Lenovo Focusing On Server Security, Just Talks Less About It

By Patrick Moorhead - February 13, 2018
Lenovo’s multi-layer security system architecture

Many datacenter vendors are ramping up their security efforts in response to the increased threat from hackers who are better organized and motivated to go after the datacenter server. Moor Insights & Strategy analysts and I have researched and written a lot about datacenter security lately, focusing on server and networking. Lenovo has been a bit reserved in communicating its security strategy, primarily because it believes talking about security puts a target on the company's and its customers' backs. I understand this. With all of the competitive pressure that is building up between Cisco Systems, Dell EMC, Hewlett Packard Enterprise and Lenovo, and with some even questioning Lenovo’s server security, the company has decided to open up. It is an interesting story that I would like to discuss here.

A threat surface in flux
The common backstory to all the recent datacenter security discussion is that cyber threats are evolving and becoming more sophisticated with every passing year. The 2017 Annual Cisco Systems Cybersecurity Report (which I recapped here) cited the server as the fastest growing target for cybercrime, with vulnerabilities rising 34% from the previous year. While traditional threats focused on the application level—disabling security products, stealing data, and controlling applications—cybercriminals have been moving deeper down the stack in recent years, compromising the operating system and virtual machines. The stealthiest threats that have emerged recently attack organizations at the hardware/firmware level, by embedding below the Operating System/Virtual Machine, evading detection, and potentially misdirecting higher layers. This is very sneaky stuff—these attackers are capable of lying dormant for extended periods of time. Lenovo’s answer is similar to what we hear from other datacenter companies—platform security must also evolve to keep up with the changing threats, and needs to be cooked into products from the ground up. I have previously written on the need for enhanced security on the hardware level if you are interested in reading more.
The security of customers’ data is, of course, the most important issue. Additionally, though, these breaches are very costly to businesses—according to a 2017 ITIC Reliability Study cited by Lenovo, 98% of businesses lose at least $150,000 every hour that a commercial site is down (be it for a data breach, or other reason). For that matter, 31% of those surveyed said their hourly costs are in the $400,000 range, and 33% claim their business’s hourly downtime costs somewhere in the $1M to $5M ballpark. This, of course, is in addition to the collateral damage done to the company’s brand by a public, large-scale breach. These attacks are bad news no matter which way you look at it.
Lenovo’s bottoms-up security strategy
Lenovo’s strategy starts with the premise that top-down security just isn’t getting the job done anymore. Antivirus and antimalware approaches only protect organizations at the OS and app level and must be paired with a bottoms-up strategy of building security in at the hardware level, where currently the most dangerous security holes reside.

Industry-standard security compliance
A big part of Lenovo’s strategy is its compliance with a wealth of industry standards. As there is no security “benchmark” to run and compare, compliance with key industry security standards is important. It is black or white: you pass, or you fail. Lenovo says ThinkSystem is compliant with NIST (National Institute of Standards and Technology) SP800-131a (cryptographic algorithms and key lengths), NIST SP800-147b (BIOS protection guidelines), Trusted Computing Group (TCG), and PCI-DSS (credit/debit card data security standards). Lenovo says compliance with these standards is baked into the very design of ThinkSystem Servers.

Protecting systems management
Lenovo ThinkSystem servers also address vulnerabilities in the systems management subsystem—an area many vendors ignore, particularly some ODMs, due to the current lack of any well-defined industry standards. Literally, vulnerabilities come through the systems management controller chip. ThinkSystem offers several protections: host integrity by using a TPM 2.0 (versus older TPM 1.2) chip, centralized user ID and password control, intra- and extra-chassis communication links for use with blades, secure scripting and command line interface (CLI) application interfaces, and managed (not ad-hoc) security object provisioning.

Boot protection
Another area of vulnerability Lenovo is attempting to shore up is boot firmware. With subcomponents being manufactured all over the globe, it is currently very hard to monitor and enforce security in this area. If a bad actor manages to corrupt a Core Root of Trust for Measurement (CRTM), they can then implant viruses and malware deep within the system’s subcomponents. With ThinkSystem, Lenovo addresses this with UEFI (Unified Extensible Firmware Interface) firmware rollback protection (which prevents rollback to previous, possibly more vulnerable versions of firmware without secure authorization), UEFI code updates (which add additional functionality and ensure known code problems are fixed), and measures to prevent UEFI attacks via BMC. Firmware is certainly a growing target for cybercriminals--I wrote an article last year on the rise of Denial of Service (DoS) attacks based on firmware exploits. It is good to see Lenovo doing its due diligence in this area.

Disposing of old drives
Every storage drive has a lifecycle—another critical security issue is figuring out how to securely retire and dispose of old drives without compromising sensitive data. Simply encrypting the data has its drawbacks; it can slow down performance and is still vulnerable to OS and firmware attacks. Lenovo contends that the only way to really make sure data remains safe (without affecting performance) is to “provide encryption at the hardware level,” with self-encrypting drives—SEDs for short. Makes sense to me. Lenovo also offers Secure Key Lifecycle Manager (SKLM) software, which, when combined with SEDs, provides some powerful security features to give ThinkSystem Servers centralized authorization key storage, automated management of encryption keys, integration and interoperability across various solutions (ThinkSystem-based and otherwise), and impressive scalability for larger environments.

Securing the supply chain
The last part of Lenovo’s equation is ensuring that its supply chain is secure. Lenovo says it works closely with its suppliers to make sure that they are all following industry-standard security practices, including performing audits to make sure everybody is playing by the rules. Lenovo says this process has resulted in multiple suppliers actually being removed from Lenovo’s roster. Lenovo also claims that all third-party source code is closely inspected for quality control, all code changes are tracked/audited, and all source code is housed on U.S.-based code retention servers. IDC recently published a Lenovo-specific paper on Lenovo’s supply chain.

Additional security elements
One differentiator in Lenovo’s strategy is its Product Security Incident Response team—a task force created to respond to vulnerabilities reported or found in products. The team has several responsibilities, including publishing product security advisories for Lenovo’s customers, coordinating with internal business units to streamline communication, negotiating disclosure timelines with coordination centers and researchers, and interfacing with external PSIRTs to establish best practices. I think it is great that Lenovo has an entire team dedicated to security response. Another thing that is worth noting is that Lenovo’s DCG product security leadership team is located in Morrisville, North Carolina, USA—not China. While competitors often cast doubts about Lenovo’s security, centered around the misconception that it is a communist, Chinese-owned company, Lenovo maintains that it is, in fact, a multinational, 100% publicly traded corporation. Keeping the product security team in the U.S. is a good way to assuage any doubts that Lenovo is exploiting loopholes and dodging responsibility.
Wrapping up
I am happy to see that Lenovo is finally opening up a bit about its security strategy and implementations—keeping mum only makes people suspicious. All in all, Lenovo appears to have a solid strategy well-adapted to the current, evolving threat landscape. The company understands that datacenter security has to start at the hardware/firmware level, and the ThinkSystem portfolio accordingly sports an impressive trove of Lenovo-unique security features and compliance with a wide swath of industry standards. The company is clearly doing some things well—the 2017 ITIC survey referenced earlier ranked Lenovo as #1 in reliability/uptime in the x86 market, with Lenovo finishing in either first or second in all reliability categories—security included. Security is, of course, a constantly moving target, new threats are guaranteed to emerge, and all vendors need to be constantly monitored and held accountable. That being said, I am happy with what I see in Lenovo’s current approach—I’ll continue to watch with interest.
Patrick Moorhead

Patrick founded the firm based on his real-world technology experiences with the understanding of what he wasn’t getting from analysts and consultants. Ten years later, Patrick is ranked #1 among technology industry analysts in terms of “power” (ARInsights) in “press citations” (Apollo Research). Moorhead is a contributor at Forbes and frequently appears on CNBC. He is a broad-based analyst covering a wide variety of topics including the cloud, enterprise SaaS, collaboration, client computing, and semiconductors. He has 30 years of experience including 15 years of executive experience at high tech companies (NCR, AT&T, Compaq, now HP, and AMD) leading strategy, product management, product marketing, and corporate marketing, including three industry board appointments.