Inside Dell Technologies’ zero-trust approach

Dell Technologies’ zero-trust reference model starts with defining business controls and having a central control plane that manages all the security aspects of an organisation’s infrastructure

Dell Technologies is doubling down on zero-trust security with a reference model that is touted to help enterprises implement the security model effectively.

Speaking at a virtual briefing with Asia-Pacific media, Dell’s global chief technology officer John Roese said the model is part of the company’s approach towards a modern security strategy, starting with having a foundation of trust.

“Every IT outcome is based on consuming technology from someone. It turns out that knowing who that someone is, how they built that product, how it got to you and whether it was compromised, is extremely important,” he said.

To that end, Roese noted Dell’s investment in building one of the world’s largest and most robust supply chains, along with products that embed deep levels of security. Hardware roots of trust and attestation, as well as failsafe mechanisms, are also part of the company’s product development efforts, he added.

The second aspect of Dell’s approach is the zero-trust architecture itself, which will enable organisations to guard against threat actors more effectively than traditional perimeter and product-led security approaches, Roese said.

“And so, we are investing heavily across the entire portfolio in our services offerings and in our ecosystem with one view, that is, to accelerate and simplify the adoption of zero trust by enterprises,” he added.

The third and last aspect is cyber recovery, which is “based on the truth that there is no such thing as absolute security”, Roese said.

Noting that there are no security technologies or architectures that don’t fail and that there’s always room for human error and misconfigurations, Roese said organisations must have an answer when things go south.

“We are now in an era where it is incredibly important to have in every IT architecture a cyber recovery capability because of the significant risk that you could be breached and having that kind of capability allows you to survive and recover from it,” he said.

Paradigm shifts with zero trust

Although zero trust is not new, Roese said the concept is confusing and misunderstood, and he set out to simplify how it works from a technical perspective by describing three paradigm shifts.

The first is that in a zero trust architecture, continuous authentication of devices, people, applications and even data, which used to be optional, is now mandatory.

“That is a big shift, but if you go from an environment where unknown entities could be on your infrastructure, to a zero-trust environment that just simply doesn't allow that, your security posture improves dramatically,” Roese said.

The second paradigm shift is with respect to policy, with security architectures today primarily focused on policy controls that prevent known bad behaviour.

“In the security world, there are only three things that exist – the known good, the known bad, and the unknown,” Roese said. “And today’s architectures attempt to apply policy and controls to prevent known bad behaviour and then to discover in the unknown what could be known bad and stop it.

“The problem with that approach is it is always reactive. It cannot deal with a zero-day event. It is slow to respond. And so, the second shift with zero trust is to change policy rules from preventing known bad to defining known good behaviour and preventing everything else.”

That is easier said than done, however, as most organisations do not understand how their own applications and systems behave well enough to enumerate what “known good” is. In a zero-trust architecture, Roese said, advanced machine intelligence that automates security processes can help to define that known good behaviour.

The third paradigm shift deals with threat response and management. Today, many threat detection and management systems sit outside the infrastructure, watching it from the outside through telemetry.

“It is extremely hard to do that, and it requires enormous amounts of data and analytics, but in zero trust, because the only things that are allowed to be on the infrastructure are known authenticated entities and you have well-defined policy that defines known good behaviour, your threat management can be deeply embedded, because all it’s looking for is an unauthorised entity,” Roese said.

Dell’s zero-trust reference model

There are three components in Dell’s zero trust reference model. The first element is that zero trust should be defined and driven by business controls, or business rules about what systems should do.

“Examples would be, I want all data in Europe to be pushed to a European datacentre only or I would like only engineers to access my labs,” Roese said. “They have nothing to do with technology, but in zero trust, it is critical that you define them.”

The next element is to convert business controls to technology and action, which can be done via a control plane that consists of identity management, policy management and threat management tools.

Roese said those tools already exist today but in zero trust, they exist together in a common control plane. “The control plane, if done properly, is the same control plane for a public cloud or a private cloud or edge cloud or anything in your environment.

“Devices are all subordinate and controlled by that common control plane and because identity, policy and threat management are now centrally controlled, the definition of an authenticated user whether he’s in a public cloud or private environment is the same.

“The policy rules can be implemented consistently whether you’re coming in through remote access or directly attached to a lab network, and your ability to see the behaviour of your enterprise because threat management has aggregated also becomes significantly better,” he added.
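The second paradigm shift (define known good, deny everything else) and the first two elements of the reference model (business controls converted into rules on a common control plane) can be made concrete in code. The following is an added example written for this page, not Dell’s reference architecture, product or code: it encodes the two business controls Roese quotes as known-good rules in a default-deny engine, puts a traditional deny-list engine beside it, and runs both over the same constructed requests. The principal and request attributes, the `entry_point` field, the region values and the sample requests are all assumptions made for the illustration.

```python
"""Added example for this page: a default-deny ("known good") policy engine
beside a deny-list ("known bad") engine, run over the same constructed requests.
Illustrative code written for this article, not Dell's reference architecture,
product or API; every entity, attribute and request below is made up."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool   # outcome of the (continuous) authentication check
    roles: frozenset

@dataclass(frozen=True)
class Request:
    principal: Principal
    action: str           # "access" or "replicate"
    resource: str         # "lab-network" or "customer-data"
    entry_point: str      # "remote-access" or "lab-lan" (assumed attribute)
    source_region: Optional[str] = None   # where the data currently lives
    target_region: Optional[str] = None   # where a replicate would send it

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

Rule = Callable[[Request], bool]

# Known-good rules: each encodes one business control quoted in the article.
def engineers_may_access_labs(r: Request) -> bool:
    """'I would like only engineers to access my labs.'"""
    return r.resource == "lab-network" and r.action == "access" and "engineer" in r.principal.roles

def eu_data_replicates_only_within_eu(r: Request) -> bool:
    """'All data in Europe to be pushed to a European datacentre only.'"""
    return (r.resource == "customer-data" and r.action == "replicate"
            and r.source_region == "EU" and r.target_region == "EU")

KNOWN_GOOD: list = [engineers_may_access_labs, eu_data_replicates_only_within_eu]

def zero_trust_decision(r: Request, rules: list = KNOWN_GOOD) -> Decision:
    """Default deny: refuse unauthenticated entities outright and allow an
    authenticated one only when a known-good rule matches. The entry point is
    never consulted, so remote-access and lab-LAN requests get the same answer."""
    if not r.principal.authenticated:
        return Decision(False, "unauthenticated entity")
    for rule in rules:
        if rule(r):
            return Decision(True, f"matched known-good rule {rule.__name__}")
    return Decision(False, "no known-good rule matched")

# Known-bad rule: the traditional deny-list, kept for contrast.
def eu_to_us_replication(r: Request) -> bool:
    """A previously seen bad pattern: EU data copied to a US datacentre."""
    return r.action == "replicate" and r.source_region == "EU" and r.target_region == "US"

KNOWN_BAD: list = [eu_to_us_replication]

def deny_list_decision(r: Request, rules: list = KNOWN_BAD) -> Decision:
    """Default allow: block only what a known-bad rule recognises; anything
    unknown passes, which is the gap the second paradigm shift closes."""
    for rule in rules:
        if rule(r):
            return Decision(False, f"matched known-bad rule {rule.__name__}")
    return Decision(True, "no known-bad rule matched")

# Constructed sample principals and requests (not real users or data).
alice = Principal("alice", authenticated=True, roles=frozenset({"engineer"}))
bob = Principal("bob", authenticated=True, roles=frozenset({"finance"}))
ghost = Principal("ghost", authenticated=False, roles=frozenset())

SAMPLE_REQUESTS = {
    "engineer_lab_remote": Request(alice, "access", "lab-network", "remote-access"),
    "engineer_lab_lan": Request(alice, "access", "lab-network", "lab-lan"),
    "finance_lab": Request(bob, "access", "lab-network", "lab-lan"),
    "unauthenticated_lab": Request(ghost, "access", "lab-network", "lab-lan"),
    "eu_to_eu": Request(alice, "replicate", "customer-data", "remote-access", "EU", "EU"),
    "eu_to_us": Request(alice, "replicate", "customer-data", "remote-access", "EU", "US"),
    # No deny rule exists for this variant: the "zero-day" of data residency.
    "eu_to_apac": Request(alice, "replicate", "customer-data", "remote-access", "EU", "APAC"),
}

def compare(requests: dict = SAMPLE_REQUESTS) -> dict:
    """Return {name: (zero_trust_allowed, deny_list_allowed)} for each request."""
    return {name: (zero_trust_decision(r).allowed, deny_list_decision(r).allowed)
            for name, r in requests.items()}

if __name__ == "__main__":
    for name, (zt, dl) in compare().items():
        zt_label = "ALLOW" if zt else "DENY"
        dl_label = "ALLOW" if dl else "DENY"
        print(f"{name:22s} zero-trust={zt_label:5s} deny-list={dl_label}")
```

Running the script prints one line per request. The rows worth looking at are `finance_lab`, `unauthenticated_lab` and `eu_to_apac`: the deny-list engine allows all three because nobody wrote a rule for them, while the default-deny engine refuses them without needing a rule specific to the case. The `engineer_lab_remote` and `engineer_lab_lan` rows get identical decisions because the rules never consult the entry point, which is what a single control plane spanning remote access and the lab network buys you. The `"unauthenticated entity"` reason is also the kind of signal the third paradigm shift describes: threat management embedded in the policy path only has to notice an entity that should not be there.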

To ease zero trust adoption, Dell will be establishing a zero-trust centre of excellence in the spring of 2023 at DreamPort, the US government’s premier cyber security innovation facility.

Located in Columbia, Maryland, the centre will focus on providing global commercial enterprises and government customers a place to validate their zero-trust workloads and applications.

Roese said the architecture that Dell will be using for the centre was developed with the US Department of Defense and the US government, which is one of the leading implementers of zero trust architectures.

“The net result is that we will now have a capability to essentially pre-integrate and predefine much of the reference architecture customers need to make zero trust real,” he added.
