Governance, Process, Design & Security

Transcription

1 Governance, Process, Design & Security Lenovo Enterprise Products August, 2015

2 Why? Data Centers protect themselves at the edge Are they protected against what is already inside????? 2

3 Lenovo Is A $46 billion, Fortune 500 company 60,000 employees serving customers in 160+ countries 100% publicly traded on the Hong Kong Stock Exchange Globally diverse leadership team Seven different nationalities among top 16 executives Five nationalities represented on BoD Worldwide facilities Enterprise Products HQ in Raleigh, NC 17 manufacturing facilities 7 research centers and 71 offices globally GLOBAL HEADQUARTERS REGIONAL HEADQUARTERS MANUFACTURING RESEARCH CENTER COMPANY LOCATION 3

4 EBG is Truly Global Maximizes use of our resources to create the best products in the most efficient and effective way possible Lenovo managed via decentralized centers-of-excellence Enterprise Business Group a global organization headquartered and managed in the USA Whitsett, NC Morrisville, NC Monterrey, Mexico Guadalajara, Mexico Sarvar, Hungary Beijing, China Shenzhen, China Lenovo owned Enterprise manufacturing factories U.S., Mexico, Brazil, Hungary, China All Lenovo servers for the North America market wil be manufactured in Geography (US, MEX) Itu, Brazil Lenovo EBG Manufacturing Sites Headquarters Locations 4

5 Building Dependable, Reliable and Secure Enterprise Products Lenovo s Enterprise Business Group (EBG) takes extraordinary steps to ensure products are Secure by: Business Processes Designing to industry standards Building with components from known, reliable suppliers Ensuring they cannot be hijacked once deployed Product Design Secure Supply Chain 5

6 Business Processes

7 Business Processes U.S. CFIUS agencies review and approval of Lenovo s System x acquisition included several unique agreements System x products maintain and strengthen rigorous development and supply chain processes and controls used by IBM results in what Lenovo believes is the most transparent, secure and auditable supply chain in the server industry The US government may audit these business processes with only 24 hours advance notice 7

8 Security Governance A security office works closely with EBG leadership Ensures policies are based on industry best practices and international standards including ISO 27000, NIST, and EU Data Privacy Refines practices and policies to ensure they are high, and responsive to the latest threats Continuously monitors and reports on compliance Led by a Security Director Has widely recognized credentials Has the resources needed to do the job No previous relationship to Lenovo or IBM Expertise, focus and oversight 8

9 Product Security Incident Resolution (PSIRT) For security incidents identified by Lenovo, industry, government, or customers Team responsible to drive closure of all validated incidents Notifies customers and communicates risk and remediation plans Active problem resolution and transparency with customers 9

10 Vulnerabilities and Corrective Actions Available on Lenovo.com Security advisories and incident responses are posted and publically available 10

11 How Does Lenovo Compare? We have the most transparent and accountable business processes Lenovo Lenovo s Competitors ODM / White Box Vendors Security procedures published and reviewed with U.S. government Yes Χ No Χ No Mandatory staff training Yes Χ No Χ No Third-party audit rights Yes Χ No Χ No U.S. government inspection rights Yes Χ No Χ No Security governance transparency and accountability Yes 1 Χ No Χ No 1 Special governance in place accountable to U.S. government and Lenovo. 11

12 Product Design

13 Product Development and Security Assurance Security is designed into Lenovo products Detailed BIOS & firmware design and code reviews Select supplier certified hardware Security in Design Threat Modeling Penetration Testing FIPS Validation Validated components Validated BIOS and firmware modules FIPS Compliant/Certified Intel chipsets Training Release Security Review Ongoing threat assessment Threat modeling Security validation ethical hacking Closed loop incident response Incident Response Plan Security built-in by design 13

14 Secure Firmware Development and Delivery Secure firmware development process Architecture and design in US Code maintained and built on servers located in US All released firmware is digitally signed Strict protocols for use of and access to signing servers located in secure US data centers Ultimate security obtained by visibility Accessible for 3 rd party audit Ethical hacking Strict controls to prevent hacking of critical firmware 14

15 Secure Firmware Execution Lenovo innovations such as Trusted Platform Assurance prevents unauthorized firmware from being loaded Boot code is verified at every boot before the operating system is loaded Only genuine firmware updates can be applied Establishes secure chain of trust between firmware and hardware and the OS Ensure only genuine, trusted firmware is able to be loaded and executed 15

16 How Does Lenovo Compare? We have the most secure and transparent firmware development processes Lenovo Lenovo s Competitors ODM / White Box Vendors Firmware development Worldwide Worldwide Worldwide Code provenance (ability to identify, track and trace the authorship of code) Yes Χ No Χ No Auditable build and compile processes Yes 1 Χ No Χ No Third-party validation of quality assurance and testing process Yes 2 Χ No Χ No 3 1 Subject to verification by third parties and the U.S. government 2 Mandatory ethical hacking by screened personnel or CFIUS- approved third parties 3 No assurance that industry or ODM-specific security fixes are actually incorporated into firmware. 16

17 How Does Lenovo Compare? We have the greatest control and oversight of firmware quality and authenticity Lenovo Lenovo s Competitors ODM / White Box Vendors Location of source code repositories and build servers Secure environment in Raleigh, NC Χ Multiple ODMs and owned facilities Χ Multiple ODMs low touch Secure access to source code repositories and build servers Controlled by screened U.S. persons Χ No assurances Χ No assurances 1 Location of code signing servers In high security environment in U.S.; staffed by screened U.S. persons; Subject to audit Χ Location unknown Χ No assurance that code is signed centrally in a secure environment Cryptographic keys and access to code signing servers Located in secure U.S. data center. Access limited to screened U.S. persons. Χ Signing processes not subject to audit, transparency or security requirements Χ No assurance that keys used for signing are protected / not shared 1 May be built in uncontrolled environments such as developer s general-purpose laptop 17

18 Secure Supply Chain

19 Lenovo Owns and Controls Servers Manufacturing Lenovo s leverages WW owned manufacturing capabilities for greater control over supply chain operations Screened Lenovo employees Physical and IT security Offers TAA compliant systems today Lenovo is the only server vendor to also manufacture servers in the US Offers option (Oct 2015) to purchase products built completely within a secure end-to-end process located entirely in the U.S. by verified U.S. persons Lenovo has greater control over supply chain operations with Lenovo owned factories 19

20 Trusted Suppliers Support a Secure Supply Chain Must follow industry-standard security practices for all active components Use and comply with strict security requirements for qualification and quarterly assessments Must provide quick assistance when issues arise on Lenovo products Be transparent with Lenovo when supplier discovers potential risks Information security and control with logistics processes NEED TO KNOW only Supplier self-audit and Lenovo on-site asset protection reviews Ensures secure facilities, trucks/conveyances, employees, visitors and drivers Only selected, trusted suppliers participate in Lenovo s supply chain, ensuring end-to-end security 20

21 Protecting Parts Authenticity and Traceability Lenovo uses unique Vital Product Data (in firmware) and Serialization for each system that stays with each Server/Customer Lenovo uses Security labels on key commodities to deter counterfeit Examples: Memory and HDD s Ensure that parts used are genuine and known to be secure 21

22 Securing Delivery Contractual asset protection requirements GPS technology, security escorts, countersurveillance, background screening Comprehensive conveyance inspection and sealing process Ensures integrity of conveyance / products and aids in tamper detection Packaging security standards prevention and detection capabilities Layered approach with over-packs, banding, stretch wrap, seals and tamper tape Government security programs C-TPAT Tier 3 certified Ensure products are not tampered with and modified after shipment 22

23 How Does Lenovo Compare? We are the only manufacturer to build in the U.S., and have the greatest supply chain control and transparency Lenovo Lenovo s Competitors ODM / White Box Vendors All servers for U.S. market made in North America 1 Server manufacturing locations Offers servers made in USA by verified U.S. persons in secure holding/test facility 2 Χ High % in Asia by ODMs Χ Predominantly in Asia Subject to audit, inspection, and test rights Yes Χ No Χ No 1 Monterrey, MX, or Whitsett, NC (by 8/15/2015) 2 By Oct

24 The Proof

25 Proof Points As a Company Passed U.S. CFIUS process 5 times ( ) Stringent review of supply chain and protection of customer secure data Held GSA schedule for nine years Supplying trade compliant products Passing 100% of audits with zero infractions Sold over $1 billion in PC hardware to the U.S. Federal Government 25

26 Proof Points EBG Specific U.S. Government December 2014 no issues Audit of development and business processes Booz-Allen Completes September 2015 Compliance with National Security Agreement Effectiveness of security processes and controls at each touch point in the supply chain Attestation of trusted suppliers Accuvant, Citigal, CoreLogic, Mitre, LegbaCore LLC Ongoing Vulnerabilities in firmware and software used on products 26

27 For More Help Compliance documents contact Lenovo Partner Assist or your Lenovo Sales Rep. Can be given to customers under NDA. Security Incidents and Responses updated on Lenovo.com Product Security pages Sales support contact your Lenovo Sales Rep or preferred Authorized Lenovo Distributor. 27

28