The latest security measures that will keep your data safe

Thorsten Stremlau

Thursday 15 September 2016

Thorsten Stremlau, Lenovo’s WW Principal IT Architect, on the features that turn your notebook into a digital Fort Knox.

Lenovo is seen as a Chinese company, which some people think compromises our security. That couldn’t be further from the truth. Firstly, we’re a very international company. Our headquarters are split between North Carolina and Beijing, and we have seven research facilities around the world, most of which are outside China. We’re also 100 per cent publicly traded on the Hong Kong Stock Exchange. Our IBM heritage continues to influence the Lenovo culture. And no more so than when it comes to security.

Refocusing our security

The last couple of years have seen a complete end-to-end reworking of our security focus.

We created a Product Security Office (PSO), which ensures each process within Lenovo is completely secure, whether it’s the software development process, the hardware process, or anything in between.

We became a member of the Forum of Incident Response and Security Teams (FIRST). This gives guidance on how to handle security exposures in terms of communication and transparency. So now we follow an industry-recognised process in our approach to security.

We also installed a chief information and security officer who was formerly the CIO for the Department of Justice in the US. It’s a big responsibility, so we wanted the absolute best person for the job. Those are the new processes we implemented. But what about new strategies?

Secure strategies

Lenovo created a security committee – which I’m part of – that does a complete security review of all of our products.

We now have a Product Security Incident Response Team, which is something completely new in the PC industry. It’s completely transparent about any security incidents identified either by Lenovo, the industry, governments or customers. We publish online all incidences – both hardware and software – and communicate any risks and a remediation plan. We get a lot of flak for it because we’re so open. Our competitors are a bit quieter, which can lead some of our customers to think it’s only us who are affected by these incidences. In fact, they usually affect all manufacturers.

There’s also the Lenovo BIOS reading room programme. This involves customers coming into our labs and checking the BIOS source code for any back doors or possible compromises.

We build and maintain the code for our firmware development process on our own servers, and the release firmware is always digitally signed. There are extremely strict protocols dictating who has access to the signing servers.

We also offer a tool that lets you validate the BIOS of anything you’ve downloaded from us against our webpage. That way, you can ensure that what you’re about to install hasn’t been modified or infected in any way.

Making the products more secure

And the products themselves? Glad you asked! Every component that can be labelled has a tamper-evident label, so you can see they’re genuine Lenovo parts and not fakes. We do a complete validation of all of the BIOS components in our machines, and our components are certified by international security standards.

All current and future Lenovo ThinkPads will integrate Intel BIOS Boot Guard – this is a way of securing the BIOS firmware update. A Trusted Platform Module (TPM) on all machines lets you encrypt your data locally. Plus we support a whole range of technologies around full disc encryption.

We’ve also accounted for possible thefts. Even if a thief wipes the hard disc drive, it will still send back information about where it is and who’s using it. Of course, you can perform a remote secure erase of your machine, too.

Our machines don’t come with any bloatware. Instead, we use a clean Windows 10 image, meaning less clutter, fewer vulnerabilities and a streamlined user experience.

Thanks to Intel Authenticate, authentication is integrated into the hardware rather than the software, which adds another layer of security. We strongly support NFC smart card readers and our ThinkPads use a new fingerprint reader – both of these measures are more secure. In fact, these measures formed a part of one of my previous columns: Why the password’s days are numbered.

We can block certain USB devices, so even if someone bypassed the software security, they can’t steal data using a USB key. A properly configured ThinkPad would’ve stopped Edward Snowden, for example.

Finally, our documented asset recovery service wipes the data from a device three times in accordance with the Department of Defence process.


Obviously this all means nothing if our suppliers’ security is lax. That’s why we introduced a 250-question questionnaire for them that’s focused on security. This lets us vet them, then we only work with suppliers we deem to be trusted.

All our service providers must sign a legal agreement that binds them to all privacy laws in the countries in which they deliver the service, and another saying they must take steps to not ship products with vulnerabilities. They must also notify us if any government entities ask them to disclose any pertinent information.

We’re taking security to the absolute next level. We don’t have any choice – our customers and partners rely on it.




Building the next-gen data centre

Where traditional and web-scale apps co-exist