Lock Down Your Servers with Lenovo XClarity and TPA

One of our recent blogs on Trusted Platform Assurance (TPA) covers the unique security features and practices that help protect your organization against malware attacks on server firmware and the server management engine. In case you missed it, I'll recap.

  • Our servers support industry-standard Intel chipset security features, along with NIST and Trusted Computing Group standards.
  • Lenovo uniquely adds two built-in Trusted Zones to its servers — one for the host and one for the management subsystem — to create a chain of trust. Before any firmware on the system is allowed to execute, its digital signature is examined to verify that it originated from digitally signed source code (not object code). The Trusted Zone on the host also stores a tamper-proof history of all running firmware that can be used to validate code authenticity.
  • Only digitally signed and trusted firmware can be loaded onto servers, initially in manufacturing, as well as during system updates. If a firmware package cannot be validated or its digital signature cannot be verified, the update will not be executed.

While using XClarity management software to centrally define and manage Lenovo systems, you can sleep well at night knowing that Lenovo extends inherent architectural security from servers to the XClarity application. Specifically:

  • You can use your existing Microsoft Active Directory server to verify XClarity users. This helps to reduce overhead by applying your existing, standardized user verification process to Lenovo infrastructure.
  • XClarity establishes secure, authenticated connections to managed systems. In default cryptographic mode, XClarity uses 128-bit or longer keys for symmetric encryption. In NIST mode, XClarity implements even stronger cryptography approved by NIST SP 800-131A for enhanced levels of security.
  • XClarity implements Perfect Forward Secrecy (PFS) to generate random keys per session. There is no single secret value that can lead to widespread compromise of multiple messages. In the event one message is compromised, it does not lead to the compromise of others.
  • Before starting the update process for the XClarity application itself, XClarity confirms the update is digitally signed and trusted. If the XClarity update cannot be validated or verified, the update will not be executed.
  • XClarity generates a tamper-proof audit log (historical record) of user actions, such as logging into the XClarity application, creating new users and changing passwords. Tracking user activities can help provide insight and oversight to increase security in a reliable, provable way.
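Both the "tamper-proof history of all running firmware" kept by the host Trusted Zone and the tamper-proof audit log described above rest on the same idea: each measurement or event is folded into a register that can only be extended, never rewound, so the recorded history can be replayed and checked against known-good values. The following Python model, added here as an illustration and not Lenovo's or XClarity's implementation, shows that construction in the style of a TPM PCR extend. It assumes a single SHA-256 register, constructed sample firmware images, and a fixed list of approved digests; the structure (`MeasurementLog`, `verify_history`) is hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

HASH = hashlib.sha256


@dataclass
class MeasurementLog:
    """Append-only event log plus one extend-only register (TPM PCR style).
    Assumption: a single SHA-256 register starting at all-zero bytes."""
    register: bytes = field(default_factory=lambda: bytes(32))
    events: list = field(default_factory=list)

    def extend(self, component: str, blob: bytes) -> bytes:
        """Record a measurement: register = H(register || H(blob))."""
        digest = HASH(blob).digest()
        self.events.append((component, digest))
        self.register = HASH(self.register + digest).digest()
        return self.register


def replay(events) -> bytes:
    """Recompute the register value implied by an event log."""
    reg = bytes(32)
    for _, digest in events:
        reg = HASH(reg + digest).digest()
    return reg


def verify_history(log: MeasurementLog, golden: dict) -> tuple:
    """Check that (1) the log replays to the register and (2) each
    measured component matches an approved digest. Returns (ok, problems)."""
    problems = []
    if replay(log.events) != log.register:
        problems.append("event log does not replay to register value")
    for component, digest in log.events:
        expected = golden.get(component)
        if expected is None:
            problems.append(f"unexpected component measured: {component}")
        elif expected != digest:
            problems.append(f"digest mismatch for {component}")
    return (not problems, problems)


# Constructed sample firmware images standing in for the real signed packages.
APPROVED = {
    "uefi": b"UEFI firmware image v1.0 (constructed sample)",
    "bmc": b"management engine firmware v2.3 (constructed sample)",
    "bootloader": b"OS bootloader (constructed sample)",
}
# Approved digests a verifier would hold, derived from the approved images.
GOLDEN = {name: HASH(blob).digest() for name, blob in APPROVED.items()}
BOOT_ORDER = ("uefi", "bmc", "bootloader")


def boot_and_measure(images: dict) -> MeasurementLog:
    """Simulate a boot that measures each component before running it."""
    log = MeasurementLog()
    for name in BOOT_ORDER:
        log.extend(name, images[name])
    return log


def demo() -> dict:
    # 1. A clean boot: log replays and every digest is approved.
    clean_ok, _ = verify_history(boot_and_measure(APPROVED), GOLDEN)

    # 2. A modified management-engine image: the digest check catches it.
    modified = dict(APPROVED, bmc=b"management engine firmware v2.3, altered (constructed)")
    altered = boot_and_measure(modified)
    altered_ok, altered_problems = verify_history(altered, GOLDEN)

    # 3. The log entry is rewritten after the fact to the approved digest.
    #    The per-component check now passes, but the register cannot be
    #    rewound, so replay no longer matches and the edit is still detected.
    altered.events[1] = ("bmc", GOLDEN["bmc"])
    edited_ok, edited_problems = verify_history(altered, GOLDEN)

    return {
        "clean_ok": clean_ok,
        "altered_ok": altered_ok,
        "altered_problems": altered_problems,
        "edited_ok": edited_ok,
        "edited_problems": edited_problems,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the third case: a log that merely stores hashes can be edited, but a log whose entries have been folded into an extend-only register is tamper-evident, because any change to past entries makes the replayed value diverge from the register. The same property is what an audit log of user actions needs in order to be "provable" rather than just recorded.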

Lenovo infrastructure provides a highly secure foundation for your critical services by making security an inherent architectural component of our hardware systems, including the XClarity hardware management application. By taking extra steps to bake unique security features into Lenovo infrastructure, we can help you stay on top of your game and minimize risk to your business.

For more information on Lenovo XClarity, visit the product web page and the playlist of short product demonstration videos.