Securing the edge server infrastructure from the ground up

Dell aims to show how it is done with ‘Proactive Resilience’

Paid Feature Edge computing has seen enterprise IT infrastructure escape from the confines of the traditional data center and put processing power closer to where the action is, or at least to where the data is generated. Among the reasons for such edge initiatives is to enable organizations to gain real-time actionable insights from the data.

But building out IT infrastructure at the network edge comes with its challenges. For instance, deploying systems outside the protective walls of a centralized data center can leave them exposed to theft and vandalism, not to mention tampering that could lead to the loss of sensitive data or the compromise of the entire corporate network.

The upshot is that systems for edge deployment must be first-class citizens when it comes to security, and should have the same level of security features as you would find in infrastructure inside a traditional data center.

Edge systems also need security to be built-in from the ground up, in other words, not added as an afterthought. Also, organizations need adaptive and flexible compute infrastructure to handle a diverse range of workloads, with enterprise edge cases including environments such as remote office/branch office, hospitality, logistics operations and retail outlets.

Take me to the edge

These are some of the considerations that Dell Technologies tackles with the latest additions to its Dell EMC PowerEdge server portfolio, designed for small and medium-sized businesses as well as enterprise customers.

These include four entry-level models, and one mid-range to high performance model: the PowerEdge T550 tower server; PowerEdge R250 rack server and PowerEdge R350 rack server; and the PowerEdge T150 tower server and PowerEdge T350 tower server.

The systems are designed as flexible and reliable building blocks for business-critical workloads, cloud infrastructure, and point of sale transactions. According to the firm, the new models incorporate a cyber-resilient architecture, starting at the hardware level with the silicon design and permeating the system’s entire lifecycle, from manufacturing through the supply chain, right through to retirement of the hardware.

Perhaps the most notable new model is the PowerEdge T550, a flexible two-socket tower chassis server that, Dell Technologies says, balances expandability and performance. This system is based on the latest 3rd Gen Intel® Xeon® scalable processors, enabling it to run complex workloads using highly scalable memory, I/O and network options.

With support for up to 16 DDR4 DIMMs and up to 24 drives, the PowerEdge T550 is a substantial general-purpose platform capable of handling demanding workloads and applications, such as data warehousing, ecommerce, databases, and high-performance computing (HPC).

According to Dell Technologies, the PowerEdge T550 supports advanced technologies for enterprise-class workloads such as virtualization, medical imaging, data analytics, and software-defined storage. With 3rd Gen Intel® Xeon® scalable processors, the PowerEdge T550 can also be used for applications requiring AI acceleration thanks to Intel's Deep Learning Boost technology.

Root of Trust

To ensure the security of edge deployments, Dell Technologies employs a multi-layered approach which starts at the hardware with an immutable Root of Trust. In PowerEdge servers, the Root of Trust is based on read-only public keys that at startup attest to the integrity of the system BIOS and the firmware for the Integrated Dell Remote Access Controller (iDRAC).

This enables an end-to-end verified boot, which means that at each stage of the boot cycle, each piece of code is verified by cryptographic signature. If some code fails the verification process, Dell provides the ability to revert to a known good image.

Protecting data is vital for any enterprise, and this goes doubly so in a perhaps vulnerable edge deployment. For this reason, Dell Technologies supports self-encrypting drives (SEDs) in its new PowerEdge servers, with the keys for accessing the drives stored in the PowerEdge Raid Controller (PERC). If a drive is stolen, the data is inaccessible without the key stored in the PERC.

Dell Technologies also provides for a higher-level security management of the keys necessary for accessing the encrypted drives. Secure Enterprise Key Manager (SEKM) implements key management server (KMS) to store keys centrally. It distributes these to the PERC through the iDRAC in each server to unlock access to the server’s storage devices at boot time. This arrangement ensures that even if an entire server is removed from an edge data center or enclosure, the data stored on it remains encrypted and inaccessible without access to the central KMS keys.

The latest PowerEdge systems protect against malicious code that attempts to target the memory space of running applications, courtesy of Software Guard Extensions (SGX) found in newer Intel Xeon processors. This capability enables secure enclaves to be created in memory for sensitive processes, which only that process can access. The 3rd Gen Intel® Xeon® scalable processors in the PowerEdge T550 is Intel’s first mainstream two-socket processor to feature SGX across all SKUs.

Supply chain assurance

As recent supply chain attacks have shown, it is possible to compromise a system at any point in the chain. For example, a server could be infected with malware for later exploitation before it even reaches the customer. To tackle this issue, Dell has introduced Secured Component Verification (SCV), a supply chain assurance scheme to verify that the system that arrives at the customer site is the same as was built in the factory.

This is achieved by generating a certificate from the unique component IDs during the factory assembly process, which is signed in the Dell factory and stored in the server’s iDRAC. The customer can use SCV to validate the system inventory against the SCV certificate, as any swapping or removal of the components from which the certificate was generated at the factory would be identified as a mismatch.

Secure lifecycle

The cyber-resilient architecture of Dell EMC PowerEdge systems supports a secure server lifecycle. This begins with secure provisioning and ensuring that any images loaded on to the server are secure, signed and verified.

In some PowerEdge models, Dell supports live scanning of the system BIOS, which makes it possible to verify the integrity and authenticity of the BIOS image in the primary ROM not just at boot up but also whilst the host is powered on and running. This scan is scheduled through the iDRAC.

The latest generation of PowerEdge servers can also securely control a server’s configuration after it is provisioned. System Lockdown mode prevents users without system privileges from making changes to the configuration or firmware so protecting the system from unintentional or malicious changes.

Security is not something that should be tacked on to servers on an as-you-go basis

Dell Technologies has supported digital signatures on firmware updates for several generations of PowerEdge servers. This feature assures that only authentic firmware is running on the server platform. Dell digitally signs all firmware packages, and the iDRAC scans and compares their signatures with what is expected using the silicon-based Root of Trust. Any firmware package that fails validation is aborted and an error message is logged.

At the end of the system life cycle, Dell’s PowerEdge portfolio includes Secure Erase to remove sensitive data and settings. Customers can wipe storage devices and non-volatile stores such as caches and logs in systems, so that no information is unintentionally exposed after disposal.

The ability to remotely manage systems without an engineer having to physically attend the site is a prerequisite for edge deployments. This is a core capability of the Dell EMC OpenManage Enterprise management platform, which allows IT staff to discover, deploy, update and monitor PowerEdge servers.

For example, OpenManage Enterprise working with iDRAC enables an organization to detect any “drift” from a user-defined configuration template, and fix the issue.

To conclude, security is not something that should be tacked on to servers on an as-you-go basis. It must be built into server hardware from the outset. This is just as important for edge deployments as the data center. With a secure server infrastructure in place, IT teams can spend less time reacting to security issues, thereby improving their productivity.

Dell’s latest PowerEdge server systems show the way with security embedded in the hardware and a secure lifecycle that extends from the factory right through to retirement of the hardware by the customer, to ensure that systems and the data they contain stay as secure as possible.

Sponsored by Dell.

Biting the hand that feeds IT © 1998–2022