Intel® vPro™ Technology Improves Data Security to Protect Sensitive Information at Rest

By Chris Burchett, CTO and Co-Founder, Credant Technologies

The loss of laptops, smart phones, and other mobile devices that carry sensitive data has become a mission-critical issue for many organizations. Often, this problem leads to splashy headlines and reputation damage. At government agencies and large corporations alike, high-profile data breaches have fueled renewed interest in encryption products. Such products strive to prevent unauthorized access to sensitive data that's at rest on mobile devices that are lost or stolen.

Current solutions are software-based. Programs encrypt either the entire mobile device (full-disk encryption) or the sensitive data in files or folders (intelligent encryption) with policy-based controls and central management. In fact, the market is demanding more robust encryption solutions that include:

  • Seamless end-user transparency and ease of use
  • The highest level of data security in the industry
  • Simplicity of management and deployment in a complex enterprise setting
  • Support for all operating systems (OSs) and devices in use by the organizations – typically Windows 2000, XP, and now Vista, Windows Mobile, Palm, Symbian, RIM, USB devices, and – increasingly – MP3 players

But there are limits to what can be accomplished with a software-only solution. Imagine if data security could be built at the microprocessor platform level for a bottom-up approach, which complements the software-based, top-down solution. Recently, Intel collaborated with Credant Technologies to enable data security for its customers based on Intel® vPro™ technology. Intel vPro technology is permitting data security to be enhanced at the Intel platform level. At the same time, it eases the development challenges of a software-based data-security solution.

While Intel vPro technology provides many new enhanced capabilities, there are four that are particularly beneficial in raising the bar on the level of security and ease of management for data encryption:

1 A remote communication channel that's always available to authorized IT
2 Persistent, nonvolatile memory where third-party application information can be safely stored
3 Agent presence checking to provide a hardware-based "heartbeat" to ensure that third-party software agents are always running
4 Virtualization technology built into the hardware to enable third parties to run in an isolated environment, where they're protected from any possible threat of malware

How can embedded designers take advantage of these capabilities for enhanced data-encryption management? This article provides an overview of how Intel vPro technology is helping designers address the three big challenges that enterprise customers face today.

How can we protect software from attack by malicious code or determined expert attack?

Tamper-resistance technology can be provided through integrity checks and software watchdog timers, which automatically restart software or reboot a device that shows signs of tampering. In fact, penetration attacks by third parties haven't yet succeeded in exposing encrypted data that's protected by the software. Unfortunately, however, software methods can only take us so far. It's theoretically possible for a determined attacker, who has enough time and technical know-how and is equipped with malicious code like root-kits, to attack any software in such a way that it is compromised. In the case of tamper resistance, this may mean that the software is changed without triggering fail-safes. With encryption software, it may mean that encryption keys become compromised.

In this area, Intel vPro technology provides two aids. By providing hardware-based agent presence checking, the watchdog-timer mechanism cannot be tampered with or defeated in the same way that a software mechanism might be compromised. As a result, an attacker won't be able to defeat the watchdog and shut down the software to expose it to a more methodical or unanticipated attack vector. Secondly, the Intel vPro virtualization technology allows parts of the solution to be moved into a virtual machine. There, it's protected from attack by malware and malicious users.

How can we enable enterprise customers to remotely identify the need and then repair a machine when issues arise and remote break-fix is required?

The remote communication and management capabilities of Intel vPro technology enables embedded designers to detect the need for maintenance and reboot machines even if the machine isn't currently operable. Remote break-fix situations are therefore greatly simplified. Essentially, Intel vPro technology enables third parties to define responses for system alerts that are stored in tamper-resistant event logs. Responses may include forwarding an alert to an IT-management console or triggering an action immediately on the device. A policy-based approach further allows the organization to determine how and when alerts are forwarded. In addition, Intel vPro technology eases the remote restoration of the device to an operational state – even when the OS is corrupted by enabling the machine to boot using an OS image located on a network drive.

How can we enable enterprise customers to track the deployment status of the software and report compliance to their data-protection policies? Hhow can we be sure that a device always receives a security policy update (perhaps to suspend the device from a malicious user)?

With the remote communication and management capability of Intel vPro technology, users can remotely communicate with machines regardless of their power state. Thus, users will always have the most up-to-date deployment status regardless of whether the machines are powered on when the status query arrives. In addition to the remote communication and system alerts discussed above, Intel vPro technology provides an additional capability that's useful in solving these questions – namely, persistent nonvolatile storage. This capability will allow designers to use this storage to enable the software on a machine to securely communicate encryption status, version information, system-health information, and critical-audit information through this out-of-band mechanism. The third-party servers also can be used to place urgent policy changes in the nonvolatile storage. There, the policies will be retrieved by the security software running on the machine. In this way, no machine will ever be unable to receive a policy update or report its real-time status information for compliance reporting.

The strategic benefits from Intel vPro technology and Intel® Active Management Technology are aiding the development of an even more secure and manageable solution to protect sensitive data at rest. In addition to taking advantage of Intel vPro technology features to enhance Credant's software-based solution, expect hardware-based solutions with Intel later this year.

Chris Burchett is CTO and Co-Founder of Credant Technologies. An expert in both embedded firmware and enterprise software, Burchett is the author of numerous patents. He previously served as Director of Research and Development for i2 Technologies. During his tenure, Burchett led that company's mobile wireless initiative as well as the first large-scale development of its forecast, supply, capacity, allocation, and order-planning products. Prior to i2, Burchett designed and developed real-time embedded systems using artificial intelligence for top-secret projects. He received a Bachelor's degree in Computer Science from Texas Tech University and a Master's degree in Computer Science from Southern Methodist University.