Author
Updated
24 Oct 2024Form Number
LP1116PDF size
7 pages, 84 KBAbstract
Security threats are constantly evolving, but Lenovo Infrastructure Solutions Group (ISG) builds foundational security into our products and services to guard your data infrastructure against damage from cybersecurity threats.
Change History
Changes in the October 24, 2024 update:
- Removed the reference to Intel Transparent Supply Chain as it is no longer available
Introduction
Cybersecurity has become a major concern for all organizations, large and small. The frequency, severity and cost of data breaches accelerates daily, as the cyber attack surface expands and the breadth of attacks grows to compromise new and different areas. C-Suite executives and Boards want to partner with IT providers that truly understand security and can help them guard against the impact of security breaches. Lenovo ISG’s product security program “bakes in” foundational security to our products in order to minimize security risks and to help customers guard their data and infrastructure.
The Magnitude of the Security Problem
“Lenovo’s ThinkSystem servers provide the best reliability among all x86 servers for the 10th consecutive year and best x86 server security for the last five years.“
— ITIC 2023 Global Server HW, Server OS Reliability Report
“In 2023, only 2% of Lenovo ThinkSystem servers experienced downtime due to a hack attack. This is down from 4% of Lenovo ThinkSystem servers that suffered unplanned downtime due to a security attack in 2021… 78% of Lenovo server respondents said they posted six and seven nines of uptime, the highest reliability score among all x86 hardware distributions for the tenth consecutive year.”
— ITIC 2023 Global Server Hardware, Server OS Security Report
The costs associated with security breaches—both tangible and intangible—are alarming:
In December 2023, the release of the annual FBI Internet Crime Report 2023 revealed that the total number of complaints logged by the FBI in 2023 reached a record level at just over 880,000, and that the monetary consequences increased 22% from 2022, rising to an estimated $12.5 billion. The average cost of a data breach increased 2.6% from USD $4.35 million in 2022 to USD $4.45 million in 2023.
ITIC’s 2023 Global Server Hardware Security survey shows that 84% of corporate enterprises rank security as the leading cause of unplanned server and application downtime, and that the hourly cost of downtime now exceeds USD $300,000 for 91% of SME and large enterprises.
Furthermore, security breaches from issues associated with supply chain and third-party suppliers have increased dramatically since 2019, making supply chain security a crucial focus for enterprises.
Lenovo ISG’s Product Security Program
Lenovo Infrastructure Solutions Group’s (ISG) security program (ThinkShield) has a long heritage, with its roots in System x security foundations. With a goal of being our customers’ most trusted partner, Lenovo ISG equips our customers with secure solutions from edge to cloud. We build security into our products from development through delivery. In a world where bad actors are constantly attacking servers and networks and seeking to steal critical data, Lenovo ISG is committed to programs and actions which will minimize security risks in our products and to our customers.
Lenovo ISG encourages customers to scrutinize all IT suppliers and ask each supplier questions about code origin and security controls, independent product security assessments, security response, and product security governance. Our industry leadership position provides us with significant market insight, which demonstrates that Lenovo ISG’s product security practices exceed industry norms.
A Strong Foundation for Future-Ready IT
Lenovo ISG’s product security program begins with our award-winning secure supply chain and continues with secure business processes throughout the development life cycle, resulting in products that have security built in to help our customers protect their infrastructures from cyberattacks.
Secure Supply Chain |
Secure Business Processes |
Secure Product Design |
---|---|---|
Lenovo ISG owns and controls our manufacturing to ensure security is built into our products from the beginning of development
|
Lenovo’s business processes are based on proven security practices to meet the most rigorous requirements
|
Lenovo’s product design builds security into our products, and we continuously enhance our products to meet the latest security standards
|
Secure Supply Chain
Lenovo builds security into our products from the very beginning of development. Lenovo ISG owns and controls our manufacturing, unlike many of our competitors. Our award-winning supply chain is ranked by Gartner as the #3 High Tech Supply Chain for 2023 (in the Top 7 since 2015), the #8 Global Supply Chain (in the Top 35 since 2013), and the #1 supply chain in AP (2023). This ranking is across all firms and industries evaluated by Gartner.
Through our Trusted Supplier Program we specify supplier security requirements and carefully evaluate and qualify our suppliers to ensure they meet our security standards, and we periodically audit their compliance on a risk basis. This program covers all Intelligent Components (any executable component, memory, semiconductors, etc.)—and their suppliers—that could adversely affect the security of our products.
Lenovo augments our secure supply chain with secure logistics. We ensure that our products remain secure from the time they leave our manufacturing facilities to the time they are delivered and operationalized in customer environments. Once the products are built and tested, they are packaged and prepared for shipping with tamper-evident materials so that any problems can be noticed immediately, en route, and the incident investigated. After packaging, Lenovo works with qualified logistics suppliers to safely deliver products to end customers. Protection throughout the shipping process includes secure facilities, trucks and conveyances, and thoroughly-screened employees, visitors, and drivers. Shipments are tracked from the time they leave Lenovo buildings until they are received at a customer's location.
Beyond our supply chain security, we assist customers with security for their product lifecycle management. For those customers who are interested in secure disposal, Lenovo offers an end-of-life program through our Asset Recovery Services (ARS). Through ARS, Lenovo can securely wipe hard drives and securely recycle parts utilizing industry recognized data sanitization standards such as NIST SP 800-88 R1 and Commission Regulation (EU) 2019/424, compliant with privacy laws such as HIPAA, GDPR, CCPA, Sarbanes Oxley, Gramm-Leach-Bliley, and others.
Lenovo adheres to the World Customs Organization (WCO) SAFE Framework of Standards to Secure and Facilitate Global Trade and Authorized Economic Operators (AEO) requirements. We are committed to strengthening international supply chains and improving United States border security. We are a C-TPAT Tier III partner (“Certified, Exceeding” all minimum criteria), the highest rating provided by the U.S. Customs and Border Protection.
Secure Business Processes
Lenovo has established a governance structure to drive security across products and services development. Our Lenovo Secure Development Lifecycle (LSDL) guides products and services security efforts throughout our business units to reduce risk. We draw from the BSIMM (“Building Security In” Maturity Model) and will be compliant with Cybersecurity Executive Order 14028 “Improving the Nation’s Cybersecurity.” The cornerstone of this LSDL process is the Software Security Review Board (SSRB). The Security Review Board engages with products and services development teams throughout the entire product lifecycle to ensure a secure design and to further review security before release.
Lenovo’s Secure Development Lab is ISO 27001:2022 Information Security Management System (ISMS) certified and has been granted a certification for TAPA Facility Security Requirements (FSR) with IT and Cyber Security Threat Enhancement. This secure development lab is located in the US, managed by US Nationals, with restricted access based on need. It houses ThinkSystem, ThinkEdge, ThinkAgile and CSP ecosystem firmware and software source code build and signing functions. Lenovo firmware is maintained, built, and digitally signed on logically isolated servers in this facility to protect against tampering and ensure secure, trusted boot-up. Our development security enablement embeds security tooling into development teams to enable faster issue identification and remediation.
Lenovo ensures that Security assessments are routinely performed for processes and product offerings. These have included annual third-party (external) security process audits, third-party (external) assessments for major development milestones of core products, and first-party (internal) assessments for each software / firmware release. We have longstanding relationships with third-party security partners, most of whom are approved for use by the US Government.
Our security support for our customers extends throughout the lifecycle. Lenovo’s Product Security Office exists to improve customer trust and awareness in the security of Lenovo product offerings. Our Product Security Incident Response Team (PSIRT) works with customers, suppliers, partners, and researchers to investigate, resolve, and report security vulnerability information related to Lenovo products. We publish security advisories that transparently describe vulnerabilities affecting Lenovo products and provide information on how customers can protect their systems.
Secure Product Design and Continuous Innovation
Lenovo ISG builds security into all our ThinkSystem, ThinkEdge, and ThinkAgile products and continuously enhances our products to increase security for our customers. Our ThinkSystem and ThinkAgile v3 offerings incorporate significant new capabilities to protect against attacks, detect attacks if they occur, and recover from attacks in the unlikely event of tampering or corruption. These include enhancements to our platform protection with an increased number of the latest security standards such as FIPS 140-3 (validation in process), stronger password storage, enhanced compliance with NIST SP800-193 Platform Firmware Resiliency (PFR), and CNSA Suite 1.0 Quantum-resistant cryptography.
Lenovo also offers Lenovo System Guard, which monitors a server’s internal hardware inventory to protect against supply chain attacks or hacking throughout the life cycle. By taking digital “measurements” of critical components such as CPUs, DIMMs, PCI Adapters, drives, risers & backplanes, we can detect if these components are removed or swapped with a different component after shipment from the manufacturing plant, through shipping and delivery, and after deployment in our customers’ infrastructure. In the event a component change is detected, System Guard can be configured either to send an alert to an administrator or to block boot-up.
Lenovo’s immutable hardware Root of Trust (RoT) provides an embedded, silicon-based chip which ensures that the server can only be booted with trusted firmware. Through a carefully choreographed “chain of trust,” the boot process ensures that each of the critical below-OS components has the correct digital signature from our manufacturing plant and has not been tampered with. If any component fails this test the server will not boot, and the administrator is notified of the issue. We have also built in increased redundancy for critical firmware support, which means faster and more reliable recovery in the unlikely event of tampering or corruption.
Summary
Lenovo is committed to programs and processes to deliver products and solutions that not only have the functionality our customers want, but also meet or exceed industry standards for security. We build in security from the beginning of development through our secure supply chain, manufacture our products in Lenovo-owned factories, and ensure security throughout the product lifecycle. The strength of our commitment to security is evidenced not only by third-party assessments and attestations but also by the end result, the security of our products—as demonstrated, for example, by ITIC’s 2023 Global Reliability Survey finding that “Lenovo’s ThinkSystem servers provide the best reliability among all x86 servers for the tenth consecutive year and best server security for the last five years.”
Lenovo provides provably secure solutions via independent audits by customers and third-party consultancies. We support our customers not only with secure products but also through our Product Security Incident Response Team to publish advisories of any potential exposure and help customers with remediation if needed.
Lenovo ISG continues to be a trusted supplier to governments, critical infrastructure industries, and many other security-sensitive customers around the world. Our servers are used in wide-ranging critical applications such as powering more supercomputers than any other supplier to solve some of humanity’s greatest challenges, to supporting critical infrastructure workloads, to serving as a foundational capability for 8 of the top 10 global cloud providers. Robust security is an integral part of our product development process.
About the author
Bob Nevins is an Open Group Master Certified IT Specialist with extensive expertise in IT Strategy and Solution Design. His professional passion is to simplify complex technology for clients and help them apply it to increase business value. During his years in the IT industry, Bob has been a frequent speaker in Executive Briefing Centers and has worked as managing consultant, software designer, and network architect as well as teacher and technical specialist. Bob is currently a Senior Solutions Marketing Consultant focused on Infrastructure Security.
Trademarks
Lenovo and the Lenovo logo are trademarks or registered trademarks of Lenovo in the United States, other countries, or both. A current list of Lenovo trademarks is available on the Web at https://www.lenovo.com/us/en/legal/copytrade/.
The following terms are trademarks of Lenovo in the United States, other countries, or both:
Lenovo®
System x®
ThinkAgile®
ThinkEdge®
ThinkShield®
ThinkSystem®
Other company, product, or service names may be trademarks or service marks of others.
Configure and Buy
Full Change History
Changes in the October 24, 2024 update:
- Removed the reference to Intel Transparent Supply Chain as it is no longer available
Changes in the March 27, 2024 update:
- Updated to include the latest industry data
First published: April 2, 2019
Course Detail
Employees Only Content
The content in this document with a is only visible to employees who are logged in. Logon using your Lenovo ITcode and password via Lenovo single-signon (SSO).
The author of the document has determined that this content is classified as Lenovo Internal and should not be normally be made available to people who are not employees or contractors. This includes partners, customers, and competitors. The reasons may vary and you should reach out to the authors of the document for clarification, if needed. Be cautious about sharing this content with others as it may contain sensitive information.
Any visitor to the Lenovo Press web site who is not logged on will not be able to see this employee-only content. This content is excluded from search engine indexes and will not appear in any search results.
For all users, including logged-in employees, this employee-only content does not appear in the PDF version of this document.
This functionality is cookie based. The web site will normally remember your login state between browser sessions, however, if you clear cookies at the end of a session or work in an Incognito/Private browser window, then you will need to log in each time.
If you have any questions about this feature of the Lenovo Press web, please email David Watts at dwatts@lenovo.com.