Why Supply Chain Security Is The First Line of Defense
In modern enterprise IT the boundary between physical and digital is blurred, and remote work and BYOD have expanded the attack surface. Endpoint detection and software patching are the usual security priorities, but supply chain security is just as critical. Dell Technologies builds security in from design through delivery and rigorously audits its partners and verifies components to ensure the security and trustworthiness of the device supply chain. 2025-6-30 13:56:53 Author: securityboulevard.com

In the modern enterprise IT world, the lines between physical and digital are blurry at best. Remote work, BYOD, and even highly connected offices have redefined what “edge” really means. This also means that the attack surface for your users and their devices has expanded as well. If you ask a modern security team where they should focus their efforts, you will probably hear answers like endpoint detection and software patches. Almost no one would start at the very beginning.

Don’t Break Your Chains

A holistic security approach has to take the device supply chain into account. A device has to be secured before it ever leaves the factory. The rising number of sensational stories about servers being compromised at some point in the supply chain has caused worry in the community. Reassurance that your endpoints are safe and sound along the way can define the relationship that an organization has with a supplier.

During Security Field Day in May, we had a chance to hear from Dell Technologies about how they are working to provide the kinds of security solutions that enterprise users need from a large company like Dell. Not surprisingly, one of their big pillars was supply chain security:

Here are some highlights that Dell focused on that I think really speak to the bigger picture when it comes to the importance of the supply chain in the security process.

  • Security must be integrated at inception. It must be a part of the design from beginning to end. If you try to bolt on security after the fact you leave gaping holes for threat actors to exploit. In the above example, Dell instills security in their designs from the initial chip designs all the way through to device assembly and delivery. This also means that the designs can’t be mined for potential weaknesses.
  • A chain is as strong as the weakest link. Likewise, the supply chain is only as secure as its weakest link. You might be able to assure yourself that your organization is secure. However, what about your partners? Can you be sure they are following the same procedures? Could you imagine what would happen if a nation-state-backed organization was able to compromise the supplier of a baseboard management controller (BMC) for a server without the manufacturer knowing? You’d have a very nasty entry point that no one is even aware of. In Dell’s case, partners are held to a high standard and frequently audited to ensure compliance. This creates a culture of security and accountability.
  • Verification goes deeper than just partners. How can you be sure that every part you’ve installed is the right part? Being able to insert parts into the chain could create havoc down the road. You need a verifiable way of ensuring that the parts you selected for the device are the parts actually in the device. If that sounds daunting, you’re on the right track. For a company like Dell, this critical identification process is easier to pull off: if you already have the list of parts, it’s easy to build a digital fingerprint for those components. Even better, that list can be provided to the customer at any time for verification purposes. It’s an auditor’s dream!
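As an added illustration of the component-verification idea in the last point (not Dell’s own tooling), here is a Python sketch that fingerprints a factory component list and checks a device’s observed inventory against it. The service tag, slot names, models, serials and signing key are constructed placeholders, and the HMAC stands in for the asymmetric signature and certificate chain a real manufacturer would use.

```python
import hashlib
import hmac
import json

# Constructed sample manifest: the component list recorded at the factory.
# The service tag, slot names, models and serials are placeholders.
FACTORY_MANIFEST = {
    "service_tag": "EXAMPLE-TAG-0001",
    "components": [
        {"slot": "CPU.Socket.1", "model": "Example CPU", "serial": "CPU-SN-0001"},
        {"slot": "DIMM.Socket.A1", "model": "Example DDR5 32GB", "serial": "DIMM-SN-0001"},
        {"slot": "Disk.Bay.0", "model": "Example NVMe 1.92TB", "serial": "NVME-SN-0001"},
        {"slot": "BMC.Embedded.1", "model": "Example BMC", "serial": "BMC-SN-0001"},
    ],
}

# Placeholder key. A real scheme signs the manifest with the manufacturer's
# private key and ships a certificate chain; HMAC keeps this example stdlib-only.
FACTORY_KEY = b"placeholder-factory-signing-key"


def canonical(manifest):
    """Serialize deterministically so identical inventories always hash the same."""
    m = dict(manifest)
    m["components"] = sorted(manifest["components"], key=lambda c: c["slot"])
    return json.dumps(m, sort_keys=True, separators=(",", ":")).encode()

def fingerprint(manifest):
    """The digest a customer can publish or compare out of band."""
    return hashlib.sha256(canonical(manifest)).hexdigest()

def sign_manifest(manifest, key):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()

def verify_inventory(manifest, signature, key, observed):
    """Return findings; an empty list means the device matches its signed manifest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid: component list cannot be trusted"]
    expected = {c["slot"]: c for c in manifest["components"]}
    seen = {c["slot"]: c for c in observed}
    findings = []
    for slot, comp in expected.items():
        if slot not in seen:
            findings.append(f"missing component in {slot} (expected serial {comp['serial']})")
        elif (seen[slot]["model"], seen[slot]["serial"]) != (comp["model"], comp["serial"]):
            findings.append(f"substituted component in {slot}: found serial {seen[slot]['serial']}")
    for slot in sorted(seen.keys() - expected.keys()):
        findings.append(f"unexpected component in {slot}: serial {seen[slot]['serial']}")
    return findings
```

A substituted, missing or added part each produces its own finding, and a manifest whose signature does not verify is rejected outright rather than being compared.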

Bringing It All Together

There are a lot more great ideas in the Dell video above. Dell has really thought about the whole process from inception to delivery. For a company that touches as many systems as Dell does over the course of an endpoint’s lifetime, this is crucial to building trust. Dell knows that this is a non-negotiable component of being a trusted supplier of equipment to a modern enterprise. Security analysts might focus on patching and software. They are the first people to warn about not scanning random QR codes or inserting USB drives into secured machines. However, thinking as deeply as the supply chain is something that often escapes even the most attentive teams. Thanks to companies like Dell, supply chain security stays top of mind along the way.

Tom Hollingsworth

Tom Hollingsworth, CCIE #29213, is a 20-year veteran of the networking industry. He spent over a decade as a Senior Network Engineer for an education-focused reseller, specializing in the implementation and operation of advanced technologies. Tom is well versed in the mechanics of campus and data center networks, voice and collaboration systems, and data center virtualization. Tom has also been a vocal member of the networking community. He is active on Twitter as @NetworkingNerd, and writes on his blog at http://NetworkingNerd.net, as well as being a columnist for Network Computing. He has been a speaker and panel moderator for TechUnplugged and Interop, in addition to serving as the Interop Networking Track Chair and Infrastructure Advisory Board member. Tom has been a regular guest on industry podcasts, including Packet Pushers and Network Collective. Tom is currently serving as the event lead for Networking, Wireless, and Security on the Tech Field Day event series. He speaks daily with companies on the forefront of exciting new ideas and incredible new solutions and works with industry influencers to help the greater networking community understand how they work and how networking professionals can take advantage of them in everyday practice.

Source: https://securityboulevard.com/2025/06/why-supply-chain-security-is-the-first-line-of-defense/?utm_source=rss&utm_medium=rss&utm_campaign=why-supply-chain-security-is-the-first-line-of-defense