Dell Technologies is doubling down on Zero Trust security with a reference model that is touted to help businesses implement the security model effectively.
Speaking at a virtual briefing with Asia-Pacific media, Dell’s global chief technology officer John Roese said the model is part of the company’s approach to a modern security strategy, starting with having a foundation of trust.
“Every IT outcome is based on consuming someone’s technology. It turns out that knowing who that person is, how they built that product, how it got to you, and whether it was compromised, is extremely important,” he said.
To that end, Roese highlighted Dell’s investment in building one of the world’s largest and strongest supply chains, along with products that incorporate deep levels of security. Roots of trust and hardware certification, as well as fail-safe mechanisms, are also part of the company’s product development efforts, he added.
The second aspect of Dell’s approach is the zero-trust architecture itself, which will enable organizations to protect against threat actors more effectively than traditional product-driven and perimeter security approaches, Roese said.
“So we are investing heavily across the portfolio in our service offerings and in our ecosystem with a vision, namely to accelerate and simplify the adoption of zero trust by enterprises,” he added.
The third and final aspect is cyber recovery, which “is based on the truth that there is no such thing as absolute security,” Roese said.
Noting that there are no security technologies or architectures that won’t fail and that there is always room for human error and misconfiguration, Roese said organizations must have a response when things go wrong.
“We are now in an era where it is incredibly important to have cyber resiliency in every IT architecture because of the significant risk that it could be breached and having that kind of capability allows you to survive and recover,” he said.
Paradigm shifts with zero trust
Although zero trust is not new, Roese said the concept is confusing and misunderstood, and called for simplifying how zero trust works from a technical perspective through three paradigm shifts.
The first is that in a zero-trust architecture, continuous authentication of devices, people, apps, and even data, once optional, is now mandatory.
“That’s a big change, but if you go from an environment where unknown entities could be on your infrastructure, to a zero-trust environment that just doesn’t allow that, your security posture improves dramatically,” Roese said.
The second paradigm shift is with respect to policy, as current security architectures focus primarily on policy controls that prevent known bad behavior.
“In the world of security, there are only three things: the known good, the known bad, and the unknown,” said Roese. “And current architectures try to apply policies and controls to prevent known bad behavior and then figure out in the unknown what might be known bad behavior and stop it.
“The problem with that approach is that it is always reactive. You can’t deal with a zero-day event. It is slow to respond. And so the second change with zero trust is to change the roles of policy from preventing known evil to defining known good behavior and preventing everything else.”
However, this is easier said than done, as most organizations do not understand how their applications and systems work. But in a zero-trust architecture, Roese said, using advanced artificial intelligence to automate security processes can help define known good behavior.
The third paradigm shift deals with threat response and management. Today, many threat detection and management systems sit outside the infrastructure, keeping an eye on things from the outside through telemetry.
“It’s extremely difficult to do that, and it requires huge amounts of data and analytics, but with zero trust, because the only things that can be in the infrastructure are known authenticated entities and you have a well-defined policy that defines good behavior, your threat management can be deeply rooted, because all it’s looking for is an unauthorized entity,” Roese said.
Dell Zero Trust Reference Model
There are three components to Dell’s Zero Trust Reference Model. The first element is that zero trust must be defined and driven by business controls or business rules on what systems must do.
“Examples would be, I want all data in Europe to be sent to only one European data center or I would like only engineers to access my labs,” Roese said. “They have nothing to do with technology, but in zero trust, it’s critical that you define them.”
The next element is turning business controls into technology and action, which can be done through a control plane consisting of identity management, policy management, and threat management tools.
Roese said those tools already exist today, but in zero trust, they exist together on a common control plane. “The control plane, if done right, is the same control plane for a public cloud or a private cloud or an edge cloud or anything in your environment.
“All devices are subservient to and controlled by that common control plane, and because identity, policy, and threat management are now centrally controlled, the definition of an authenticated user, whether it’s in a public cloud or a private environment, is the same.
“Policy roles can be implemented consistently whether you access via remote access or directly connected to a lab network, and your ability to see the behavior of your business because threat management has been added is also enhanced. It comes back significantly better,” he added.
To facilitate the adoption of zero trust, Dell will establish a zero trust center of excellence in spring 2023 at DreamPort, the US government’s premier cybersecurity innovation facility.
Located in Columbia, Maryland, the center will focus on providing global business and government customers with a place to validate their zero-trust applications and workloads.
Roese said the architecture Dell will use for the center was developed with the US Department of Defense and the US government, which is one of the leading implementers of zero-trust architectures.
“The net result is that we will now have the ability to essentially pre-integrate and pre-define much of the reference architecture that customers need to make zero trust a reality,” he added.