Originally written by Richard Westlund
Ongoing commitment to world-class supply chain security measures that cover design and development as well as suppliers, manufacturing sites, and logistics is more important than ever. This holistic approach involves multiple layers of controls to mitigate threats that could be introduced into the supply chain.
Today, Dell’s desktops, laptops, tablets, servers and data storage arrays are conceived, designed, prototyped, implemented, set into production, deployed, maintained and validated with supply chain security as a top priority, as outlined in a recent white paper, “A Partnership of Trust: Dell Supply Chain Security.”
This “defense in depth and breadth” provide members of Dell Technologies Unified Workspace Community (DTUWC) with assurance that new devices can be trusted to arrive without malicious tampering, malware or counterfeit components. Here is a step-by-stop look at Dell’s supply chain security strategy.
Manufacturing
Whether managed by Dell, Original Design Manufacturers (ODM) or contract manufacturers, all PC factories are required to meet the Transported Asset Protection Association’s (TAPA) facility security requirements and comply with Dell Supplier Security Standards. The Dell standards cover:
• Sourcing Security – for the management of component sourcing, inventory controls, software/firmware security, and counterfeit mitigation .
• Cybersecurity – with requirements for suppliers’ digital infrastructure from network security, encryption, patch and vulnerability to incident management and reporting.
• Physical Security – for the protection of physical assets, both in transit and at the manufacturing facility, by means of access controls, documentation, and other related procedures.
• Personnel Security – including a pre-employment suitability screening process as well as ongoing security awareness and compliance training.
• Information Security – as data transfers between Dell and its partners use a combination of encryption methods and private communication channels.
• Security Management Systems – including maintaining proper certifications, hiring practices, and security.
In addition, Dell ensures that all the parts, components, and raw materials are new and authentic. Parts are procured directly from Original Component Manufacturers or an authorized reseller on the approved vendor list. Also, Dell sites implement specific motherboard and SMT assembly controls, including inspection and verification processes.
Design and Development
Dell’s Secure Development Lifecycle (SDL) guides product teams while developing new features and functions. These processes include threat modeling, static code analysis, scanning and security testing. The goal is to mitigate common design weaknesses in software and web applications.
To prevent the insertion of unauthorized code or data modifications. Dell engineers add a cryptographic digital signature to software, application, and firmware to enable confirmation of authenticity and integrity – a process known as code signing.
Toward the end of the design stage, Dell conducts risk assessments using special tools to scan for known security vulnerabilities. In some cases, a team of expert hackers is undertakes penetration testing to identify potential vulnerabilities before release.
Chassis Intrusion – If the chassis on a Dell PowerEdge product is opened, an entry is registered with the Integrated Dell Remote Access Controller (iDRAC) on the motherboard. This makes it possible to track the source, even if the device is turned off. Many other Dell commercial client devices include a chassis intrusion capability that can be monitored via management tools, including Microsoft SCCM and Dell Command Suite.
Delivery
Once a Dell product is finished, shipped directly from the factory or a fulfillment hub. Throughout the world, Dell works with trusted air, land, and sea logistics providers who are required to conform with TAPA freight security requirements or similar regional guidelines. Those protections include tamper-evident packaging, security reviews of shipping lanes, and container integrity requirements. GPS tracking devices may also be placed on any container and monitored until confirmation of delivery. Dell has also established risk management command-and-control centers staffed 24/7 with experts who can draw on the latest information about transport hotspots and track shipments using various monitoring technologies to ensure products reach their destination without disruption. These specialists monitor various sensors on truck and cargo assets for real-time information regarding potential issues.
A Partnership of Trust
Dell’s supply chain security policies and practices are designed to create a partnership of trust with users around the world. In an ever-changing threat landscape, DTUWC members can be assured that their devices are secure from malicious modifications and operate as intended thanks to Dell’s global commitment to supply chain integrity.
Want to know more? See the referenced Dell supply chain security document here, or start a conversation with your community below!