Your Browser is Out of Date

ShareDemos uses technology that works best in other browsers.
For a full experience use one of the browsers below
Dell EMC VxRail: Comprehensive Security by Design
Introduction
VxRail overview Security transformation begins with Dell Technologies Bridge to digital future Building trust with Dell EMC product security programs

Building trust with Dell EMC product security programs

  • Dell EMC began formulating its product security policies in 2002 when the company's focus shifted from being primarily a storage hardware vendor to an enterprise-class software provider. The company rolled out its vulnerability response program in 2004 and established a company-wide Product Security Policy in 2005. The policy enacts broad but clear security standards encompassing the complete range of Dell EMC products. This policy was continuously updated, and in 2007, it was integrated into the company's new Security Development Lifecycle (SDL). SDL instilled a series of measurable and repeatable security practices into every step of product development and deployment. In 2012, the company also formalized a supply chain risk management program to extend security practices to Dell EMC's suppliers of product components. Dell EMC continues to evolve its product security programs at the leading edge of industry standards and processes.

    With VxRail, Dell EMC continues its commitment to security. VxRail development lifecycle follows the Dell EMC Product Security development process and Security Development Lifecycle overlay. The Dell EMC Security Development Lifecycle follows a rigorous approach to secure product development and involves executive-level risk management before products are shipped to market. Additionally, VMware vSphere is a significant part of VxRail hyper-converged infrastructure that has also been developed using a similar Security Development Lifecycle.

    Secure Development Lifecycle

    The Dell EMC Secure Development Lifecycle (SDL) outlines the set of activities required throughout the product lifecycle to build security resiliency and consistent security capabilities into the products and to respond to externally reported security vulnerabilities promptly. Aligned with industry best practices, the SDL is based on a set of controls that are implemented by the product R&D organizations. The following figure shows some of the typical activities performed as part of the SDL.

    Figure 2.                  Dell EMC SDL Activities

    Security champions drive the implementation and validation of these controls within the product R&D organizations that work in close collaboration with the Product and Applications Security Standards. The following figure illustrates how these SDL activities map onto a typical Agile lifecycle.

    Figure 3.                  SDL and a Typical Agile Lifecycle

    The scorecard is a mechanism used throughout Dell EMC's business to capture the security posture of a product/solution when it reaches its release Directed Availability/General Availability (DA/GA) date.

    Secure development

    Dell EMCs comprehensive approach to secure development focuses on minimizing the risk of software vulnerabilities and design weaknesses in products.

    This comprehensive approach to secure software development goes across policy, people, processes, and technology and includes the following:

    • Dell EMC product security policy is a common reference for Dell EMC product organizations to benchmark product security against market expectations and industry best practices.
    • Dell EMC engineering teams are a security-aware engineering community. All engineers attend a role-based security engineering program to train on job-specific security best practices and how to use relevant resources. Dell EMC strives to create a security-aware culture across its entire engineering community.
    • Dell EMC development process is secure and repeatable. SDL overlays standard development processes to achieve a high degree of compliance with the Dell EMC product security policy.
    • Dell EMC development teams build on best-in-class security technologies. Dell EMC has developed a set of software, standards, specifications, and designs for common software security elements such as authentication, authorization, audit and accountability, cryptography, and key management using state-of-the-art technology. Where appropriate, open interfaces are used, allowing integration with customers' existing security architectures.
    • Dell EMC's SDL overlays security on standard development processes to achieve a high degree of compliance with the Dell EMC product security policy. The Dell EMC SDL follows a rigorous approach to secure product development that involves executive-level risk management before our products are shipped to market.
    • The SDL is part of a broader set of processes that exist within the secure design standard. The secure design standard is the benchmark for building security into Dell EMC products. The standard relates to the security of all product functionality and describes mandatory security functionality, which must be built into any product delivered by Dell EMC to customers. This standard enables Dell EMC products to:
    • Meet customers rigorous security requirements,
    • Help customers meet regulatory requirements, such as PCI, HIPPA, etc.,
    • Minimize the risks to Dell EMC products and customer environments from security vulnerabilities.
    • Source code protection identifies how to properly secure Dell EMC engineering systems that contain source code to product-related intellectual property and ensure the integrity of products deployed to customer environments.

    Dell EMC vulnerability response

    Security vulnerabilities in any system component can be used by attackers to infiltrate and compromise the entire IT infrastructure. The time between the initial discovery of vulnerabilities and the availability of a fix becomes a race between the attackers and the defenders. A top priority for Dell EMC is to minimize this time gap to reduce risk.

    The Dell Product Security Incident Response Team (PSIRT) is responsible for coordinating the response and disclosure for all externally identified Dell EMC product vulnerabilities. The PSIRT provides customers with timely information, guidance, and mitigation strategies to address threats from vulnerabilities.

    Anyone can notify Dell of potential security flaws in its products through the company's website or by email. Every notice is investigated, validated, remediated, and reported according to industry guidelines.

    Dell releases information about product vulnerabilities to all customers simultaneously. The company's advisories identify the severity of vulnerabilities and spread the information using multiple standardized reporting systems. Like the rest of our product security practices, Dell's disclosure policy is based on industry best practices.

    Supply chain risk management

    Successful product security programs are comprehensive and extend to outsourced components and software. Integrity tests within the supply chain are an essential component of building and preserving trust. Dell Technologies has a formal Supply Chain Risk Management program that ensures the hardware components used in the company's products originate from properly vetted sources.

    Supply chain security is defined as the practice and application of preventive and detective control measures that protect physical assets, inventory, information, intellectual property, and people. Addressing physical, information, and personnel security helps provide supply chain assurance by reducing opportunities for the malicious introduction of malware and counterfeit components into the supply chain.

    Dell's Supply Chain Risk Management framework (below) mirrors that of the comprehensive risk management framework of the National Infrastructure Protection Plan (NIPP), which outlines how government and the private sector can work together to mitigate risks and meet security objectives. Dell's framework incorporates an open feedback loop that allows for continuous improvement. Risk mitigation plans are prioritized and implemented as appropriate throughout the entire solution life cycle. The following figure illustrates the supply chain risk management process:

    Figure 4.                  Dell supply chain risk management process

    Industry collaboration to improve product security

    Dell Technologies believes a collaborative approach is the most efficient and effective way to deal with security threats that continuously emerge and can quickly spread among organizations through today's densely interconnected systems.

    Considering the heightened risks, technology providers must set aside their competing aims in the marketplace when it comes to product security. No single vendor can solve all IT product security problems by itself. IT security is a collective, collaborative endeavor. Dell Technologies believes collaborating with other companies is essential to ensuring that the marketplace remains a venue where everyone can flourish.

    Having spent decades in product security has helped Dell Technologies establish a rich history of successful improvements and insights. The company openly shares what it has learned with its customers, peers, and partners. Dell Technologies understands a customer's IT system may not run solely on Dell Technologies products, so we're committed to improving the ecosystem's security wherever a product operates. That means being an active participant and a positive contributor throughout the industry.

    Dell Technologies long commitment to advancing product security has created an obligation to assist and promote newer industry members. The company's product security leaders facilitate the open exchange of ideas at conferences, through blog posts, and in other social and formal venues.

    Participation in industry product security groups

    Dell Technologies is active in product security groups, where it both learns and teaches progressive best practices and cultivates a sense of communal responsibility for product security. Dell Technologies industry affiliations include:

    • BSIMM—The Building Security in Maturity Model evaluates the industry's software security initiatives, so organizations can see where their security efforts stand and how they should evolve.

    https://www.bsimm.com/content/dam/bsimm/BSIMM-226x110v2.png

    • The Open Group—This 400-member consortium runs respected certification programs for IT personnel, products, and services to design and improve IT standards. The Open Group works to understand current and emerging IT requirements and establish or share best practices to meet them

    http://www.opengroup.org/sites/default/files/opengrouplogo.png

    • SAFECode—The Software Assurance Forum for Excellence in Code, co-founded by Dell EMC, is an industry-led effort to identify and promote best practices for delivering more secure and reliable software, hardware, and services.

    • CSA—The Cloud Security Alliance is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

    https://cloudsecurityalliance.org/wp-content/themes/csa/static/images/logos/cloud-security-alliance.png

    • FIRST—The Forum of Incident Response and Security Teams is a recognized global leader in incident response. Dell PSIRT is a FIRSTVxRailteam member. 

    https://www.first.org/_/img/first-logo-200x120.png