Sponsored by: Lenovo
Authors: Robert Ayoub, Sean Pike
December 2017
IN THIS WHITE PAPER
This IDC white paper explores the potential threats faced by IT departments as they evaluate products entering the enterprise. It also illustrates the need for security throughout the entire supply chain and describes steps vendors should take to secure the supply chain. In particular, this paper examines how managing external development and supplier security can enhance the overall security of all devices, passing that security on to the IT buyer. It also discusses how Lenovo manages its own product development and supply chain and maintains security standards that allow the company to meet even the most stringent requirements of the U.S. federal government (a key Lenovo customer). Finally, it refutes the unfounded claims about Lenovo and Lenovo products that many competitors have used as a marketing tactic.
In July 2015, a very disturbing article and video illustrated the failure of security through the supplier life cycle. Reported in Wired magazine, the article described in detail the ability of a potential attacker to control and ultimately paralyze an operating vehicle on the freeway. The two security researchers who conducted the hacking exercise found vulnerabilities in several vehicle components, including the entertainment system and cellular data connection.
This attack illustrated the damage that can occur via weaknesses in OEM components. Even though Fiat Chrysler (the vehicle manufacturer) was not the builder of the vulnerable components, ultimately the responsibility (and expense) for recalling and patching the 140 million vehicles, along with the negative public perception, fell on its shoulders. Customers — who felt the brunt of the impact — are concerned about the security of the products they buy, and manufacturers must scrutinize their suppliers.
A parallel to IT departments might be the following: A supplier fails to monitor the supply chain closely, and BIOS-level malware is shipped as part of an order of servers. A large customer, say a retailer, places these devices in its datacenter. While the retailer may have appropriate controls in place, these new infected machines automatically bypass all security controls, and the rootkit is extremely difficult to detect. Ultimately, the rootkit causes significant losses for the organization, which will then pursue its vendor for losses.
Scrutinizing the suppliers is not trivial and requires a dedicated and organized effort on the part of the vendor. Suppliers may feel that the extra scrutiny is unwarranted, shows a lack of trust, or is an infringement on the trade secrets of the suppliers. Vendors must find ways to perform audits and set standards that validate the security of the system while protecting the intellectual property of the suppliers. At the end of the day, the security of the customer (the IT buyer) is paramount and is beneficial to all parties.
Programs that vendors should establish with their suppliers include, but are not limited to:
- Conducting unannounced audits of facilities
- Putting controls in place that protect supplier components from overwriting other system components
- Developing threat research capabilities to detect and alert on potential attacks against products
IDC recognizes that every supplier relationship is unique and that some suppliers may warrant more or less scrutiny than others. Vendors need to understand the level of risk they are comfortable accepting with every supplier and determine how they can minimize the security risk to the customer across the entire product.
To ensure a secure supply chain, some server vendors audit and validate that their suppliers adhere to a baseline of requirements. By auditing and validating their suppliers' security, a server vendor can both improve the security of its products and deliver a level of comfort to partners, affiliates, and customers, ensuring that they are not blindly accepting third-party components. Ultimately, this leads to the following benefits for the IT buyer:
- Improves the overall code base, ensures continuous validation, and confirms updates — all of which establish and maintain a chain of trust for upper-layer software and applications
- Prevents unauthorized changes (that could interrupt operations) by signing code, controlling administrative changes, and verifying all changes and updates
- Reduces audit and compliance problems by using trusted administrative privileges, full-disk hardware-level encryption, key management, secure firmware, and rigorous security testing
- Enables security by default, which provides additional protection, closes "vulnerability windows" opened by manual security processes, and improves datacenter reliability
State of the Industry Today
Generally speaking, most IT buyers have little insight into the development of the products they use. They must assume that the device manufacturer is taking the appropriate steps to ensure the security of the final products. Unlike the automotive industry, some server vendors have addressed security in a coordinated way and continue to do so; however, this is not true of all vendors. The best care very deeply about securing their supply chains, the interoperability of server components and, most importantly, the security of IT buyers.
The more transparent and thorough a vendor can be about its methods of securing its systems, the more trust that vendor can build with customers. There was a time when even the description of security controls was considered a secret — the thought being that if attackers knew the controls, they could get around them. However, in today's security-conscious landscape, helping customers understand the steps that their vendors are taking to ensure the security of the products they use can be a competitive advantage.
Why Customers Should Consider Lenovo
Lenovo is a multibillion-dollar global manufacturer of enterprise servers. In 2014, Lenovo acquired IBM’s x86 server division and merged it with its own. Along with IBM’s renowned enterprise-class technologies, the acquisition also included the personnel and testing/manufacturing facilities of that division. According to Lenovo, the company’s multifaceted approach to server security differentiates the company from other companies in the x86 market.
As soon as the agreement was announced, some competitors began a campaign of fear, uncertainty, and doubt (FUD), hoping to scare potential customers away from Lenovo. They made a number of unfounded claims that repeatedly have been proven false.
One such claim is that Lenovo has been banned from consideration as a U.S. government supplier due to security concerns. This is not true today and never has been true. In fact, as part of the company's acquisition of IBM's System x group, Lenovo underwent a stringent review by the Committee on Foreign Investment in the United States (CFIUS). Lenovo agreed to maintain and enhance the rigorous development, supply chain processes, and controls used by IBM. Lenovo also agreed to allow the U.S. government (USG) and independent auditors to audit these processes at any time, creating what Lenovo believes to be the most transparent, auditable, and secure supply chain in the server industry. In the three years since the acquisition, Lenovo has passed every security audit conducted by both the USG and independent auditors. (In contrast, competitors are not subject to governmental oversight, providing little transparency into their security processes.)
As a result, not only is Lenovo able to sell to the United States federal government — as well as all state and local governments — but Lenovo may bid (and has bid) on national security contracts for Air Force One, NASA, the Pentagon, and others.
In addition, Lenovo maintains business processes and policies (discussed in the sections that follow) designed to enhance security and mitigate risks.
U.S. Federal Government CFIUS Agreements
The IBM System x acquisition was Lenovo's fifth CFIUS approval. Other acquisitions that required CFIUS approval included IBM's PC Division, Stoneware Inc., EMC's Iomega subsidiary, and Motorola Mobility. In each case, the acquisition was approved by the U.S. government, and Lenovo continued to deliver products that maintain the same level of rigor as before the acquisition.
Trusted Supplier Lists (TSLs)
Lenovo sources components only from trusted suppliers who have undergone auditing for compliance with Lenovo’s strict security requirements. Lenovo’s security and supply experts periodically audit suppliers over time. Those that continue to underperform can be — and some have been — removed from the TSLs.
Incident Response Team
Lenovo maintains a Product Security Incident Response Team (PSIRT) that responds to vulnerabilities reported or discovered in products. This team has several mandates, including:
- Publishing product security advisories for customers
- Coordinating with internal business units and the industry to ensure clear direction and communication
- Negotiating disclosure timelines and plans with researchers and coordination centers
- Engaging with external PSIRTs to establish and promote best practices for handling security vulnerabilities
Secure Software Development Life Cycle
Lenovo developed a secure life-cycle development process to validate that software has no known backdoors, malware, or other vulnerabilities. In addition, Lenovo conducts rigorous testing of third-party software that is installed on products.
Building in Security from Design to Manufacturing to Deployment
When Lenovo merged its ThinkSystem technologies with the former IBM System x technologies, it took the best features (including security) of both product lines and designed a whole product line from the ground up with security in mind. ThinkSystem servers — as well as the solutions brand (ThinkAgile) built upon ThinkSystem server hardware — are manufactured using the best of those technologies, as well as brand new ones developed in response to security threats that didn’t even exist a few years ago.
The Lenovo Data Center Group (DCG) employs rigorous business processes, product design, and supply chain controls to ensure products meet stringent requirements. In fact, Lenovo believes the company goes well beyond what other vendors do concerning system security features and quality procedures. As befits perhaps the most scrutinized server vendor, Lenovo's DCG takes extraordinary steps to ensure products are built with components from known, reliable suppliers. And Lenovo goes even further, testing those components and then working with the suppliers to close any vulnerabilities found in testing. In addition, Lenovo offers security training to all suppliers to minimize the chances of vulnerabilities in the future. These steps benefit not only Lenovo customers but also customers across the industry whose servers include those components.
From the initial design stage, Lenovo servers have security built in on multiple levels. At the hardware and processor level, all the latest x86 industry security standards have been incorporated, including Intel security processor features that enable faster encryption and protection against malware. At this level, ThinkSystem also incorporates the latest technologies from the Trusted Computing Group. On top of these industry standards sits the XClarity Controller, which incorporates a unique set of Lenovo innovations. XClarity Controller features include 128-bit or longer symmetric encryption, cryptography approved by NIST SP 800-131A, perfect forward secrecy, digital signature validation, and a tamper-proof audit log.
Lenovo performs detailed BIOS and firmware design and code reviews during development to ensure code security, and the company only uses select supplier-certified hardware. Components — including Intel controllers, all firmware, BIOS, BMCs, and even USB ports — are validated according to the FIPS 140-2 standard. In addition, Lenovo performs ongoing threat assessments, including threat modeling and ethical hacking of firmware to continually assess security protection.
Another spurious claim by competitors is that Lenovo is a communist Chinese-owned company and that system security could be compromised as a result. The implication is that when servers are manufactured in China and other parts of the Far East, the Chinese government may be slipping backdoors or other vulnerabilities into the firmware. This is completely false, and in fact stringent security policies and practices are in place that make this impossible.
Lenovo is not Chinese-owned. It is a multinational corporation whose stock is 100% publicly traded. Its corporate leadership team represents seven different nationalities, and the board of directors represents five. In addition, the DCG leadership team is located in Morrisville, North Carolina, not China.
To ensure that firmware is not compromised, all firmware requirements, architecture, and design are performed by United States–based teams, thereby maintaining compliance with Lenovo product requirements, design practices, and industry standards. The company has safeguards in place to ensure that products cannot be hijacked and that compromised firmware cannot find its way into servers once deployed.
Whenever code is developed by third parties, U.S. teams perform rigorous inspections for quality control. All source code is maintained on United States-based code retention servers, and all code changes are tracked and audited. Build servers, also based in the United States, are where source code is compiled and converted into executable code. Before the code is released, it is digitally signed on secure signing servers. The signing servers are highly controlled and are based in a secure U.S. datacenter with limited and auditable access and no connection to corporate networks.
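The release flow described above (source held on retention servers, compiled on build servers, signed on an isolated signing server, and verified before it is installed) is the control that keeps compromised firmware out of deployed servers. The following Go program is an added example written for this page; it is not Lenovo's code and does not reflect how ThinkSystem or XClarity firmware is actually signed. It assumes an Ed25519 key pair whose private half exists only on the signing server, a SHA-256 digest of the image as the signed message, and a deployed server that embeds the public key and refuses any image whose signature does not verify. The firmware bytes are a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage is what the pipeline releases: the firmware bytes plus a
// detached signature over their SHA-256 digest (assumed layout, not a Lenovo format).
type SignedImage struct {
	Image     []byte
	Signature []byte
}

// SigningServer stands in for the isolated signing host: it is the only place
// the private key exists, and it exposes nothing but a Sign operation.
type SigningServer struct {
	priv ed25519.PrivateKey
}

// NewSigningServer generates a fresh key pair and returns the public half,
// which would be embedded in the servers that verify updates.
func NewSigningServer() (*SigningServer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SigningServer{priv: priv}, pub, nil
}

// imageDigest is the value that is actually signed and verified.
func imageDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// Sign is the release step: it runs on the signing server after the build.
func (s *SigningServer) Sign(image []byte) SignedImage {
	return SignedImage{
		Image:     append([]byte(nil), image...),
		Signature: ed25519.Sign(s.priv, imageDigest(image)),
	}
}

// ErrBadSignature is returned when a deployed server must refuse an update.
var ErrBadSignature = errors.New("firmware signature does not verify: refusing to install")

// VerifyImage is the deployed server's check before flashing: any change to the
// image after signing, or a signature made with a different key, is rejected.
func VerifyImage(pub ed25519.PublicKey, si SignedImage) error {
	if len(si.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, imageDigest(si.Image), si.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo walks through a release, a clean update, a tampered update and an update
// signed with a foreign key, returning (cleanAccepted, tamperedRejected, wrongKeyRejected).
func Demo() (bool, bool, bool, error) {
	signer, pub, err := NewSigningServer()
	if err != nil {
		return false, false, false, err
	}
	// Constructed stand-in for a firmware image produced by the build server.
	image := []byte("THINKSYSTEM-FW-v1.0.0 constructed sample image payload")
	released := signer.Sign(image)

	cleanOK := VerifyImage(pub, released) == nil

	// An image altered after signing (one bit flipped) must be refused.
	tampered := released
	tampered.Image = append([]byte(nil), released.Image...)
	tampered.Image[10] ^= 0x01
	tamperedRejected := errors.Is(VerifyImage(pub, tampered), ErrBadSignature)

	// An image that verifies only under some other key (e.g. a rogue build host)
	// must also be refused by a server that trusts the release key alone.
	_, otherPub, err := NewSigningServer()
	if err != nil {
		return false, false, false, err
	}
	wrongKeyRejected := errors.Is(VerifyImage(otherPub, released), ErrBadSignature)

	return cleanOK, tamperedRejected, wrongKeyRejected, nil
}

func main() {
	clean, tampered, wrongKey, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("clean image accepted: %v\ntampered image rejected: %v\nforeign key rejected: %v\n",
		clean, tampered, wrongKey)
}
```

The point of separating `SigningServer` from `VerifyImage` is the one the text makes: the build host never holds the signing key, so a compromised build or retention server can at most produce an unsigned image, which the deployed server refuses. In practice the public key is fixed at manufacturing time and the signing host's access is logged, so every released image is traceable to an auditable signing event.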
Lenovo is the only x86 vendor with a server manufacturing facility in the U.S. The company offers products built completely within a secure end-to-end process located entirely in the United States by verified U.S. personnel, for those customers that require this level of assurance. Competitors’ servers are manufactured outside of North America, mainly in Asia.
Lenovo owns the majority of its manufacturing facilities around the world (including the one in the U.S.), unlike competitors who use third-party manufacturing facilities for most or all of their servers. This enables an end-to-end business model for vertical integration. By leveraging its own manufacturing capabilities, Lenovo can maintain greater control over both product development and supply chain operations. As a result, Lenovo manufacturing processes maintain and strengthen the rigorous development and supply chain controls used by IBM.
Finally, a security office works closely with DCG leadership to continuously monitor and report on compliance. This office is led by a security director who is backed by a team of security experts. The team is responsible for resolving all validated incidents and also notifies customers and communicates risk and remediation plans.
As the Fiat Chrysler hacking incident demonstrated, a more interconnected world allows for an even greater possibility of attack to the systems we trust most. Weaknesses in any subsystem and within any supplier can be exploited to cause significant damage. Customers whose systems are targeted by attackers must look for suppliers that demonstrate the best security practices throughout the supply chain — from design to manufacturing to deployment. By implementing a repeatable, auditable, security process across the entire supply chain, customers can be reassured that manufacturers are doing their best to ensure the security of the entire system, regardless of where components are developed.
Customers face challenges when trying to judge the security of a vendor's IT life cycle. Not all server vendors place equal emphasis on security during the design, assembly, testing, and updating of their products.
Vendors face several challenges associated with building a secure supply chain and delivering a product that is secure from inception to deployment. For IT buyers, a discussion around the following vendor challenges can form the basis for evaluating server security:
- In light of the continuing appearance of new vulnerabilities, how does the vendor help IT buyers' nonsecurity specialists to keep up?
- Suppliers are often located in countries that are foreign to the vendor, so how does the vendor ensure that supply chain partners at the local level maintain the necessary security standards?
- Supply chain partners are often located outside the United States, so how does the vendor ensure that local regulations don't impinge upon the security of the finished products?
- What processes does the vendor have in place to ensure the integrity of the server’s firmware?
IDC believes that Lenovo addresses these challenges that are pervasive throughout the industry. IDC also believes IT buyers can use Lenovo's best practices as criteria for ensuring that server security is consistent and auditable across its supply chain.
Server/data security is a major concern for datacenters, and the types, sophistication, and number of threats only increase from year to year. To minimize these threats, datacenters should buy from vendors that use security best practices in the design of their servers and that hold their supply chain to the same high standards. The servers should implement stringent security features at the hardware/firmware level, using components sourced from suppliers that likewise implement security best practices.
The location of manufacturing has little to do with the security of the end product. What organizations should be concerned about is the security controls applied throughout the manufacturing process. With proper controls and regular auditing, any problems with the supply chain can be found and corrected before products ever go to the end user.
IDC believes that Lenovo not only meets these requirements but also offers servers that are designed, coded, and optionally manufactured in the United States. Organizations that are concerned about security should seriously consider Lenovo as a potential server supplier.
About IDC
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets. IDC helps IT professionals, business executives, and the investment community make fact-based decisions on technology purchases and business strategy. More than 1,100 IDC analysts provide global, regional, and local expertise on technology and industry opportunities and trends in over 110 countries worldwide. For 50 years, IDC has provided strategic insights to help our clients achieve their key business objectives. IDC is a subsidiary of IDG, the world's leading technology media, research, and events company.