Dell Technologies strives to build trust and a secure, connected world. We work tirelessly to keep the safety of your data, network, organization, and customers top of mind, with security engineered into all our end-to-end solutions. Our Security and Trust Center provides easy access to resources and solutions to help you quickly find answers to your consumer and enterprise security questions.
The Dell Secure Development Lifecycle (SDL) outlines the set of activities required throughout the product lifecycle to promptly build security resiliency and consistent security capabilities into the products and respond to externally reported security vulnerabilities. Aligned with industry best practices, the SDL is based on controls that the product R&D organizations implement. The following figure shows some of the typical activities performed as part of the SDL:
Figure 2. Dell SDL Activities
At Dell, Security Champions drive the implementation and validation of these controls within the product R&D organizations, which work in close collaboration with Product and Applications Security Standards. The following figure illustrates how these SDL activities map onto a typical Agile lifecycle:
Figure 3. SDL and a Typical Agile Lifecycle
The scorecard is a mechanism used throughout Dell's business to capture the security posture of a product/solution when it reaches its release General Availability (GA) date.
Dell’s comprehensive approach to secure development focuses on minimizing the risk of software vulnerabilities and design weaknesses in products.
This comprehensive approach to secure software development goes across policy, people, processes, and technology and includes the following:
Attackers can use security vulnerabilities in any system component to infiltrate and compromise the entire IT infrastructure. The time between the initial discovery of vulnerabilities and the availability of a fix becomes a race between the attackers and the defenders. Therefore, a top priority for Dell is to minimize this time gap to reduce risk.
The Dell Product Security Incident Response Team (PSIRT) is responsible for coordinating the response and disclosure for all externally identified Dell product vulnerabilities. The PSIRT provides customers with timely information, guidance, and mitigation strategies to address threats from vulnerabilities.
Anyone can notify Dell of potential security flaws in its products through the company's website or by email. According to industry guidelines, every notice is investigated, validated, remediated, and reported.
Dell releases information about product vulnerabilities to all customers simultaneously. The company's advisories identify the severity of vulnerabilities and spread the information using multiple standardized reporting systems. Like the rest of our product security practices, Dell's disclosure policy is based on industry best practices.
Successful product security programs are comprehensive and extend to outsourced components and software. Integrity tests within the supply chain are essential for building and preserving trust. Dell Technologies has a formal Supply Chain Risk Management program that ensures the hardware and software components used in the company's products originate from properly vetted sources.
Supply chain security is the practice and application of preventive and detective control measures that protect physical and digital assets, inventory, information, intellectual property, and people. Addressing information, personnel, and physical security helps provide supply chain security by reducing opportunities for the malicious introduction of malware and counterfeit components into the supply chain. Additionally, in 2022 cybercriminals increasingly targeted supply chains with ransomware in an attempt to extort organizations that were working to recover. Ransomware attacks have ranged across sectors, from healthcare and oil pipelines to food supply chains.
Dell’s Quality Management System verifies ongoing compliance to engineering specifications and processes, including sourcing from approved vendors. Software engineering best practices integrate security throughout the development process for any code, including operating systems, applications, firmware, and device drivers. Dell reduces opportunities for the exploitation of software security flaws by incorporating secure development lifecycle measures throughout the Design and Development process. These measures are tightly aligned with the Software Assurance Forum for Excellence in Code (SAFECode) guidelines and ISO 27034.
VxRail secures its BIOS firmware by incorporating a Trusted Platform Module (TPM), which coordinates with the BIOS during the UEFI boot process to maintain the authenticity of BIOS measurements; most importantly, it provides a Root of Trust for Measurement (RTM) and a Root of Trust for Reporting (RTR). Trusted Computing Group (TCG) Measured Boot uses the PC’s TPM as a protected storage area for hashes of the BIOS and firmware code that is loaded and executed during the boot process. The TPM is designed to store these measurements securely so that they can be verified post-boot through a process called attestation.
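As an added illustration of the measured-boot flow described above (example code written for this page, not Dell's or VxRail's implementation), the following models a SHA-256 PCR bank: boot components are hashed and extended into PCRs, and a verifier replays the event log to confirm that the quoted PCR values are reproducible and match a known-good baseline. The event log and its digests are constructed placeholders, and the simplified log format is an assumption.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank: one 32-byte register per PCR

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Constructed sample event log: (PCR index, description, digest of the measured code).
# The digests are hashes of placeholder strings, not real BIOS or firmware hashes.
EVENT_LOG = [
    (0, "BIOS core / UEFI firmware", sha256(b"constructed-bios-image")),
    (0, "UEFI driver volume", sha256(b"constructed-uefi-drivers")),
    (2, "Option ROM", sha256(b"constructed-option-rom")),
]

def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || measurement). A PCR can only be extended,
    never written, so its final value depends on every measurement and their order."""
    return sha256(pcr_value + measurement)

def replay_log(event_log, num_pcrs: int = 24) -> dict:
    """Recompute the PCR values the TPM should hold after recording this event log."""
    pcrs = {i: bytes(PCR_SIZE) for i in range(num_pcrs)}  # PCRs reset to zero at power-on
    for index, _description, measurement in event_log:
        pcrs[index] = extend(pcrs[index], measurement)
    return pcrs

def verify_attestation(quoted_pcrs: dict, event_log, golden: dict) -> list:
    """Post-boot attestation check: quoted PCRs must be reproducible from the event
    log and must match the known-good (golden) values for this firmware build.
    Returns a list of findings; an empty list means the boot measurements check out."""
    findings = []
    expected = replay_log(event_log)
    for index, quoted in quoted_pcrs.items():
        if expected[index] != quoted:
            findings.append(f"PCR{index}: event log does not reproduce the quoted value")
        elif index in golden and golden[index] != quoted:
            findings.append(f"PCR{index}: quoted value differs from the golden baseline")
    return findings

def demo() -> tuple:
    """Healthy boot versus a boot in which the BIOS image was altered before measurement."""
    golden = replay_log(EVENT_LOG)
    healthy = verify_attestation({0: golden[0], 2: golden[2]}, EVENT_LOG, golden)
    tampered_log = [(0, "BIOS core / UEFI firmware", sha256(b"modified-bios-image"))] + EVENT_LOG[1:]
    tampered_pcrs = replay_log(tampered_log)
    tampered = verify_attestation({0: tampered_pcrs[0], 2: tampered_pcrs[2]}, tampered_log, golden)
    return healthy, tampered

if __name__ == "__main__":
    print(demo())
```

A real verifier would obtain the PCR values from a signed TPM quote (the Root of Trust for Reporting) rather than trusting the host to report them, and would parse the TCG event log format instead of the simplified tuples used here.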
Proactive verification, validation, and security testing activities, performed throughout the lifecycle, help to ensure secure software and reduce the likelihood of malware or coding vulnerabilities being inserted into it. A robust cybersecurity program improves software integrity by preventing unauthorized access to source code and minimizing the potential for malware to be introduced into a product before it is shipped to the customer.
For additional information on Dell’s Supply Chain Security, please see this paper.
Figure 4. Dell supply chain risk management process
Dell Technologies believes a collaborative approach is the most efficient and effective way to deal with security threats that continuously emerge and can quickly spread among organizations through today's densely interconnected systems.
Considering the heightened risks, technology providers must set aside their competing aims in the marketplace regarding product security. No single vendor can solve all IT product security problems by itself. IT security is a collective, collaborative endeavor. Dell Technologies believes collaborating with other companies is essential to ensuring that the marketplace remains a venue where everyone can flourish.
Having spent decades in product security has helped Dell Technologies establish a rich history of successful improvements and insights. The company openly shares what it has learned with its customers, peers, and partners. Dell Technologies understands a customer's IT system may not run solely on Dell Technologies products, so we are committed to improving the ecosystem's security wherever a product operates. That means being an active participant and a positive contributor throughout the industry.
Dell Technologies’ long commitment to advancing product security has created an obligation to assist and promote newer industry members. As a result, the company’s product security leaders facilitate the open exchange of ideas at conferences, blogs, and other social and formal venues.
Dell Technologies is active in product security groups, where it both learns and teaches progressive best practices and cultivates a sense of communal responsibility for product security. Dell Technologies’ industry affiliations include: