How to make data breaches yesterday’s problem

Tikiri Wanduragala

Friday 1 April 2016

Tikiri Wanduragala, Lenovo’s EMEA x86 Server Systems Snr. Consultant, writes for Think Progress on the subject of security, and tells us what Lenovo is doing to help its customers stay safe.

I’ve been in this industry for a while now, and I have seen many ‘priorities’ come and go. Some faded away; some just sort of hung around for a while in a niche capacity; while others were slow-burners that grew to become all-important. Security fits into that last category: I remember a time when it wasn’t given that much thought, but it’s now at the top of everyone’s agenda.

What we have been seeing more recently is that, as security-related stories hit the press, customers are becoming more aware of the threats. It reminds me a lot of the green movement; when we started talking about it in IT circles, in about 2006, we got accused of being tree-huggers! But then things changed, and suddenly everyone was interested. It’s the same with security. It’s always been there but it’s the level of awareness that’s risen.

Security on the agenda

With news about hacking and so on, security is probably the number one issue right now, and it’s an issue that now goes way beyond the CIO – it’s up to the CEO, shareholders and the board. That’s because of the potential consequences if something goes wrong. You just have to look at some of the big hacking cases over the last few years to see the impact on businesses, and the fact that CEOs of these companies now appear on BBC News!

And the consequences are severe. The Ponemon Institute’s 2015 Cost of a Data Breach Study found that the average total cost of a data breach now stands at $3.8 million (€3.45 million), while lost or stolen records containing sensitive and confidential information were being sold for an average of $154 (€140).

On top of that there are regulatory issues to think about, not to mention the damage to a company’s reputation. How many people have taken their business elsewhere following a big security incident at a retailer, for example? That’s what’s led to a change in customer thinking about security.

For a while, there was a usability penalty with security, of course – encrypting things takes a while, users have to remember strong passwords and so on. Today, the consequences are so huge that it has to be top of the agenda, it has to be in the planning right from the start. Sometimes startups, in particular, are so focused on growth and scaling and being responsive to customers, that security becomes an afterthought. But all companies really have to plan for the worst case scenario.

Securing the code

From an infrastructure point of view, security is a multi-layered thing. It cannot be done by one single piece of technology. To that end, Lenovo’s range of X servers come with something called a Trusted Program Module (TPM). These basically perform a check on the microcode that is executing on the server; they are actually embedded onto the motherboard. A lot of other companies do have TPMs, but only as an option, which I believe negates the whole point of it.

What this means is that every piece of code, when the microcode is updated, is checked to make sure it is the right piece of code running on the right machine. All in real-time, by the way.

A TPM can work as an identifier, as well. In the virtual world, you have to be sure that the code you run on is running on the machine you think it’s running on. That’s important because there’s a lot of stuff moving around between machines, and so you need to be sure that you’re running on the hardware you think you’re running on, as opposed to someone else’s!

TPMs play an important role because some of the backdoor entries into retail systems – that we’ve all been reading about in the news – have happened via the microcode; the microcode is trusted, so if the bad guys can get in there, they’re in as trusted users… and at that point it’s game over.

Encrypted drives

The other step we’ve taken to help protect our customers is to offer encrypted drives. It may seem like a small thing, but it’s an important part of the overall security infrastructure.

On systems which customers feel might be compromised, these sorts of technologies are becoming a requirement. If you have an encrypted drive, you’re that little bit more secure. It’s very difficult to crack.

For true data centre security you need layers, starting with procedures, processors, workers, subcontractors and so on. Then you have the software – endpoint protection, firewalls and so on. You have to make sure that right at the heart, where the actual data is flowing, there is strong protection. And that’s where we feel we have an advantage.