Built in or Bolted On?

4 security questions you must ask your server vendor

serversecurity pt2 1000x630
Dell EMC

In a previous post, we established infrastructure security as a top business concern for senior management in information and technology.  New trends and practices such as IoT, open-source technologies, greater transparency and improved connectivity, have dramatically changed the way we collect, store, move and use data. What is also changing is the conversation on how to approach cyber risk.

Security or Resiliency?

Until now, most businesses have focused on cybersecurity. This view is technical, and tends to be binary – either you have a lock on your virtual door, or you don’t. In contrast, cyber-resiliency is a mindset that encompasses the full spectrum of issues that occur before, during and after a system experiences a malicious or adverse event. By expanding the scope to consider not only information security, but business continuity and organizational recovery, cyber-resilience offers a longer-term, sustainable approach to managing business risk.

Based the National Institute of Standards and Technology’s (NIST) five core security guidelines,1 Dell EMC has refined three key aspects of end-to-end security that together create cyber-resilient architecture.

Protect – Resilience starts with a deep layer of defense that includes a dual silicon root of trust, cryptographically signed firmware updates, and always-on intelligent management to help block malicious attacks.

Detect – Suspicious activity can be spotted quickly with continuous monitoring, verification and reporting of abnormal activity. Customer-defined drift can be discovered and repaired, along with detection of any physical tampering. Every event is logged, and alerts that offer recommended actions are sent in real time.

Recover – No system is completely immune to compromise. That’s why resiliency requires the ability to rapidly restore operations to a trusted base. Automatic BIOS recovery and server configuration restoration reduce downtime and protect your business. A secure system erase feature extends that protection to the very end of a server’s lifecycle. 

Partner or Provider?

Server vendors generally fall into two categories when it comes to security. Providers tend to “bolt on” security measures after manufacturing hardware. Partners build security into their products and processes from start to finish. When an organization is embarking on an IT transformation, it’s critical to have the right type of vendor on your side. Wading through carefully crafted marketing materials and sales presentations can be tough, but security-savvy partners should be able to answer these four questions. 2

  1. “Are your servers secure at the hardware and firmware level?”  Many organizations pay most – if not all – of their attention to operating system and application security concerns. No system will ever be completely foolproof, but the most secure systems also address firmware and hardware vulnerabilities. These include providing an immutable silicon root of trust, BIOS security, and physical security.
  1. “Are your servers secure across the full security lifecycle?” The National Institute of Standards and Technology (NIST) defines five core security lifecycle phases.3 A server vendor who is not intimately familiar with the complete security lifecycle is a huge red flag.
  1. “Is security embedded in the product development process?” This question addresses the heart of the difference between cybersecurity and cyber resilience. Cyber resilience requires built-in features at each stage of the server design and production process. Having a security development lifecycle model and fast response capabilities to new vulnerabilities is a key trait of cyber resilience.  However, cybersecurity is bolted on after the product is already complete, or as an afterthought. Built-in security is not easy or cheap – but it offers far superior protection.
  1. “Do I need to pay a licensing fee to benefit from key security features?” Some providers view security features as an additional source of revenue, as opposed to standard service. Partners will provide security features to all customers by default. Read the fine print, and be sure that your servers will be safe even if you don’t purchase an additional security license.

It is vital for businesses to be cyber-resilient so they can protect themselves better, detect malicious intent faster, and recover rapidly from cyber threats. As organizations become more connected and complex, it’s not enough to simply put a lock - even the very best one available - on the virtual door.  Systems that are cyber resilient, with protective and recovery features factored into every step of the design and manufacturing process, are no longer a luxury. They are a necessity.

All Dell EMC PowerEdge servers are designed and built to be cyber-resilient. Visit Dell EMC to learn more about cyber resilience and how to best protect your enterprise.


1,3 “Framework for Improving Critical Infrastructure Cybersecurity,” National Institute of Standards and Technology, 10 January 2017: https://www.nist.gov/sites/default/files/documents////draft-cybersecurity-framework-v1.11.pdf

2 “END-TO-END SERVER SECURITY: THE IT LEADER’S GUIDE,” Dell EMC PowerEdge Server Solutions Group, 2018: http://www.itmanagement.com/research/endtoend-server-security-the-it-leaders-guide-71382

Copyright © 2018 IDG Communications, Inc.