Business PC Security for IT Pros

Today’s IT departments must deal with not only the need to deliver an increasingly complex set of services but also the responsibility to protect the organization as a whole from escalating security threats. Intel® vPro™ technology delivers advanced performance to meet rigorous service-level requirements, robust manageability that makes IT more cost-effective, and embedded security that protects the company’s network and the data housed in it.

Every company, no matter what size it is or what business it is in, must guard itself against increasingly professional and sophisticated attackers. Moreover, it must do so without compromising performance and user freedom to innovate. Intel vPro technology delivers hardware-based functionality that works in concert with software building blocks to help IT meet core security goals¹ that include the following:

Strengthen authentication and protect passwords.

Prevent attacks below the OS.

Protect confidential business, employee, and customer information.

Respond to security breaches with speed and agility.

Embedded Security from the 3rd Generation Intel® Core™ vPro™ Processor

Business computing has become more secure with the introduction of the 3rd generation Intel® Core™ vPro™ processor platform. Drawing on feedback from IT organizations worldwide, Intel has developed silicon-based hardware features that address the security threats that system administrators are most concerned with. These embedded security features built into 3rd gen Intel Core vPro processor platforms enable businesses to protect themselves.

Threat management. Features such as Intel® Trusted Execution Technology (Intel® TXT)² and Intel® Virtualization Technology (Intel® VT)³ help reduce the threat of viruses, rootkits, and other malware.

Identity and access. Hardware-based two-factor authentication built on Intel® Identity Protection Technology⁴ (Intel® IPT) helps protect access to network resources.

Data protection. Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI)⁵ accelerates encryption, and Intel® Anti-Theft Technology⁶ helps mitigate the risk of lost or stolen PCs.

With these and other features of the 3rd gen Intel Core vPro processor platform, IT professionals have a powerful new set of capabilities at their disposal.

Managing Threats with Intel® Trusted Execution Technology and Intel® Virtualization Technology

Malware is front-of-mind in any discussion of security threats to business PCs, and every IT organization must wage an ongoing struggle against attacks by software-based intruders such as viruses and rootkits. While the traditional protection against these threats has been the use of software-based agents, that approach has some limitations. For example, because rootkits operate beneath the level of the OS, they are often hidden from software agents that depend on the OS. Likewise, client virtualization adds complexity to the environment that can challenge traditional anti-malware measures.

Intel TXT is a hardware-based capability that protects against software-based attacks by establishing a chain of trust from the bare-metal hardware up to the OS or hypervisor. This chain of trust provides a “known good sequence” of expected actions at start-up, against which the system can validate the behaviors of key components of the business PC launch environment.

By assessing the expected launch sequence against the actual behavior of the system at start-up, Intel TXT can detect attempts at tampering with the launch environment. In the event that unauthorized code attempts to start up at launch, an Intel TXT-based trusted-platform solution can take appropriate actions such as preventing start-up and alerting IT personnel.
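
The comparison of an expected launch sequence with the actual one can be modelled as a hash chain. The Python below is an added example, not Intel's code or part of the original paper: it folds each launch component into one register the way a TPM 1.2 extend operation does and checks the result against a known-good value. Component names and contents are constructed placeholders, and a real Intel TXT measured launch involves more registers and steps than this model.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a SHA-1 digest, the register width on TPM 1.2

def extend(pcr: bytes, blob: bytes) -> bytes:
    """Extend operation: new PCR = SHA1(old PCR || SHA1(blob))."""
    return hashlib.sha1(pcr + hashlib.sha1(blob).digest()).digest()

def measure_launch(components):
    """Measure an ordered launch sequence; return (final PCR, event log)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, blob in components:
        log.append((name, hashlib.sha1(blob).hexdigest()))
        pcr = extend(pcr, blob)
    return pcr, log

def verify_launch(golden_pcr, golden_log, components):
    """Compare an actual launch with the known-good one.

    Returns (trusted, culprit): culprit is the first component whose
    measurement or position differs from the golden log, or None.
    """
    pcr, log = measure_launch(components)
    if hmac.compare_digest(pcr, golden_pcr):
        return True, None
    for expected, actual in zip(golden_log, log):
        if expected != actual:
            return False, actual[0]
    # Same prefix but a different length: something was added or skipped.
    return False, "<sequence length mismatch>"

# Constructed sample data: names and contents are hypothetical stand-ins.
KNOWN_GOOD = [
    ("acm", b"authenticated code module v1"),
    ("hypervisor", b"hypervisor build 100"),
    ("os-kernel", b"kernel build 200"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_launch(KNOWN_GOOD)

TAMPERED = [KNOWN_GOOD[0], ("hypervisor", b"hypervisor build 100 + rootkit"), KNOWN_GOOD[2]]
REORDERED = [KNOWN_GOOD[1], KNOWN_GOOD[0], KNOWN_GOOD[2]]

if __name__ == "__main__":
    for label, seq in (("clean", KNOWN_GOOD), ("tampered", TAMPERED), ("reordered", REORDERED)):
        print(label, verify_launch(GOLDEN_PCR, GOLDEN_LOG, seq))
```

Because each extend hashes the previous register value, the final value depends on both the content and the order of every component, so a modified or reordered stage cannot reproduce the known-good result.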

When Intel TXT is used on virtualized client systems, Intel VT works in conjunction with the measured launch environment to enhance security. For example, Intel VT prevents unauthorized virtual machines from accessing restricted areas of memory, using the chain of trust to enhance control of sensitive information. Likewise, Intel VT can be used to provide hardware-based isolation of data or applications.

Guarding Identity and Access with Intel® Identity Protection Technology

Simple username-password pairs are widely regarded as not being sufficient to protect access to many resources, particularly virtual private networks and software-as-a-service applications. To address that shortcoming, many organizations have deployed two-factor authentication measures such as hardware-based or software-based tokens that generate one-time passwords (OTPs) for users to use with their other login credentials. Both these types of tokens have significant limitations.

Software tokens depend on the OS for security. Because the software that generates the OTP works on top of the OS, malware can render the software token’s protection ineffective.

Hardware tokens add complexity and expense. Distributing hardware tokens to large numbers of users is expensive, and, moreover, users often lose them, which leads to further expense.

As a featured technology on Intel vPro technology-based clients, Intel IPT overcomes the limitations of both software and hardware tokens. With Intel IPT with OTP, business organizations can create a strong, two-factor authentication method for accessing their enterprise networks. Intel IPT generates a random six-digit code from the hardware chipset to authenticate a user, which makes the code generation resistant to tampering by threats that can compromise software tokens working within the OS.

Additionally, unlike software tokens that can be defeated by screen-scraping malware that discovers the OTP, Intel IPT with protected transaction display generates a random number PIN pad using the graphics hardware within the processor, making it invisible to the OS and the rest of the software layer. Likewise, since Intel IPT is built into the PC platform itself, there is no token to break or to be lost or stolen.

Intel IPT with a public-key infrastructure (PKI) on 3rd Generation Intel Core vPro technology-based clients uses public-key digital certificates for authentication. With this Intel IPT technology, PKI certificates are stored in the chipset to authenticate the user and the server to each other and to encrypt and digitally sign documents. Because all versions of Intel IPT are embedded directly within the PC platform, they also help assure businesses that only authorized devices are able to access the network. This capability provides IT an added measure of control over where and how sensitive resources can be accessed.

Protecting Data with Intel® Advanced Encryption Standard New Instructions and Intel® Anti-Theft Technology

Beyond safeguarding client business PCs from malware and ensuring that only authorized users have access to restricted resources, protecting the corporate data itself is also a crucial aspect of information security. Two complementary aspects of this requirement include encrypting the data during normal use and ensuring that data cannot be accessed by unauthorized users in case a business PC is lost or stolen. Intel vPro technology incorporates embedded security technologies to address both those challenges.

Because encrypting and decrypting data is resource intensive, pervasive data encryption has traditionally carried with it significant compromises in terms of performance. Many IT organizations simply were not willing to make the trade-offs required to turn encryption on, even in vital systems, because doing so would significantly impact application performance.

Intel AES-NI provides the means to overcome the need for this compromise by accelerating key parts of the AES algorithm, enabling encrypt and decrypt operations to be handled more quickly than would otherwise be possible. A set of seven new processor instructions, Intel AES-NI enables key parts of encryption to be performed in the platform hardware, encrypting data up to four times faster.⁷ That hardware-based operation also isolates the encryption operations from the software environment, reducing the attack surface potentially exposed to malware.

Accelerated encryption using Intel AES-NI works quietly in the background, avoiding interference with user productivity. Because encryption operations can be handled more quickly, Intel AES-NI also helps make the use of larger encryption keys viable, for an additional boost to security. Faster encryption also streamlines compliance with regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley.

Lost and stolen business PCs are increasingly common as workforces become more mobile with every passing year. Confidential data loss brings with it the potential risk of financial or legal exposure. Intel® Anti-Theft Technology (Intel® AT) provides one means of mitigating the impact of lost or stolen PCs, to prevent the data housed on them from being accessed by unauthorized parties. It also allows the PC to easily be restored to full functionality if it is recovered.

IT administrators can configure PC behavior with regard to Intel AT using network policy. For example, a PC might lock down after excessive login attempts, if it fails to check in with a network server for a specified period of time, or if it receives an authorized, encrypted text message over a 3G network. The PC can thus be triggered to enter theft mode either automatically or remotely by IT, and it remains effective even if the OS is re-imaged, the boot order is changed, the PC is disconnected from the network, or a new hard drive is installed.

Intel AT also supports fast, easy reactivation and full system recovery in the event that the PC is recovered, or if de-activation has been carried out by mistake. Depending on the preferences of the IT organization, which can control them using network policy, several options are available: the user may enter a local passphrase, the help desk or a service provider may generate a one-time reactivation code, or IT may directly send an encrypted text message to the PC.

Conclusion

The 3rd gen Intel Core vPro processor platform offers IT professionals robust ways to help protect information assets. Hardware-based features help avoid malware threats, provide robust two-factor authentication, accelerate data encryption, and even protect the contents of the business PC if it is lost or stolen.

This comprehensive, multi-faceted approach is a strong foundation for enhancing information security in a world of rapidly growing and evolving threats.

For more information on the capabilities of Intel vPro technology, visit the Intel® Business Client Developer Community.

1 Intel® vPro™ technology is sophisticated and requires setup and configuration. Availability of features and results will depend upon the setup and configuration of your hardware, software, and IT environment. To learn more, visit www.intel.com/technology/vpro/.

2 No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer with Intel® Virtualization Technology, an Intel TXT-enabled processor and BIOS, a chipset, Authenticated Code Modules, and an Intel TXT-compatible measured launch environment (MLE). Intel TXT also requires the system to contain a TPM v1.2. For more information, visit www.intel.com/technology/security.

3 Intel® Virtualization Technology requires a computer system with an enabled Intel processor and BIOS, and a virtual machine monitor (VMM). Functionality, performance, or other benefits will vary depending on hardware and software configurations. Software applications may not be compatible with all operating systems. Consult your PC manufacturer. For more information, visit www.intel.com/go/virtualization.

4 No system can provide absolute security under all conditions. Requires an Intel IPT-enabled system, including a 2nd generation or 3rd generation Intel® Core™ processor, an enabled chipset, firmware, software, and a participating web site. Consult your system manufacturer. Intel assumes no liability for lost or stolen data or systems or any resulting damages. For more information, visit http://ipt.intel.com.

5 Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) requires a computer system with an Intel AES-NI-enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. Intel AES-NI is available on select Intel® Core™ processors. For availability, consult your system manufacturer. For more information, visit /en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni.

6 No system can provide absolute security under all conditions. Requires an enabled chipset and BIOS, firmware, software, and a subscription with a capable service provider. Consult your system manufacturer and service provider for availability and functionality. Intel assumes no liability for lost or stolen data or systems or any other damages resulting thereto. For more information, visit www.intel.com/go/anti-theft.

7 Software and workloads used in performance tests may have been optimized for performance only on Intel® microprocessors. Performance tests, such as SYSmark* and MobileMark*, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.

For more complete information about compiler optimizations, see our Optimization Notice.