Dell and Intel Security Thought Leadership
April 2022
© 2022 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks
of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.
© Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other
names and brands may be claimed as the property of others.
Executive summary
• Keeping business data secure is a challenging task, complicated by the proliferation of
endpoints operating outside of the organizational network and the constant evolution of threat
vectors
• Dell and Intel’s decades-long co-enablement relationship is founded on their commitment to
keeping commercial customer networks secure
• Our holistic approach to security employs software-based, “above the OS” protections against
traditional attacks, silicon-based protections from Intel, and hardware-based, “below the OS”
capabilities that help defend against attacks targeting the deepest levels of a device
• In addition to this approach, Dell and Intel have invested in practices and policies to
continually help secure platforms once they are out in the market and subject to attack from
malicious actors
Key security trends
• 78% of security professionals surveyed said attacks increased as a result of employees working from home¹
• 62% of supply chain attacks investigated by the European Union Agency for Cybersecurity were the result of misplaced trust in a supplier²
Your business network is as secure as its weakest endpoint
It seems that every few months, another prominent global brand experiences a major security breach and the negative public exposure causes major damage to their reputation. It’s enough to keep business owners and security professionals worried that they are also exposed, be it through an overlooked vulnerability baked into their devices or an unknown, exploitable weakness in their software. You might be able to trust your IT team to secure your networks and implement data safe practices, but how can you trust all the endpoints and applications you rely on to do business when you had no oversight over their manufacturing or development?
Dell and Intel know that the only way to reliably secure business devices and networks is through a harmonization of hardware and software security technologies working in concert. While our teams have worked together to create a chainmail of closely integrated hardware and software security capabilities, other providers may not have made this investment.
A common yet flawed approach to address device integrity is attempting to create a false sense of security through software-only solutions without addressing underlying hardware-based vulnerabilities. It is important for business leaders to understand the limitations of this strategy: by relying only on software to protect their businesses, they leave the hardware that the software is running on potentially vulnerable to attacks. In essence, if hardware isn’t secure, security applications and technologies running on it cannot be secure either.
Other providers attempt to create a “walled garden” to protect devices, where limitations are built into the apps and services that restrict user flexibility. While this may make sense in a consumer context, it comes at the cost of the freedom to fully leverage devices, a challenge that’s only exacerbated in a commercial context. This approach may also lead attackers to increasingly target and break down these systems to expose vulnerabilities in common configurations.
Simply put, what works for direct-to-consumer devices often fails when applied in a commercial environment that represents a more attractive target for attackers. That’s why Dell and Intel take a different, holistic approach to security.
Dell and Intel provide built-in, hardware-based security
The complexities and concerns of securing devices and networks are enough to make your head spin. That’s why we have made it our mission to provide our customers with devices designed with security in mind to enable them to focus on what really matters - making their businesses run.
Dell and Intel’s co-engineering relationship spans several decades and has always focused on keeping our customers’ data secure, especially in the business-to-business market. Through its partnership with Intel, Dell has established a reputation as a go-to provider of employee devices for companies of all sizes and in every market.
What goes into a Dell commercial device? It’s more than a ramshackle collection of features – Intel and Dell weave technologies, tools, and policies throughout the commercial PC lifecycle to help provide end-to-end security for our customers and their businesses.
Security by design
Intel and Dell look beyond today’s threats when designing tomorrow’s systems to minimize the attack surface and help ensure commercial devices stay secure.
Protection in transit
We have technologies and policies in place to help protect the integrity of devices before they are in your hands, helping to maintain security throughout component sourcing, assembly, and delivery.
Defense against evolving threats
We employ hardware-based security through Dell Trusted Device technologies and Intel® Hardware Shield capabilities to harden device defenses through a framework of prevention, detection, and response.
In addition, Dell and Intel have security teams dedicated to probing their products and finding new vulnerabilities before attackers do – expediently pushing out patches to help keep you and your team covered.
In this whitepaper, we’ll explore how Dell and Intel have worked together to produce commercial PC platforms with security baked in at the deepest levels to help protect your devices across their lifecycle, through your next refresh, and beyond.
platforms starts
at the whiteboard
Planning, assessment, and analysis
Before designing their newest platforms and chipsets, respectively, experts at Dell and Intel set strict parameters for what a secure platform needs to include to address the security needs of the future and meet required security regulations. This process starts with a roundtable determination of likely future security and privacy risks and the activities necessary to address them. This assessment is used to define the security objectives we will evaluate our architectures against.
With this information, security teams from Dell and Intel develop threat models by taking an adversarial mindset to this conceptual architecture, probing for potential vulnerabilities and exploits which must be mitigated against. This exercise has proven to deliver significant improvements in finding and mitigating potential vulnerabilities in BIOS, firmware, and hardware design.
Security-centric design
Once the threat assessments are complete and models are created to define what the threat surface is and where testing should be focused, engineers begin developing the product code. The security objectives defined in the previous stage provide guidance during this phase of development and serve as criteria to determine if the product is on track to meet our customers’ needs.
After the code has been refined to the point of satisfying the security objectives laid out at the start of the development lifecycle, the product moves forward to a rigorous testing process.
Verification and testing
These tests usually begin with secure code reviews and static code analysis, an automated process which uses special tools for finding and fixing defects. Some products with more complicated code then move to a manual review process, where security experts perform line-by-line reviews of product code to find previously unknown mistakes and help ensure it has been designed in a safe way.
Finally, teams of expert hackers are directed to engage in penetration testing and other red team activities to find potential vulnerabilities that were missed in the earlier phases. These findings are mitigated again based on risk, so that any additional identified exposure has been documented and corrected.
Release and post-release
Once the product has been rigorously tested and found to meet or exceed the security objectives defined at the start, it is ready for release into the marketplace.
However, these phases represent only a slice of the secure development lifecycle. For Dell and Intel, the security of our platforms is an ongoing effort. Our teams work to discover vulnerabilities before they can be exploited by attackers, then develop and push out security updates to patch them.
An example of Dell and Intel’s commitment to end-to-end security is their investment in a safe supply chain between assembly and delivery of a device, one of the fastest growing attack vectors for malicious actors. In the next section, we’ll dive into how Dell and Intel mitigate risks along their supply chains to help ensure the device that is delivered to your doorstep is secure from the first boot.
Supply chain assurance is foundational to device security
A lot can happen between the time a component or device leaves the factory and when it arrives at its
destination. Each step in the supply chain represents a new vector that opens your employees, your business,
and your customers up to potential attack. Dell and Intel have developed tools, technologies, and processes to
help ensure the security of their products before they get to customer businesses and enable self-verification of
device authenticity before being deployed to employees.
Source
Dell employs a rigorous partner screening process to help ensure the quality and security of devices and
their components. These partners also routinely undergo audits to ensure compliance with Dell’s
comprehensive set of Supply Chain Security Standards.
Make
In addition to adhering to Dell’s Supply Chain Security Standards, Dell device manufacturers also frequently
test parts during manufacturing to help ensure counterfeit products do not sneak into the supply chain. To
further mitigate this risk, Unique Piece Part Identification Number (PPID) labels are affixed to specific high-
risk components, containing information about the supplier, part number, country of origin, and date of
manufacture so that Dell can identify, authenticate, track, and finally validate these components to help
ensure the customer receives exactly what was shipped.
Deliver
Dell freight is protected through layers of physical security, from tamper-evident seals and door locking
mechanisms to a variety of tracking devices designed to detect if the Dell devices inside have been tampered
with in transit.
Dell devices themselves also feature tamper detection technologies. Dell Technologies SafeSupply Chain
solutions cover supply chain security and integrity controls like tamper evident seals and NIST level hard
drive wipes to help ensure a clean slate for your corporate image.
Verify
Dell commercial devices ship with cryptographically signed platform certificates that capture snapshot
attributes of platforms during manufacturing, assembly, testing, and integration. These platform attributes are
then cryptographically linked to the specific device using the Trusted Platform Module (TPM) as the hardware
root of trust.
Dell has implemented Trusted Computing Group platform certificates within the Dell Secured Component
Verification (SCV) solution for commercial PCs with Intel processors. SCV delivers cryptographically
signed inventory certificates to IT for supported Dell devices. With secure self-verification tools, SCV helps
assure full hardware integrity during transit to IT environments and allows customers to verify that Dell
commercial PCs and key components arrive as they were ordered and built.
Similarly, Intel has been enabling vendors with base digital supply chain transparency and traceability for
many years. Intel® Transparent Supply Chain (Intel® TSC) delivers TCG platform certificates and
component data for supporting Intel-based platforms using a cloud API available to IT through the Intel®
TSC web portal. Although Dell and Intel opted to implement independent solutions, TCG platform
certificates are a common ingredient between Intel® TSC and Dell SCV. This commonality provides
compatibility and interoperability that enable enterprise and government buyers to deploy TCG platform
certificates for improved digital supply chain security assurance for Intel-based devices.
Built-in security technologies help prevent, detect, and respond to threats
Holistic security means going beyond the legacy model of software protecting software to keep up with new
categories of threats against digital security, safety, and privacy. Combining it with hardware-based, “below the
OS” security technology helps protect every layer of the compute stack by working to prevent and detect
foundational attacks, including threat variants that most commonly occur along the supply chain. Dell and
Intel’s co-engineering relationship has focused on covering this attack surface with an intricate tapestry of
technologies at both the component and platform level. In addition to other Dell and Intel tools and
technologies, Intel® Hardware Shield and Dell’s SafeBIOS framework provide built-in, hardware-based
protection to Dell commercial device users.
Figure 1: Intel® Hardware Shield and Dell hardware-based protections are security layers that help defend against foundational level attacks
Intel® Hardware Shield
Intel Hardware Shield is included with every Dell commercial device running on the Intel vPro® platform and
delivers hardware-enhanced security features that help protect all layers in the computing stack.
Intel Hardware Shield consists of Advanced Threat Protections, Application and Data Protections, and Below the
OS Security, which encompass over twenty innovative security technologies. Dell has harnessed almost every
one of these capabilities to develop security solutions that draw on their foundational features to provide
customers with one of the most secure commercial devices on the market. These solutions include the Dell
SafeBIOS framework, Dell SafeID, and Dell SafeScreen, together helping to offer an even greater level of
security assurance against current and future threats.
Dell SafeBIOS framework, Dell SafeID, and Dell SafeScreen
Basic Input Output System (BIOS) protection is crucial to device security. If an attacker manages to corrupt a
device’s BIOS, they would be able to gain control of the entire device due to BIOS’s unique and privileged
position within the device architecture. To protect this critical layer, Dell commercial devices ship with
SafeBIOS, a suite of tools that help prevent BIOS attacks, detect if the BIOS has been compromised, and
respond by alerting IT if irregularities are found.
Select Dell commercial devices also include Dell SafeID, which secures end user credentials in a dedicated
security chip to keep them hidden from malware that looks for and steals access credentials, a breach that
could potentially compromise an entire business network.
In addition, Dell enables end users to work from anywhere while keeping private information private by
including Dell SafeScreen on select commercial devices. Dell SafeScreen helps keep sensitive information and
credentials safe from physical threats with an integrated digital privacy screen and sensor-enabled webcam.
Below-the-OS security is only one part of the holistic approach Dell takes to securing devices
To more wholly secure Dell commercial devices, Dell and Intel have also invested heavily in security solutions
within and above the OS. These capabilities do more to help protect devices from advanced threats posed by
sophisticated attackers by offering an additional layer of protection at the data and application layer.
above-the-OS
solutions help keep
endpoints secure
Despite the rising threat of below-the-OS attacks, protection above-the-OS is more important than ever before. With the
number of end users who are working remotely and on-the-go increasing exponentially, you need intelligent solutions that
prevent, detect, and respond to threats wherever they occur. The Dell Trusted Devices endpoint security portfolio includes
optional software like Dell SafeGuard and Response, Dell SafeData, and VMware Workspace ONE® to provide business
leaders with what they need to protect their endpoints. Intel security capabilities, integrated deep in the silicon, such as Intel®
Control-flow Enforcement Technology, protect against attacks targeting the OS, while other capabilities within Intel
Hardware Shield protect below the OS, secure applications and data, and provide advanced threat protections.
Figure 2: The Dell Trusted Device endpoint security portfolio combined with Intel’s vPro hardware-
based security capabilities provide efficient security performance from chip to cloud.
Dell SafeGuard and Response is powered by VMware® Carbon Black and Secureworks® Taegis™ XDR,
combining a next-generation antivirus with security telemetry analysis on endpoint, network, and cloud. Dell
SafeGuard and Response helps businesses detect, investigate, and respond to advanced threats across their
organization.
Dell SafeData encrypts sensitive information and protects data with Netskope and Absolute. These applications
provide visibility, monitoring, and data loss prevention for cloud-based applications and restore endpoint
applications to their original safe state in the case of malicious attacks.
VMware Workspace ONE® is an intelligence-driven digital workspace platform that simply and securely delivers
and manages any app on any device by integrating access control, application management, and multiplatform
endpoint management. With the recent integration of Intel vPro® platform technologies with VMware
Workspace ONE, IT teams benefit from better security and chip-to-cloud management of endpoints.
Dell and Intel’s above- and below-the-OS security frameworks offer a holistic approach to protecting
commercial devices, but as security experts we know that no device is absolutely secure. That is why
we are industry leaders for post-release security investments to help ensure our devices remain
secure for years after release.
Dell and Intel invest in ongoing security of their platforms post release
Dell and Intel have made significant and sustained investments to help assure security throughout a
product’s lifecycle. Once a device or platform is out in the market, teams at Dell and Intel continue to
actively probe their products for vulnerabilities. For Intel, this process includes working together with
researchers and universities to find possible exploitations before malicious actors do, quickly patch
any vulnerabilities found, and then report them after the security loophole has been closed.
As part of this effort, Intel funds a bug bounty program that is one of the best in the industry,
accounting for 86% of externally found vulnerabilities in 2021. The CVEs (Common Vulnerabilities and
Exposures) found through this program and by internal or external researchers are logged in a public
database. As a proud leader in post-release vulnerability monitoring and reporting, Intel has logged
and patched more potential vulnerabilities than most competitors, staying ahead of chip manufacturers
who do not match our commitment to transparency and device security.
To address the CVEs found through their extensive programs, Intel regularly pushes out Intel Platform
Updates to all systems running on their products. This rollout is an extensive process that requires
validation from Intel’s partner ecosystem, including CSPs, ISVs, OEM/ODMs, and SIs.
Coordinating the disclosure of and response to identified product vulnerabilities is handled by Dell and
Intel’s dedicated Product Security Incident Response Teams. Together, they work to help ensure
CVEs are handled quickly and securely, effectively mitigating any risks they pose.
Dell and Intel have made these investments to provide ongoing support to our customers and ease
the burden on their IT teams. We’ve hired researchers, security architects, and cyber forensic analysts
to help keep your business secure and enable your teams to focus on equipping your employees to do
their best work.
Figure 3: Count of Intel product CVEs found by internal and external researchers in 2021
Figure 4: Internal and external teams worked to find vulnerabilities in Intel platforms that were patched before they could be exploited
[Bar charts; category labels: Low, Medium, High, Critical, Internally Found, Bug Bounty, Other*]
Dell and Intel are committed to helping you secure your growing business
The battle of cybersecurity is won or lost based on your ability to collect, analyze and
respond to threat intelligence.
Today’s attackers are innovative. Understanding that most security solutions focus on securing
software only, they are looking at below-the-OS layers and the supply chain as new vectors to
compromise your security and exploit businesses like yours.
To stay ahead of these bad actors and to keep their businesses protected, today’s leaders must
consider built-in, hardware-based security technologies deep in the silicon as crucial when deploying
commercial devices to their employees.
Dell and Intel have been partnering in the commercial device space for decades and have earned our customers’ trust with some of the most secure commercial devices in the industry. Our joint expertise and co-engineering relationship enable us to stay ahead of hackers through our consistent research, diligence, and innovation. As leaders in the commercial device space for decades, Intel and Dell see more and stop more – constantly acting on an immense set of data and telemetry to continually help enable and improve the security of our joint customers’ commercial devices. Our thought leaders meet regularly to discuss what comprehensive security looks like today, what it will look like tomorrow, and the investments needed to ensure our products remain at the leading edge of commercial cybersecurity.
With world-class supply chain security, hardware-based protections, and ongoing support, Dell and Intel are ready to offer you and your business commercial devices that get the job done and are designed to help keep your business data off the dark web. Speak to your Dell sales rep today to learn more about our commercial device programs and how we can help you achieve your business objectives.
Learn more…
…about Dell Technologies offerings
• Dell Technologies Safety and Security webpage
• Dell Trusted Devices webpage
• Dell Trusted Device Below-the-OS whitepaper
• Dell SafeGuard and Response datasheet
• Dell SafeBIOS datasheet
• Dell Supply Chain Assurance brief
…about Intel offerings
• Intel vPro® Platform security manifesto
• Intel® Hardware Shield webpage
• Intel® Hardware Shield whitepaper
• Intel Advanced Threat Protections whitepaper
• Intel Virtualization Technologies whitepaper
• Intel Below-the-OS Security whitepaper
• Intel Transparent Supply Chain webpage
• Intel 2021 Product Security Report
© 2022 Dell, Inc. ALL RIGHTS RESERVED. No part of this document may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying and recording for any purpose without the written
permission of Dell, Inc. (“Dell”).
Dell, the Dell logo and products — as identified in this document — are registered trademarks of Dell, Inc. in the U.S.A.
and/or other countries. All other trademarks and registered trademarks are property of their respective owners.
Intel technologies may require enabled hardware, software or service activation. No product or component can be
absolutely secure. Your costs and results may vary. © Intel Corporation. Intel, the Intel logo, and other Intel marks are
trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.
Intel® Hardware Shield technologies on
Windows-based devices
Every Dell commercial device running on the Intel® vPro® platform includes Intel Hardware Shield. As a
fully-integrated foundation for Dell devices, Intel Hardware Shield protects above, within, and below the
OS, and enhances Dell’s full-stack security efforts.
Below-the-OS Security
Provided by BIOS & boot flow protection technology
• Intel® BIOS Guard
• Intel® Boot Guard
• Intel Firmware Guard Update/Recovery
• Intel® Platform Trust Technology (Intel® PTT)
• Tunable Replica Circuit – Fault Injection Detection
• Intel® Runtime BIOS Resilience
• Intel® System Resources Defense
• Intel® Trusted Execution Technology (Intel® TXT)
• Intel® System Security Report
Dell commercial devices feature end-to-end security,
from design to delivery and beyond
Figure 5: Dell and Intel work together to provide secure systems for your business
* Available currently for US Federal only