Crimeware Protection Whitepaper
Intel® Core™ vPro™ Processors
Data Loss Prevention
How Safe is Safe?
Business data resides in many forms and places today, and often travels outside the corporate physical boundaries: contact lists and communications on smart phones, marketing and business plans on laptops, intellectual property and designs on servers, etc. And it is accessed locally and remotely from a variety of devices through secured tunnels on public networks and over private networks. Protecting the devices as they travel and the data throughout transit and storage from threats is no small IT challenge.
Intel embedded security technologies address data loss prevention – both the data and the devices on which the data might reside with the following capabilities:
- Accelerated encryption/decryption technology.
- Secure, high-performance, pure random number generation technology for seeding the encryption algorithms.
- Physical device security technology.
Enabling Ubiquitous Encryption
Encrypted data is the safest data. Without solid encryption, thieves can easily access an enterprise’s single-most important asset – its collective knowledge. Encryption allows an organization to secure its confidential information using complete disk or selective file/folder encryption. Traditionally, however, on-the-fly encryption and decryption would tax the client’s performance, impacting employee productivity. Thus, enterprises have been reluctant to deploy encryption company-wide.
Algorithms of the Advanced Encryption Standard are widely used in encryption/decryption processes in operating systems and security software. Intel® Advanced Encryption Standard – New Instructions (Intel® AES-NI) includes seven new processor instructions that accelerate encryption and decryption up to four times faster in applications optimized for Intel AES-NI, such as McAfee Endpoint Encryption.* When an optimized encryption product is employed, users avoid a “productivity/performance tax” with Intel AES-NI, enabling enterprises to employ ubiquitous encryption throughout the enterprise across business clients based on Intel Core vPro processors.
Now, it’s possible to simultaneously make data safer, while keeping employees productive.
True Random Numbers
Secure, protected encryption starts with a random number seed, typically provided by a pseudo-random number generator within the client. Higher quality numbers are less predictable and provide better security. And the more protected the number is during generation, the safer is the encryption. Numbers stored in memory during generation are eventually at risk by sophisticated malware.
Intel® Secure Key provides a clean source of random numbers through generation in hardware, out of sight of malware. The autonomous, self-contained digital random number generator resides on the processor package, making it chipset-independent.
Intel Secure Key is:
- Standards-compliant (NIST SP 800-90) and NIST FIPS 140-2 Level 2 certified.
- Easily accessible to all applications and at any privilege level using a new processor instruction.
- A closed system – the state of the system is never seen, never placed in memory, and never “stored anywhere.”
Any software application can benefit from Intel Secure Key, including the following:
- Security ISVs that issue certificates
- Secure web browsers with SSL security links
- Data encryption providers
- Operating systems
Intel Secure Key deepens encryption protection without a performance tax.
Lost, but Not Forgotten
Data on laptops is often some of the most critical and most difficult to protect, even with the toughest mobile usage IT policies. Criminals involved in industrial espionage and trade secret theft understand the vulnerability mobile devices present.
Every day, hundreds of laptops go missing from airports around the world – many with highly sensitive data on them. Intel® Anti-Theft Technology (Intel® AT), embedded in Intel Core vPro processors, self-protects the data and laptop on which it resides if it goes missing. It can even enable the missing client to report its own location. And, Intel AT enables IT to remotely restore a laptop when the system is found and returned.
With Intel AT enabled on a business client, IT security management can define a threat to the device. A threat can be an incorrect login identity entered by a thief, a “fake” login identity entered by a user under duress, or prevention of the device connecting to a corporate network to periodically “check in.” The threat triggers the IT management system to send a “poison pill” to it, locking it down.
With Intel AT, locking down the system includes the following, making the device and data useless:
- Essentially scrambles any security keys embedded in the device so they cannot be used in identity theft; however, the keys can be restored by IT.
- Prevents disk drive access and data decryption, even if it is installed into another device, preventing access to the data on it.
- Disables access to any platform functions once powered on, even if a new drive is installed in the client.
- If the device includes 3G network connectivity, it can send its own GPS location to the IT department.
If the system is eventually recovered, it can be restored to working condition – even remotely by IT – simply by the user contacting the IT staff and providing appropriate authentication. Technicians can restore the identity keys and unlock the system, placing it back in service in minutes rather than hours or days.
Intel hardware-based, built-in security technologies protect data and laptops on the go.