at Austin.
Trusted third partiesTT
(RSA Security, VeriSign,
Microsoft, Dell)
Enterprise
management
framework
(CA, IBM,
BMC)
Business policies
(compliance, service-
level agreements)
Domain management
(Symantec, McAfee)
Federateddatabases
(identity objects)
Scalable Enterprise
Resource Directory
(SERD) federation
Common schemas
(Common Information
Model)
Com
pliance
Forensics
Audits
Applications
Access m
anagement
Encryption
Information life cycle m
anagement
Storage
Antivirus
Intrusion detection system/
intrusion prevention system
Anom
aly detection
Appliances
Identity managem
ent
Integrated rights managem
entServers
Anti-spyw
are
Identity managem
ent
Clients
Internet
Firewall
Antivirus
Firewall
Antivirus
Firewall
StorageAppliancesServersClients
Unified Manageability Architecture
Commoninformation
formats
(Open
Authentication
[OATH],AA
Common
Vulnerabilities
and Exposures
[CVE], Open
Vulnerability
and Assessment
Language
[OVALVV ] )
Figure 2. Creating a standards-based model enabling inherent security within a unified management framework
FOR MORE INFORMATION
Dell security solutions:
www.dell.com/security
FEATURE SECTION: SECURITY
5 For more information, see “Implementing the Dell Secure Exchange Reference Architecture,” by Suman Kumar Singh and Bharath Vasudevan, Dell Power Solutions, November 2006, www.dell.com/downloads/global/power/
ps4q06-20060452-Singh.pdf.