Lenovo Security by Design: Foundational Security from Edge to Cloud

Cybersecurity has become a major concern for all organizations, large and small. The frequency, severity and cost of data breaches accelerates daily, as the cyber attack surface expands and the breadth of attacks grows to compromise new and different areas. C-Suite executives and Boards want to partner with IT providers that truly understand security and can help them guard against the impact of security breaches. Lenovo ISG’s product security program “bakes in” foundational security to our products in order to minimize security risks and to help customers guard their data and infrastructure.

The costs associated with security breaches—both tangible and intangible—are alarming:

In December 2023, the release of the annual FBI Internet Crime Report 2023 revealed that the total number of complaints logged by the FBI in 2023 reached a record level at just over 880,000, and that the monetary consequences increased 22% from 2022, rising to an estimated $12.5 billion. The average cost of a data breach increased 2.6% from USD $4.35 million in 2022 to USD $4.45 million in 2023.

ITIC’s 2023 Global Server Hardware Security survey shows that 84% of corporate enterprises rank security as the leading cause of unplanned server and application downtime, and that the hourly cost of downtime now exceeds USD $300,000 for 91% of SME and large enterprises.

Furthermore, security breaches from issues associated with supply chain and third-party suppliers have increased dramatically since 2019, making supply chain security a crucial focus for enterprises.

Lenovo Infrastructure Solutions Group’s (ISG) security program (ThinkShield) has a long heritage, with its roots in System x security foundations. With a goal of being our customers’ most trusted partner, Lenovo ISG equips our customers with secure solutions from edge to cloud. We build security into our products from development through delivery. In a world where bad actors are constantly attacking servers and networks and seeking to steal critical data, Lenovo ISG is committed to programs and actions which will minimize security risks in our products and to our customers.

Lenovo ISG encourages customers to scrutinize all IT suppliers and ask each supplier questions about code origin and security controls, independent product security assessments, security response, and product security governance. Our industry leadership position provides us with significant market insight, which demonstrates that Lenovo ISG’s product security practices exceed industry norms.

Lenovo ISG’s product security program begins with our award-winning secure supply chain and continues with secure business processes throughout the development life cycle, resulting in products that have security built in to help our customers protect their infrastructures from cyberattacks.

Lenovo builds security into our products from the very beginning of development. Lenovo ISG owns and controls our manufacturing, unlike many of our competitors. Our award-winning supply chain is ranked by Gartner as the #3 High Tech Supply Chain for 2023 (in the Top 7 since 2015), the #8 Global Supply Chain (in the Top 35 since 2013), and the #1 supply chain in AP (2023). This ranking is across all firms and industries evaluated by Gartner.

Through our Trusted Supplier Program we specify supplier security requirements and carefully evaluate and qualify our suppliers to ensure they meet our security standards, and we periodically audit their compliance on a risk basis. This program covers all Intelligent Components (any executable component, memory, semiconductors, etc.)—and their suppliers—that could adversely affect the security of our products.

Lenovo was the first Tier 1 manufacturer to offer Intel Transparent Supply Chain (TSC), which provides a “Birth Certificate” for Intel-based ThinkSystem Servers and ThinkAgile Solutions. This birth certificate provides traceability at the system and component level and a statement of conformance, digitally signed by Intel®, to guarantee the authenticity of the systems.

Lenovo augments our secure supply chain with secure logistics. We ensure that our products remain secure from the time they leave our manufacturing facilities to the time they are delivered and operationalized in customer environments. Once the products are built and tested, they are packaged and prepared for shipping with tamper-evident materials so that any problems can be noticed immediately, en route, and the incident investigated. After packaging, Lenovo works with qualified logistics suppliers to safely deliver products to end customers. Protection throughout the shipping process includes secure facilities, trucks and conveyances, and thoroughly-screened employees, visitors, and drivers. Shipments are tracked from the time they leave Lenovo buildings until they are received at a customer's location.

Beyond our supply chain security, we assist customers with security for their product lifecycle management. For those customers who are interested in secure disposal, Lenovo offers an end-of-life program through our Asset Recovery Services (ARS). Through ARS, Lenovo can securely wipe hard drives and securely recycle parts utilizing industry recognized data sanitization standards such as NIST SP 800-88 R1 and Commission Regulation (EU) 2019/424, compliant with privacy laws such as HIPAA, GDPR, CCPA, Sarbanes Oxley, Gramm-Leach-Bliley, and others.

Lenovo adheres to the World Customs Organization (WCO) SAFE Framework of Standards to Secure and Facilitate Global Trade and Authorized Economic Operators (AEO) requirements. We are committed to strengthening international supply chains and improving United States border security. We are a C-TPAT Tier III partner (“Certified, Exceeding” all minimum criteria), the highest rating provided by the U.S. Customs and Border Protection.

Lenovo has established a governance structure to drive security across products and services development. Our Lenovo Secure Development Lifecycle (LSDL) guides products and services security efforts throughout our business units to reduce risk. We draw from the BSIMM (“Building Security In” Maturity Model) and will be compliant with Cybersecurity Executive Order 14028 “Improving the Nation’s Cybersecurity.” The cornerstone of this LSDL process is the Software Security Review Board (SSRB). The Security Review Board engages with products and services development teams throughout the entire product lifecycle to ensure a secure design and to further review security before release.

Lenovo’s Secure Development Lab is ISO 27001:2022 Information Security Management System (ISMS) certified and has been granted a certification for TAPA Facility Security Requirements (FSR) with IT and Cyber Security Threat Enhancement. This secure development lab is located in the US, managed by US Nationals, with restricted access based on need. It houses ThinkSystem, ThinkEdge, ThinkAgile and CSP ecosystem firmware and software source code build and signing functions. Lenovo firmware is maintained, built, and digitally signed on logically isolated servers in this facility to protect against tampering and ensure secure, trusted boot-up. Our development security enablement embeds security tooling into development teams to enable faster issue identification and remediation.

Lenovo ensures that Security assessments are routinely performed for processes and product offerings. These have included annual third-party (external) security process audits, third-party (external) assessments for major development milestones of core products, and first-party (internal) assessments for each software / firmware release. We have longstanding relationships with third-party security partners, most of whom are approved for use by the US Government.

Our security support for our customers extends throughout the lifecycle. Lenovo’s Product Security Office exists to improve customer trust and awareness in the security of Lenovo product offerings. Our Product Security Incident Response Team (PSIRT) works with customers, suppliers, partners, and researchers to investigate, resolve, and report security vulnerability information related to Lenovo products. We publish security advisories that transparently describe vulnerabilities affecting Lenovo products and provide information on how customers can protect their systems.

Lenovo ISG builds security into all our ThinkSystem, ThinkEdge, and ThinkAgile products and continuously enhances our products to increase security for our customers. Our ThinkSystem and ThinkAgile v3 offerings incorporate significant new capabilities to protect against attacks, detect attacks if they occur, and recover from attacks in the unlikely event of tampering or corruption. These include enhancements to our platform protection with an increased number of the latest security standards such as FIPS 140-3 (validation in process), stronger password storage, enhanced compliance with NIST SP800-193 Platform Firmware Resiliency (PFR), and CNSA Suite 1.0 Quantum-resistant cryptography.

Lenovo also offers Lenovo System Guard, which monitors a server’s internal hardware inventory to protect against supply chain attacks or hacking throughout the life cycle. By taking digital “measurements” of critical components such as CPUs, DIMMs, PCI Adapters, drives, risers & backplanes, we can detect if these components are removed or swapped with a different component after shipment from the manufacturing plant, through shipping and delivery, and after deployment in our customers’ infrastructure. In the event a component change is detected, System Guard can be configured either to send an alert to an administrator or to block boot-up.

Lenovo’s immutable hardware Root of Trust (RoT) provides an embedded, silicon-based chip which ensures that the server can only be booted with trusted firmware. Through a carefully choreographed “chain of trust,” the boot process ensures that each of the critical below-OS components has the correct digital signature from our manufacturing plant and has not been tampered with. If any component fails this test the server will not boot, and the administrator is notified of the issue. We have also built in increased redundancy for critical firmware support, which means faster and more reliable recovery in the unlikely event of tampering or corruption. 

Lenovo is committed to programs and processes to deliver products and solutions that not only have the functionality our customers want, but also meet or exceed industry standards for security. We build in security from the beginning of development through our secure supply chain, manufacture our products in Lenovo-owned factories, and ensure security throughout the product lifecycle. The strength of our commitment to security is evidenced not only by third-party assessments and attestations but also by the end result, the security of our products—as demonstrated, for example, by ITIC’s 2023 Global Reliability Survey finding that “Lenovo’s ThinkSystem servers provide the best reliability among all x86 servers for the tenth consecutive year and best server security for the last five years.”

Lenovo provides provably secure solutions via independent audits by customers and third-party consultancies. We support our customers not only with secure products but also through our Product Security Incident Response Team to publish advisories of any potential exposure and help customers with remediation if needed.

Lenovo ISG continues to be a trusted supplier to governments, critical infrastructure industries, and many other security-sensitive customers around the world. Our servers are used in wide-ranging critical applications such as powering more supercomputers than any other supplier to solve some of humanity’s greatest challenges, to supporting critical infrastructure workloads, to serving as a foundational capability for 8 of the top 10 global cloud providers. Robust security is an integral part of our product development process.

Bob Nevins is an Open Group Master Certified IT Specialist with extensive expertise in IT Strategy and Solution Design. His professional passion is to simplify complex technology for clients and help them apply it to increase business value. During his years in the IT industry, Bob has been a frequent speaker in Executive Briefing Centers and has worked as managing consultant, software designer, and network architect as well as teacher and technical specialist. Bob is currently a Senior Solutions Marketing Consultant focused on Infrastructure Security.