FEATURE SECTION: SECURITY · coordinated and scheduled to minimize user disruption. No one can...


Securing the Enterprise

BY FRANK MOLSBERRY

Reactionary security add-ons that have been implemented piecemeal are no match for increasingly sophisticated cyberthreats, let alone today’s complex regulatory requirements. The Dell scalable enterprise strategy enables integrated, end-to-end protection using industry-standard data center components and a unified management framework that is designed to be inherently secure from the ground up.


Related Categories:

Data security

Enterprise security

Identity management

Regulatory compliance

Scalable enterprise

Security

Security software

Threat management

Visit www.dell.com/powersolutions for the complete category index.

Reprinted from Dell Power Solutions, November 2006. Copyright © 2006 Dell Inc. All rights reserved.

FEATURE SECTION: SECURITY

In today’s globally internetworked enterprise, just one nasty e-mail virus or one database breach has the power to launch a maelstrom of cleanup, recovery, and damage control—not to mention the furor that erupts over lost business, damage to reputation, and possible litigation. Afraid to risk negative publicity that could damage business even further than the intrusion itself, many enterprises are reluctant to report security breaches to law enforcement agencies. It is small wonder that high-stakes cybercrime and the mushrooming regulatory environment are driving companies to reach deep into the corporate coffers to protect vital business interests.

For example, a joint study from the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) reported that in 2006, firms with annual sales under US$10 million spent an average of US$1,349 per employee on computer security—a 210 percent increase over the average per-employee expenditure in 2005.¹ While large companies are able to achieve economies of scale, the same CSI/FBI study reported that organizations with annual sales between US$10 million and US$99 million increased per-employee computer security expenditures by 327 percent compared to the previous year—to an average of US$461 per employee in 2006.

1 2006 CSI/FBI Computer Crime and Security Survey, by the Computer Security Institute, i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf.

Unfortunately, the plethora of security technologies and options available today has created an extremely confusing situation for IT organizations charged with securing the enterprise. But this much is clear: reactionary security add-ons that have been implemented piecemeal are no match for increasingly sophisticated cyberthreats, let alone today’s complex regulatory environment. Dell is driving an open, standards-based foundation for end-to-end protection that is highly scalable. In this approach, the IT infrastructure is designed to be inherently secure as it is deployed and scaled to meet evolving business requirements.

Aligning security with business needs

The sheer number of current security offerings is staggering. In addition to physical security measures such as asset tags, security cameras, and fingerprint access mechanisms, methods to protect data and networks range from passwords and smart cards to firewall and antivirus software, and from antispam software to anomaly detection systems.

The problem is that these are typically ad hoc building blocks that have been tacked onto systems as stopgap measures. Every day, organizations are being bombarded with information about how to respond to the latest threat, and they rarely have the opportunity to step back and see the big picture—to develop sensible policies for protecting business assets and to find cost-effective solutions for meeting specific business needs.

The fragmented marketplace is especially challenging for small businesses. Many simply do not have the expertise, resources, or time to manage a patchwork of temporary add-ons that routinely require integration, updating, and support. Yet these organizations are still affected by regulatory requirements and the threat du jour, and still must contend with competitive factors that affect how they run their businesses.

Meanwhile, corporate scandals and widely publicized breaches in data privacy have shaken consumer confidence on many fronts, especially in regard to online transactions and electronic data interchange. The question is, How can enterprises regain consumer confidence in e-commerce and secure electronic transactions with business partners and vendors while fortifying the all-important IT foundation on which the enterprise is built?

Checklist: Proactive security measures

✔ Keep up with emerging government regulations. Even if they do not apply to a business today, they set the tone for what may be coming.

✔ Evaluate standards compliance of security solutions. Consider emerging security and management standards from organizations like the Distributed Management Task Force, OASIS (Organization for the Advancement of Structured Information Standards), and the Trusted Computing Group.

✔ Make security part of the design and development process. As OS and application providers evolve their development and update processes to enhance security solutions, the weakest link may be internally developed applications. Every internally written and deployed application should be scrutinized for potential vulnerabilities.

✔ Remember the human element. People are usually the weakest link in the chain. Security solutions should be simple enough that people can easily use them. And although technology can help set and manage corporate policies, effective education and strong enforcement are also key elements in a security program.

Building a high-level security framework

Dell believes the answers lie in the cooperation of the computer industry as a whole to categorically define and promote end-to-end security that addresses every aspect of the IT environment. Building a high-level framework around security helps enterprises not only to protect resources and identities, but also to provision and manage hardware and software with built-in security components simply and cost-effectively.

Moving forward, security must be inherent in every aspect of the IT development process, not an afterthought. Security components should be built into each phase of the life cycle—through design, manufacturing, deployment, provisioning, and retirement. Then, security becomes an integral part of the preferred enterprise management framework.

Furthermore, whether users are attached through a home network, a corporate network, or the Internet, the network and all endpoints—including clients, servers, and storage—must be able to self-monitor for security exposures. In the near future, these networks will likely be designed to avoid reactive user events by updating, isolating, or correcting themselves in an automated, policy-based fashion. Once environments can effectively police themselves, policies can be established to validate users, systems, and data as well as to define and enforce actions and events.

That is the vision IT should be painting today, but the path is not always clear. Dell believes a phased approach, based on existing and emerging standards, can provide the best possible route to the secure destination. Figure 1 shows Dell’s pragmatic, phased approach to securing the scalable enterprise.

Protecting mobile endpoints

As more users access the Internet and workforces become increasingly mobile, devices such as notebooks and smartphones must be able to move on and off the network easily while remaining secure at all times. When a system reaches the end of its life, a user changes roles, or information becomes outdated, assets must be removed without risking the release of any personal information or confidential data.

Dell is calling on the industry to design all hardware components and software with a comprehensive, integrated level of protection—throughout the hardware stack, the middleware, the OS, and the applications. Today these elements exist in silos with multiple security components tied to each, including network appliances, antivirus, antispam, and identity management software as well as access controls, auditing forensics for regulatory compliance, and offline storage with additional encryption and life cycle management.

[Figure 1. Planning the progression toward integrated, end-to-end security. Phases shown: 2006–2008 (Today), 2008–2010 (Tomorrow), 2010–2012 (Future). Labels: Security management, Identity and access, Resource protection, Secure platform.]

To achieve fully integrated protection, the industry must move toward a standards-based management framework that facilitates all security elements, including information life cycle management; global policy setting; integration with directory services such as Microsoft® Active Directory® and Novell® eDirectory™ directory services; credential management; and federated identities, which allow trusted credentials to be shared between organizations, companies, or Web sites. And this framework must provide automated ways of updating information, generating alerts, and establishing autonomous control.

Facilitating the flow of information

A major step toward the goal of fully integrated protection is to put all of the object information, the database information, and the information flow from solution silos into a common format in a federated repository, enabling communication among them. Then, each solution silo can plug into an overall enterprise management framework where administrators can apply business policy rules and service-level agreements to define actions and security policies.

Because business transactions today rely so heavily on third-party solutions and information, it is also important that OS middleware and application software be regularly updated. When a higher-level management framework is in overall control, these updates can be coordinated and scheduled to minimize user disruption. No one can tolerate gaping holes in the enterprise, which is why Dell continues to support low-level building-block architectures and standards for security elements such as biometrics and smart cards as well as standards for high-level management frameworks.

Dell is committed to developing a highly scalable, standards-based architecture and solutions for end-to-end security. As a result of Dell’s work with middleware, software, and virtualization providers and strong alliances with partners who offer state-of-the-industry best practices, Dell™ hardware already integrates a variety of security features. For example, a Trusted Platform Module (TPM) is included in many Dell client systems for organizations that require security solutions with multifactor authentication or hardware-backed secure storage of digital keys, certificates, and passwords.

Laying the foundation with industry standards

Dell has assumed a leadership role in vendor-neutral standards organizations such as the Trusted Computing Group (TCG). TCG is developing specifications for trusted computing and security technologies that are designed to make security inherent in every aspect of the IT infrastructure as well as the overall management framework—including hardware components and software interface specifications across a range of platforms and operating environments.² For example, TCG specifications define, among other things, the standards for creating TPMs, which are microcontrollers incorporated into computing devices to provide hardware protection for security tasks and authentication information.

Dell is also working with industry standards bodies such as the Distributed Management Task Force to define the various characteristics of security objects so these objects can fit into large management frameworks. This effort includes creating common information flow formats for issues such as identity management and vulnerability definitions.

By defining and creating common information schemas, security objects and information can be shared among security solutions—allowing organizations the flexibility to choose the most appropriate application environment and management framework for their particular business needs. In addition, Dell is creating a federated repository model for flowing information outside the organization. This model, which also integrates into the management framework, can help ensure that electronic data interchange is protected.³

The recently announced Dell Unified Manageability Architecture (UMA) is yet another example of Dell’s commitment to help reduce security management complexity while helping ensure the best possible protection. Figure 2 depicts UMA as part of a broader security architecture that also includes other schemas and scalable enterprise elements. UMA is designed to help enable well-defined, widely accepted systems management standards that promote interoperability and flexibility in enterprise computing environments. The layered design of UMA has built-in security management so that security objects can be fully integrated into systems management tools.⁴

2 For more information about TCG initiatives, see “Enhancing IT Security with Trusted Computing Group Standards,” by Frank Molsberry and Brian Berger, in Dell Power Solutions, November 2006, www.dell.com/downloads/global/power/ps4q06-20070160-TCG.pdf.

3 For more information, see “Dell Scalable Enterprise Architecture,” by Jimmy Pike and Tim Abels, Dell Inc., August 2005, www.dell.com/downloads/global/vectors/2005_scalable_enterprise.pdf.

4 For more information, see “Dell Unified Manageability Architecture: Blueprint for an Open Management Framework,” by Winston Bumpus, in the Dell OpenManage Newsletter, Dell Power Solutions, November 2006, www.dell.com/downloads/global/power/ps4q06-20070141-OpenManageNews.pdf. To learn about the Dell UMA specification and implementation examples, visit www.dell.com/standards.

“We can’t solve problems by using the same kind of thinking we used when we created them.”

—Albert Einstein

An additional example of how Dell is advancing security through standards is the Dell Secure Exchange Reference Architecture.⁵ This architecture comprises industry-standard components that can help provide data protection and security for Microsoft Exchange messaging environments. Dell Secure Exchange solutions incorporate Dell hardware and Symantec security software to help support and protect the Exchange application platform.

Advancing toward self-policing, plug-and-play security

Stand-alone security functions are being phased out by a network-oriented approach in which security objects become part of overall management policies governing the IT infrastructure. To that end, Dell is playing an industry-leading role by actively participating in the development of security technology standards, building security-enabled platforms, and forging strategic partnerships to advance integrated, end-to-end security solutions.

At the end of the day, however, it is still important for administrators to remember that as the computer industry strives toward inherently secure solutions, other weak links in the chain cannot be overlooked. The human aspect—disgruntled employees, lack of security education, lack of security policies and enforcement, or poorly tested internal code and software—presents significant risks and is an equally important part of the security equation.

Most security experts agree that cybercrime is here to stay and the threats will only become more sophisticated and potentially more detrimental. However, Dell’s initiative to push forward with standards-based architectures for managed security is designed to reduce the complexity and confusion of protecting against these threats.

Frank Molsberry is the lead security technologist in the office of the chief technology officer at Dell, and serves as the Dell representative to TCG. He has more than 20 years of experience in advanced systems software development and PC system architectures. Frank is a member of the Computer Security Institute and has a B.A. in Computer Science from the University of Texas at Austin.

[Figure 2. Creating a standards-based model enabling inherent security within a unified management framework. Diagram labels: Trusted third parties (RSA Security, VeriSign, Microsoft, Dell); Enterprise management framework (CA, IBM, BMC); Business policies (compliance, service-level agreements); Domain management (Symantec, McAfee); Federated databases (identity objects); Scalable Enterprise Resource Directory (SERD) federation; Common schemas (Common Information Model); Common information formats (Open Authentication [OATH], Common Vulnerabilities and Exposures [CVE], Open Vulnerability and Assessment Language [OVAL]); Unified Manageability Architecture; Storage, Appliances, Servers, Clients; Internet. Security functions shown: compliance, forensics, audits, access management, encryption, information life cycle management, antivirus, intrusion detection system/intrusion prevention system, anomaly detection, identity management, integrated rights management, anti-spyware, firewall.]

FOR MORE INFORMATION

Dell security solutions: www.dell.com/security

5 For more information, see “Implementing the Dell Secure Exchange Reference Architecture,” by Suman Kumar Singh and Bharath Vasudevan, Dell Power Solutions, November 2006, www.dell.com/downloads/global/power/ps4q06-20060452-Singh.pdf.