Dell’s conversation with customers is changing. With a nod to the company’s continued strength in PC, server and data centre markets, in his address to a capacity crowd at the second annual Power to do (even) More event in Toronto last week, president of Dell Canada Kevin Peesker described a fundamental shift that has taken place. According to Peesker, Dell’s dialogue now begins with helping customers understand “how do I best manage the security of my environment, whether it be at the network layer, the desktop layer, the endpoint layer or in the data centre? How do I transition my organization off a legacy mainframe into industry standard x86 environment that is eminently more powerful and more robust? And how do I piece those together with services?” In other words, Dell is now better prepared and more committed to helping resolve customer challenges than to selling components — a critical repositioning that is part and parcel of the company’s transition over the past decade to an end-to-end solution provider.
As Peesker’s remarks suggest, in its transformation Dell has chosen to focus on specific customer pain points, such as security. This intent is perhaps more evident in Dell acquisition strategy: designed to amass security IP that can be applied across the spectrum of customer environments, Dell has acquired key expert firms such as AppAssure, SecureWorks, SonicWall and Credant Technologies over the past two years, as well as Quest Software to stitch together these capabilities in a unified platform that Dell calls Connected Security. Why focus on security? In an early morning presentation at the event, InsightaaS principal analyst Michael O’Neil offered a bifurcated answer featuring a modern take on the tragic-comic elements of Greek theatre, punctuated by movie trivia. Think question: ‘Who knows what technology lurks in the depths of business user settings?’ and answer: ‘The Shadow Knows’ formats.
O’Neil launched his presentation Success & Profitability: Security and the value of IT/Business solutions — a presentation in three acts, with “the good news” — the growing importance of IT in business environments. While approximately 6% of Canadian GDP is allocated to IT spend, in a December 2013 Techaisle survey of 635 Canadian IT and business managers, O’Neil found that 85% of respondents reported that the impact of current IT developments on their businesses is somewhat (34%) or very (51%) high. In terms of where IT may be found, he has catalogued 37 different types of SaaS applications that support different business functions and expects that with adoption of cloud, which decreases the cost and time of deploying technology, and the automation of processes, IT will spread to every corner of the organization. If tech’s growing value is clear; however, so too is the tragic flaw in the good news story: our increasing reliance on IT means that any interruption will have a huge impact, and the pervasiveness of technology means that any IT failure will have a cascade effect, expanding the impact of failure dramatically across the organization.
On “the bad news” side of the equation, O’Neil also outlined the progression of breeches over 2010-2013, citing Dell CSO John McClurg’s evaluation of the threat landscape: “It doesn’t matter if you are small or large, it’s not a matter of ‘if’ you are going to be compromised, it’s ‘when’.” He also described the impact a breech can have on the business: in the Techaisle research, approximately half of survey respondents agreed that a breach would mean that customer trust in the organization would suffer significant damage and that customers’ privacy would be significantly damaged; 30% said the company’s reputation would suffer damage; a quarter claimed substantial damage to the company’s bottom line; and only 16% said there would be no impact. Despite this potentially negative effect on customer relationships, reputation and profitability, O’Neil observed that businesses typically address security challenges in a disconnected way, with assignment of responsibility for policy to business, and responsibility for executing policy relegated to IT. This gap in approach, combined with the shadow IT phenomenon, are putting businesses at risk. However, O’Neil concluded with more good news — growing threats are putting security at the forefront of senior executive agendas and that it is possible, through a 4 stage process to build the cyber resiliency needed to position security as an enabler that can ensure IT delivers expected business value.
From high level business value assessment, Jason Bingo, marketing director for the Dell Software Group, moved in his presentation, Dell Connected Security: Comprehensive protection across your IT environment, to the riveting drama that the threat landscape has become. According to Bingo, “today we are more connected than ever,” and as a result, more exposed to threats at every connection point. At the same time, the nature of the threat has changed though most remain blissfully unaware: most people don’t know if they have experienced a security breach, he argued, even though 51% of respondents in a recent survey had at least one security breach attributed to a web vulnerability in the past year.
Through reverse engineering, Dell is able to track the origin of security breaches, which Bingo explained range from state sponsored attacks — cyber attacks and cyber terrorism that are a component of national strategy, particularly in the Far East and Middle East regions — to organized crime, to well educated, unemployed North American youth with ready online access to exploitation kits like Spy Eye or Phoenix Exploiters Kit, along with YouTube instructions (30,000 videos and counting) on their use. While the intent of state sponsored attacks is likely control of assets and organized crime is motivated by monetary gain, both types of threats are marked by increasing sophistication, persistence, prevalence, scale and the ability to operate undetected for a long time. And while many smaller organizations practice what McClurg called “security by obscurity,” Bingo argued that the average customer may not be the end target, but could still represent a gateway in that is equally vulnerable.
According to Bingo, Dell “didn’t seek to be in the security business” but customers came to them with a number of “security related issues,” such as urgency around BYOD, the need to support new Web 2.0 apps and for increased broadband speeds, compliance risk and flat IT budgets. The idea behind Connected Security was to provide all that was needed in application security, network security and data security to “keep the bad guys out and let good guys in.” For example, at the application layer, Dell provides email security to provide internal protection, and endpoint management to keep threats out. At the network layer, it provides SSL VPN to keep the good guys in, and next generation firewalls to keep intruders out. And at the data layer, AppAssure provides internal security, while Dell Data Protection encryption secures against penetration from outside. The key, though, is that Dell is connecting all these: “we have the best piece parts [security acquisitions] on the market today. We’re connecting them and this matters because we seek to deliver a customer experience and an outcome that doesn’t exist today.” As example, Bingo explained that in a BYOD setting, his iPhone would be denied access to corporate apps and data because the Dell firewall recognizes there is no security on the device. This information would be sent to the identity and access management solution — the “brains of the whole solution” — which in turn would report the attempt to Bingo’s supervisor, and Bingo would be advised to download the latest version of the encryption software onto the device. Another practical application would be quarantine of vms, based on a message from the firewall, until an investigation and remediation had occurred and everything documented for compliance with identity management. In these kinds of scenarios, Bingo claimed, “the end-to-end solution works beautifully. This is something that you can’t buy in the marketplace today. We know, because we tried to buy it.”
A final act in the Power to do More security play was provided by Alan Daines, acting CISO, Dell Global Security, who expanded on the total solution approach with a review of Dell’s own security strategy in a presentation entitled, End to End Security: Dell’s Internal Security Story. In Daines’ view, the challenge is to help organizations achieve balance between security and business needs: “How do we find balance? How do we enable the business, but in a secure manner?” he asked. One answer is to drive thinking around acceptable risk by the business stakeholder, rather than insist on security restriction from IT.
At Dell, for example, risk around cloud adoption is mitigated through identification of a few reliable providers with which there is a contractual relationship — as opposed to a ban which would ultimately be unworkable. In terms of data protection, information is classified as either public, internal, restricted (requires server controls and encryption at rest and in motion), and highly restricted, which must be discovered by legal and is always requires encryption, and security provisions are made according to information tier. Investment is made in understanding the nature of threats — Dell monitors millions of malware items a month, and generates six to nine billion security events a day which are fed into SecureWorks systems to proactively identify the source of threats and to apply up to date tools to lock threats down before they compromise business systems and infrastructure. The company also engages in continuous self-assessment, identifying strengths and weaknesses that form the basis for highly detailed security strategy. The goal has been development of security around connectivity through segmentation, governance and controls, around identity management, which has been bolstered through the Quest acquisition, and around data through classification systems.
Ultimately, the Dell security team aims to “deliver controls and insurance” to respond to evolving threats that “blended in nature.” To achieve this, Daines’ team has worked towards a convergence of technology, people and processes that can offer organizations the best protection against business disruption. Through alignment of Daines’ “organizational agility” and the “security layer,” the group has worked towards a “balance” that Dell believes may also help customers achieve security success — while enabling IT value.
