3. Smarter End-to-End Security: How Lenovo is Securing the Supply Chain

InTechnology - A podcast by Camille Morhardt


In this episode of Cyber Security Inside we'll learn how Lenovo is strengthening the supply chain to further protect its customers by introducing smarter end-to-end security through new services. Our guest is Rebecca Achariyakosol, Executive Director, PC Services Global Marketing at Lenovo.

Tom Garrison: Hello, and welcome to the Cyber Security Inside podcast. In this podcast, we aim to dig into important aspects of cyber security, which can often be highly complex and intimidating, and break them down to make them more understandable. We aim to avoid jargon and instead use plain language for thought-provoking discussions. Every two weeks, a new podcast will air. We invite you to reach out to us with your questions and ideas for future podcast topics. I'd like to introduce my cohost, Camille Morhardt, Technical Assistant and Chief of Staff at Intel's Product Assurance and Security Division. She's a co-director of Intel's Compute Lifecycle Assurance, an industry initiative to increase supply chain transparency. Camille's conducted hundreds of interviews with leaders in technology and engineering, including many in the C suite of the Fortune 500.

Tom Garrison: Hi, Camille. How are you doing today?

Camille Morhardt: Surf's up! I'm doing well, Tom.

Tom Garrison: (laughs) Nice. That's right. You're at the beach. The benefits of being able to record anywhere in the world. Camille, what's on your mind for today's Security Matters segment?

Camille Morhardt: Well, Tom, I've been thinking about trust. And I've decided that trust is something that you can't actually offer. It's only something that can be bestowed upon you. So given that, what elements go into trust? Is that the same when we're talking about a company or we're talking about a relationship? And you know, what kind of actions could a company or government, say, take to increase your chances of trusting them, since it's something you can only bestow upon them?

Tom Garrison: Interesting. So trust, I guess you can decide to inherently trust somebody, but ultimately it's something that you either are adding to the trust or you're taking away from the trust based on your actions.

Camille Morhardt: Yeah. And you don't get to decide whether somebody trusts you or not. You can only offer, I would submit, actions, some sort of an action, like being upfront about your intentions or your mistakes potentially would increase trust, say in a romantic relationship. Now, how does that translate when you're talking about the government? Do I trust the government or a company? How do I know whether I trust a company?

Tom Garrison: Yeah, that's a, it's a good topic. So let's say, let's stick with companies. So how do companies increase trust?

Camille Morhardt: Well, I think one of the main ways the company can increase trust is to tell you honestly what they're doing. And I think that one way to do that, one proxy, I would say, almost for trust, is transparency. A bit of a buzzword these days, but that gives you visibility, not just visibility, but actually a complete view into what's happening. Transparency in everything from your intentions, which I think in most public companies are maximizing profit. There may be additional intentions or motives. And then after that, how are you going about producing your product?

Tom Garrison: You know, it occurs to me that there's a lot about products in general that we don't know really much at all. We know who we bought it from. Hopefully we trust that company, that they're doing the right things, but there's a lot of information that could be made available to the customer, the end customer, about the devices that they're buying today.

Camille Morhardt: Yeah, is it my business? Do I just get to put trust into a company? Um, and that's good enough. I believe the company, they have a big name. They've got a good brand, you know, do I really, do I have some sort of a right to know more than that? I can buy from whoever I want.

Tom Garrison: Yeah, I think, I think you do. I mean, you know, maybe there's a debate to be had here, but I, I think as the customer, you have the right to any information that is going to have an impact on you, the customer, moving forward. And that might be things like, you know, maybe a more detailed understanding of what goes into the products that you're buying. And, based on that knowledge, you, you have a better understanding of what risks are involved from a security standpoint. I think you have rights to any information that has to do with the way you're using the product. I don't think you necessarily have rights to the vendor, whoever you chose to buy it from. They've aggregated all the data about all of their customers. I don't think you as a customer have rights to that, but I do think that if you bought 10,000 of something, you have the rights to the aggregated 10,000 that you own.

Camille Morhardt: So do I have a right to know exactly what's in those devices that I own? I mean, if there are sub-vendors that are traded out, uh, we have, now we're using a screw from a different company now. Do I need to be burdened with that information?

Tom Garrison: Well, first I think there's a question of how much value do you get from what screw they use. But if you were to say instead, maybe the line is intelligent devices, things that are running software within maybe your PC or within your server, within your IoT device, for a couple of different reasons. Let me just share sort of my view. If there ever turns out to be a security problem down the road with one of those devices, then you want to be able to know about it right away, as soon as possible. And so if you already know what are these subcomponents in your device, then you should be able to aggregate your entire installed base of PCs or servers or whatever, and say very quickly, "I just saw about this vulnerability about this component. Do I have that component anywhere in my infrastructure?" Yes or no. There's a huge value in having that. If you have to wait for your system provider to tell you that there was an issue, you might've lost two months, three months, six months down the road.

Camille Morhardt: That seems like ringing some alarms. That seems like a tremendous amount of collaboration, which may exist in some industries. I think we have pretty good forward and backward traceability in the food industry in certain parts of the world to protect against bacteria and trace that. But is that level of traceability really necessary, you know, in a pair of running shoes? Maybe it is in a car or in the food that I eat, but are you adding or demanding unnecessary costs, even for the service of understanding whether I have something, a problem with the thing that I'm using right now?

Tom Garrison: So, I think this is an episode. I think we could narrow it down to platforms. So say PCs and servers and IoT devices. And I think this discussion is what we should cover today in today's podcast.

Camille Morhardt: I like it. Yup. Sounds good.

Tom Garrison: Let's go for it.

INTERVIEW

Tom Garrison: In today's discussion we'll learn how Lenovo is strengthening the supply chain to further protect its customers by introducing smarter end-to-end security through new services. I'm pleased to introduce our guest Rebecca Achariyakosol, Executive Director, Global Marketing, responsible for product marketing and sales enablement for Lenovo IDG services. Rebecca, please take a moment and tell us a little about your role at Lenovo.

Rebecca Achariyakosol: Sure. Hi, Tom. Thanks for the introduction and the opportunity to speak with you today. I've been working for Lenovo for almost three years now, and I am responsible for services, product development, marketing, and enablement for our IDG business. So IDG stands for Intelligent Device Group, and that includes all of our laptops, desktops, workstations, and any of our mobility devices like tablets and phones. I don't create products. My job is to build solutions that can solve customer problems.

Tom Garrison: Well, that sounds interesting. Um, can we maybe just jump right into it and talk about some of the new services that Lenovo has introduced?

Rebecca Achariyakosol: So the supply chain is really an area that traditionally has presented some vulnerabilities that can be exploited. The window after devices leave the manufacturer before they reach the end user, that really creates an opening for someone to tamper with the PC. They can remove or replace components and it's really hard to detect that that's happened. So Lenovo is directly addressing this problem within the security supply chain with two services that we call Transparent Supply Chain and Trusted Device Setup. With these two services, changes not only to the hardware but also to the software can easily be detected.

Tom Garrison: Interesting. So maybe let's start with Transparent Supply Chain. Can you talk more about what Transparent Supply Chain is and how it works?

Rebecca Achariyakosol: Sure, absolutely. So Transparent Supply Chain is exclusively available for PCs with select Intel platforms. And it allows us to detect any hardware changes that were made between the factory and the customer. So it enables the visibility and the traceability of the hardware components so that customers can be confident that the system and hardware is exactly as it left the factory. So what they receive is exactly what was shipped.

Tom Garrison: Okay, so that makes sense. And, and you also mentioned Trusted Device Setup. What does that do?

Rebecca Achariyakosol: So that's kind of the other half of the equation. So Trusted Device Setup, it's a preload verification process. We seal the software at the point of manufacturing, so that any tampering attempts that occur after it's been sealed can be detected and prevented. So it's the second half -- Trusted Device Setup gives you the software security pieces from the software perspective and the Transparent Supply Chain is the hardware half.

Camille Morhardt: Hey, so Rebecca, I'm curious, transparency doesn't actually prevent a problem, right? It just, it just allows people to understand if a problem has occurred. So why do you guys value transparency, just to back it up? Why are you pursuing it? How is that important?

Rebecca Achariyakosol: We have our Trusted Supplier Program and that's where we thoroughly vet our vendors and we do audits and inspections and things with our vendors to make sure that there's nothing in the supply chain up to the factory. But we also wanted to further expand how we've used security and provide an additional level for kind of end-to-end protection. So Transparent Supply Chain and Trusted Device Setup, they kind of extend that past the factory through the entire supply chain, to the customer. And with these, we can make sure that the devices are truly what they should be receiving and they don't have any kind of security risks or concerns because something's been tampered with.

Camille Morhardt: Sometimes as an industry, we tend to throw technology at the problem and forget to adjust processes or training to add the human element and intercept problems or potential problems that way. How are you guys balancing that risk?

Rebecca Achariyakosol: The pieces that we have with our Trusted Supplier Program, you know, that's kind of a little bit more of the, the people element side where we verify with process and, and people, such that, you know, anything coming into our factory we have more control of that and so we can put those pieces in place. But we really don't have any control once it leaves our factory, right? It's really up to how the customer is consuming that product, what routes to market, who they're using in partnership to help with different pieces of provisioning, et cetera. And so that's where we really have to lean on the technology piece.

Tom Garrison: I think that's an interesting point that the technology almost serves as a backstop, so that you can try to put all the people processes in place, but ultimately the, the last check is the, is the hardware and the, and the services you put on top of that. I wonder if you can maybe just expand a little bit on the fact now people are working from home and workforces in general are more distributed than ever. How does that play into your offerings here?

Rebecca Achariyakosol: In a recent study conducted by the security firm Barracuda Networks, 46% of surveyed global businesses said that they've encountered at least one cyber security scare since shifting to this more remote working model with COVID--and in the first quarter of this year. So that's pretty staggering. Almost half of these companies. And that's due in large part to the security risks that these remote workers pose. Right? So, you know, these services make it easier and more secure to send devices directly from the factory to the employee, which is more what companies are moving to. They don't have the luxury of that coming into the office and being touched by their IT person. So this makes it easier and more secure to send those devices directly from the factory to that end user employee. And they can still have the confidence that it hasn't been tampered with. So this helps increase productivity, it reduces downtime, you get their end users up and running more quickly. And in some cases it really improves the efficiency for the customer's internal IT staff. So, we see this as maybe a continuing trend.

Camille Morhardt: Yeah. Hey Rebecca, do you think we're going to go back?

Rebecca Achariyakosol: Most of the companies that we've talked to, a good majority of them, do see this as somewhat of a permanent shift. Of course some workers are going to go back to a more traditional office; it's not going to be everybody working from home. But this had already been a little bit of a trend, um, where you'd had a more distributed workforce. And I think, you know, this has just become an opportunity, it's accelerated sort of, some of those timelines. It's become an opportunity for customers and companies to implement a more distributed workforce a little more quickly. So I don't think it's going to go completely back. So that's why things like these technologies are going to remain important.

Tom Garrison: Now you can ship devices instead of going through sort of an IT cage to do the provisioning and so forth. You can just ship directly to the users themselves. I wonder if you could talk a little bit about how you, as an IT shop, how you roll out systems with integrity.

Rebecca Achariyakosol: So there's different pieces that you have to go through to make sure that an end user can just receive a box and get up and running. There's lots of technologies that we could kind of talk about, in the provisioning space, that allow customers to be able to get onto their networks seamlessly and very quickly and access all the things that they need. So, we've kind of been on this journey to turn an employee laptop into a cell phone experience, right? So you get your new cell phone and it'll log in. They know who you are. Your apps and the things you need can be pulled down, you don't need somebody to get you up and running. This is very similar. And so there's, there's lots of technologies in that space. And then of course, like I said, there's the security pieces, which is a huge part of it. So it's, you know, we were talking about Transparent Supply Chain and Trusted Device Setup and how that plays into it to make sure everything is trustworthy as it gets there. But then there's just kind of the monitoring, patching, all those other types of elements that our customers have to think about as well. And, and we're happy to help them with those pieces too.

Tom Garrison: I wonder if you could speak a little bit about the customers in this space and what customers are interested in Transparent Supply Chain and Trusted Device Setup?

Rebecca Achariyakosol: I mean, honestly, any company that wants to protect their devices through the supply chain can benefit from these services, right? It's also companies that want to drive higher levels of automation in IT, like we were just talking about, and they need a mechanism to ensure that what the end user's receiving hasn't been tampered with. But additionally, specifically, you know, IT and government accounts in particular could be interested in those due to, you know, the obviously highly IP-sensitive nature of the work they do and the information that they handle.

Tom Garrison: Yeah. Can you talk more maybe about those classes of accounts--the highly sensitive IT accounts and government accounts?

Rebecca Achariyakosol: Sure. There are emerging standards within IT and government that they're attempting to meet, right? So these types of organizations, they typically require better visibility into how and where and with what their computer products are built. The data is valuable for asset tracking and patching when vulnerabilities are disclosed. So it's really about them needing to be sure that everything on their system is secure and that nothing's been put on there that can help somebody steal or leak out their information.

Tom Garrison: I'd like to transition now a little bit into the future and pick your brain a little bit, Rebecca, if you don't mind. So what do you think are the major shifts in the next year or two?

Rebecca Achariyakosol: I think that the narratives of today, they're really going to continue forward. I mean, even before COVID-19, we'd seen customers interested in moving to a more modern IT solution, which includes, you know, security pieces. And this was to facilitate them moving to a more distributed workforce and then also to help free up their IT staff. So these are things that we've been talking about to customers for a while. And I think all COVID has really done is it's accelerated that timeline. Um, and increasingly companies are reporting that even post COVID-19, as we talked about before, the move will be to have more employees remote. So you're not going to just see this big shift where everybody's going back into the office. So, it's not going to be business as usual and, and companies are going to continue to invest in modern IT security offerings to facilitate this new normal. I really think the next year or two, as you asked, it's gonna be more of what we're seeing today. Customers are putting stopgap fixes in place, you know, because COVID happened so quickly, but now they're going to be focused on really streamlining those processes and preparing to have the more distributed workforce.

Tom Garrison: Yeah. I've, I've said to people that have asked me similar questions that the thing that COVID has done is it changed people's perception about how productive people could be working remotely. 'Cause it wasn't that long ago where people assumed that if you were working remotely, you weren't as productive as you are in the office. And I think being forced to work remotely, like we all have, we've been able to change that perception pretty significantly. And so going back to the way it used to be, I think is a, is a fantasy. I don't think it's going to happen.

Rebecca Achariyakosol: I've been a big work-from-home proponent, and you can be very productive and there are a lot of benefits to it. So I agree with you. I think it has changed the way people are viewing it. For those that haven't had that opportunity, the world, the business world, is going to be very different when we come off the other side.

Tom Garrison: I'm going to change gears just a little bit here and maybe have a little bit of fun. I wonder if you could maybe share with us, what's one thing that you've changed to accommodate COVID-19?

Rebecca Achariyakosol: Certainly I'm not on the road like I was before, you know, excitement today is defined as walking in my neighborhood and maybe picking up some takeout. Um, but I've really enjoyed having this time to be home with my family. We've had a lot of changes. We're very much into martial arts and doing our classes via Zoom. They've recently started having some outdoor classes at the gym. So there's, you know, absolutely nothing like being outside in a hundred degree heat with a mask on exercising. (laughs) But you know, it is a chance at least to see some people. Um, and my, my oldest son, uh, every night he ends his prayers by praying COVID goes away, so he can go to his favorite sushi restaurant. Um, you know, he's really focused on all the important--

Tom Garrison: And then there's always takeout sushi, you know, don't, don't, uh, sell that short.

Rebecca Achariyakosol: We have done that twice now. And although, you know, I have to explain to my son that sushi is not the cheapest meal to do. Um, but he really always that experience where, you know, you, you try things and so if you like something you can continue to kind of order the different pieces that you like. Right. Versus, you know, he's got to think upfront of everything we might want to have from the restaurant. Um, but yes, we absolutely have done, on some special occasions, some takeout sushi.

Camille Morhardt: That sounds like a flexible supply chain.

Rebecca Achariyakosol: (laughs) Exactly. Absolutely. He definitely is always that flexible supply chain at a sushi restaurant. You just can't replicate that at home. I guess I could try and hide some of what we brought home and bring it out to them little by little. (laughs)

Tom Garrison: Great. Well, Rebecca, it's been nice to get to know you and thanks for coming in today and talking about Lenovo's service offerings around Transparent Supply Chain and Trusted Device Setup. I think it was educational for people to understand what's possible and, and the kinds of protections now that can be built into the platform directly. So thanks for coming in.

Rebecca Achariyakosol: Well, thank you for the opportunity. It was a pleasure to get to know you as well.

Tom Garrison: That's a wrap. Thank you so much for listening. I'll see you next time.

Subscribe and stay tuned for the next episode of Cyber Security Inside. Follow @tommgarrison on Twitter to continue the conversation. Thank you for listening.
