Dell adopts Zero Trust security principles

Dell Technologies has announced Zero Trust cybersecurity services along with a Zero Trust Center of Excellence using a US Department of Defense-approved architecture.

The Zero Trust approach holds that no user or application accessing IT resources is trusted unless it has been verified and its activity inside the organization’s IT environment is known to be good. The aim is to keep out criminals or malware masquerading as legitimate users or applications, much as a security guard would verify who you are and watch what you do and where you go.

Global chief technology officer John Roese said: “In a multicloud world, an organization’s cybersecurity strategy must transcend its infrastructure and extend to its applications and data. We believe a Zero Trust strategy is the best path forward.”

Dell, together with MISI, CyberPoint International, and a group of businesses, is setting up a Zero Trust Center of Excellence at DreamPort, Columbia, Maryland. DreamPort was created under a Partnership Intermediary Agreement between MISI and United States Cyber Command (USCYBERCOM) in May 2018. The Dell center will provide organizations with a secure place to validate Zero Trust use cases, using the Department of Defense Zero Trust Reference Architecture as its foundation, so that users can test configurations before deploying them in their own environments.

Dell’s CyberSecurity Advisory Services will help customers move towards a Zero Trust environment, based on their current cybersecurity situation. The services find security gaps, determine technologies customers should implement to address them, and advise on how to enable continuous vigilance and governance for long-term cyber resiliency.

A Dell Vulnerability Management service can regularly scan customer environments for vulnerabilities. This exposes weaknesses in a customer’s attack surface and comes with guidance on patching them.

Dell is also offering more device-level protection:

  • PC hardware protection – customers can have Dell disable PC ports prior to shipment to help prevent tampering of BIOS settings. Dell is expanding availability of tamper-evident seals to Asia-Pacific, Europe, the Middle East and Africa to offer more physical security measures during shipment.
  • PC firmware protection – PC BIOS tampering can be detected via telemetry integration between Microsoft Intune (part of Microsoft Endpoint Manager) and Splunk.
  • Data loss prevention – this helps protect sensitive data from unauthorized downloads onto external USB storage devices.

A future release of Intune will enable IT admins to use Microsoft Endpoint Manager facilities to secure, control, and configure Dell PCs, including BIOS configuration and password management.

A final announcement is that Dell’s ECS Enterprise Object Storage platform can now secure object data in an isolated cyber vault residing locally or in a remote environment. Applications and backup servers can continue to access the isolated copy using AWS’s S3 protocol, while supporting legal compliance in the event of a cyberattack that compromises the primary and secondary data copies. This gives customers a faster path to data recovery from ransomware and other malicious attacks.

Zero Trust background

The Zero Trust ideas were first expressed by Forrester analyst John Kindervag in 2010 as a response to perceived failings in the network perimeter security model. If a bad actor penetrated perimeter security, they could then roam at will throughout an organization’s IT network, stealing data or planting malware.

Forrester’s current definition of Zero Trust is that it’s an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.

The US National Institute of Standards and Technology states: “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”
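To make the Forrester and NIST definitions concrete, here is a small policy decision function written as an added example (it is not Dell's, Forrester's or NIST's code). It denies by default, verifies the subject and the device as separate checks, applies a contextual risk ceiling per resource, and deliberately ignores network location; the resources, thresholds and device attributes are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Subject:
    user: str
    mfa_verified_at: int      # epoch seconds of the last strong authentication

@dataclass
class Device:
    device_id: str
    managed: bool             # enrolled in endpoint management (assumed attribute)
    firmware_attested: bool   # BIOS/firmware integrity check passed (assumed attribute)
    disk_encrypted: bool

@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    network: str              # "lan" or "internet": logged, but never grants trust
    now: int                  # epoch seconds at evaluation time

# Constructed policy table: resource -> risk ceiling and maximum age of authentication.
# Any resource not listed here is denied (default deny).
POLICY = {
    "payroll-db": {"max_risk": 1, "max_auth_age": 900},
    "wiki":       {"max_risk": 3, "max_auth_age": 28800},
}

def risk_score(device):
    """Contextual device risk: higher means less trustworthy."""
    score = 0
    if not device.managed:
        score += 2
    if not device.firmware_attested:
        score += 2
    if not device.disk_encrypted:
        score += 1
    return score

def decide(req):
    """Return (allowed, reason). Evaluated on every request, not once per session."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    # Subject verification is a discrete check from device verification.
    auth_age = req.now - req.subject.mfa_verified_at
    if auth_age < 0 or auth_age > policy["max_auth_age"]:
        return False, "re-authentication required"
    score = risk_score(req.device)
    if score > policy["max_risk"]:
        return False, f"device risk {score} exceeds ceiling {policy['max_risk']}"
    return True, "allow"
```

Because `decide` is called per request, a session whose authentication has aged past the resource's limit is denied on its next access even though it was allowed earlier, which is the "continuous verification" part of the definition.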