What Is Hardware-Based Security?
Security capabilities physically built in at the silicon level are defined as being hardware-based. This differs from traditional software-based protections in which security measures are installed on top of hardware, leaving the layers located below the operating system (OS) vulnerable to a rising class of attacks.
Hardware-based security protection is not intended to replace software security options but rather complement them. This creates a multidimensional and comprehensive security approach that can both detect and prevent a greater range of cyberthreats in today’s increasingly complex and dispersed workplace environments.
Why Software-Based Security Is No Longer Enough
Businesses have traditionally relied on security software to protect their assets. But today’s attacks are changing and shifting toward applications and devices below the operating system. This means software-based security can be bypassed by an attacker who is sophisticated or skilled enough to find and exploit a vulnerability in firmware or hardware.
For example, an emerging area of vulnerability is the code in device firmware that runs at startup to prepare the OS launch. Hackers look for ways to inject malware into this code beneath the operating system, which by default never required security and integrity checks designed into its sequence. As a result, the OS will trust this code even when it contains a nefarious malware payload.
Hardware-based security capabilities built in at the silicon level can help to create a trusted foundation that better secures data, maintains device integrity, and ensures systems start and operate as intended.
Device Tampering
Device tampering is another malware intrusion below the OS that can be addressed with hardware-based security features. Tampering can occur anywhere in the manufacture to delivery process. To counter tampering, investing in a modern device that integrates hardware security capabilities at the assembly line, via the processor, and offers OS security capabilities right out of box is imperative.
IT can also determine whether a newly received device has been tampered with by researching if the manufacturer ensures the authenticity of certified device components and takes baseline measurements of firmware code, also known as golden measurements, before the firmware is sealed, prior to transport and delivery.
After delivery, hardware-based security helps mitigate the risk of device tampering that can occur at any time in the asset’s life cycle. For example, with Intel-based processors, at each startup the technology verifies the loaders that boot the code and execute the boot sequence of the firmware and operating system. This added layer of security helps mitigate the risk of tampering to introduce malicious code under the operating system.
Hardware Security Strategies for the Business Environment
Hardware-enabled security should play a significant role in your business’s overall comprehensive security plan. Consider the following strategies to help ensure all facets of your business environment are protected.
Keep All Layers of Your Endpoints Secured
Security threats start at the endpoint, and your PC fleet endpoints are prime targets for hackers. The increase in employees working from anywhere has only made securing your endpoints more difficult. To better protect all layers of your endpoint devices and mitigate the risks of a dispersed fleet, seek out devices on Intel vPro® that have unique hardware-based security features enabled right out of the box, including active monitoring for attacks. Discover the return you could see from deploying hardware-enabled endpoint security.
Enhance Virtualization Security with Depth-of-Defense Protections
Another security approach that businesses are implementing is virtualization security, in which virtualized containers can be used to isolate and verify the integrity of applications, web browsers, and data running inside those containerized environments. Virtualization provides the ability to offer protection through isolation. It also minimizes what malware can do on the system, as the virtualized workspace has limited access to system resources and lacks the ability to persist on the system.
However, like software-based security options, virtualization security can benefit from extra layers of protection provided by hardware-based security capabilities. Intel offers a full portfolio of technologies and features that provide defense-in-depth virtualization security. For example, hypervisor-based security measures available with Intel vPro® Security exclusively on Windows PCs built on the Intel vPro® platform, help reduce the likelihood of memory redirection attacks that can compromise virtualized containers as well as improved DRAM protection with improved multikey encryption.
Improve Visibility below the OS for Better Protection from Malware
Below-the-OS hardware-based security features can also help to provide improved visibility into the foundational layers—such as the firmware and BIOS—of devices so your team can verify workloads are running on trustworthy platforms.
For example, with Intel® Boot Guard, another feature of Intel vPro® Security, your team can enable a hardware-based static root of trust for measurement and verification of boot integrity before the OS boots up. And with the Intel® Firmware Restart/Recovery feature, which focuses on firmware and BIOS updates and firmware failure recovery, you can help to make devices more secure with resilient updates from day one.
Strengthen the Security of Managed IT Environments
With enhanced manageability capabilities, IT administrators can remotely power systems up to deploy security patching or threat remediation and then power them down when not in use to help conserve energy. They can use an out-of-band keyboard video mouse (KVM) feature to take over the keyboard, monitor, and mouse of off-site endpoints—even unattended systems—to deploy security patches. In addition, a remotely managed IT environment boosts the ability to recover from errors or attacks and prevent denial of service.
Realize the Benefits of Hardware-Based Security with a Hardware Refresh
Upgrading your PC fleet can be a substantial and frustrating endeavor, but putting it on hold can be costly—from increased security risks to loss of productivity and unsatisfied employees.
Major advancements in security over the past few years and new hardware-based security requirements for Windows 11 users have made now the best time to refresh your business PCs.
Trusted Platform Module for Windows 11 Security
To keep PCs secure and make it harder for hackers to commit cybercrimes, Windows 11 now requires all PCs to use trusted platform module (TPM) 2.0 to operate. TPM is a security chip that is part of your computer’s motherboard and helps to keep it secure by offering hardware-level protection against malware and sophisticated cyberattacks. Using cryptography, TPM securely stores essential and critical information on PCs to enable platform authentication. Ensuring your devices are equipped with TPM 2.0 is imperative for the longevity of your fleet, as it will become a standard for future upgrades, and devices without TPM 2.0 will run the risk of outdated security protections.
Learn more about Windows 11 features and benefits to determine if you should upgrade.
Intel® Processor Support for TPM 2.0
Computers based on the 8th Generation or newer Intel® Core™ Processor family support TPM 2.0 through Intel® Platform Trust Technology (Intel® PTT), an integrated TPM that adheres to the 2.0 specifications. Intel® PTT offers the same capabilities of a discrete TPM, only it resides in the system’s firmware, thus removing the need for dedicated processing or memory resources.
However, even if your computer supports TPM 2.0, it still may be time to refresh your PC, as older PCs can leave you more vulnerable to cyberattacks. Learn more about how a PC refresh can help mitigate security risks.
Intel vPro® Enterprise for Windows
Intel vPro® Enterprise for Windows can help protect your people, resources, and data against tomorrow’s cyberthreats by delivering the most-comprehensive security capabilities for your business right out of the box.1 With advanced security capabilities built deep in the silicon, Intel vPro® for Windows can help:
- Reduce the attack surface by an estimated 70 percent when compared to four-year-old PCs.2
- Decrease major security breaches by 26 percent3
- Mitigate impactful security events by 21 percent3
Intel vPro® Enterprise for Windows also features a collection of security technologies that help defend against modern threats at each system layer—hardware, BIOS/firmware, hypervisor, VMs, OS, and applications.
Intel vPro® Security
Intel vPro® Security, exclusive to Windows PCs built on the Intel vPro® platform, helps improve overall security with advanced threat protections, application and data protections, and below-the-OS security. It helps minimize the risk of malware injection by locking down memory in the BIOS when software is running and preventing planted malware from compromising the OS. Additionally, Intel vPro® Security helps boosts security for virtualized environments by allowing you to run virtual machines for security-based isolation with application compatibility across different operating systems running on the same PC. Read more about Intel vPro® Security security features.
Intel® Threat Detection Technology
Another key component of the Intel vPro® platform is Intel® Threat Detection Technology (Intel® TDT). Intel® TDT enables cyberattack monitoring and increased security performance at the hardware level by providing an up to 7x boost in scanning performance.
Intel® TDT can also help to augment any of your software-based security solutions by:
- Uncovering malicious code that is cloaked in a VM or in obfuscated binaries.
- Enhancing detection of fileless malware that runs hidden in memory.
- Supporting real-time discovery of zero-day attacks, new variants, or intermittent encryption.
Hardware Security for Future Attacks and Threats
Unfortunately, bad actors aren’t going away anytime soon, and they will continue to try to hack, encrypt, and steal from your business. Fortunately, we are here to help you create a full-stack strategy that combines hardware-based security features with software security to better protect your business from the most pressing threats of today and tomorrow.
Learn more about how you can begin securing your PCs both above and below the OS with Intel vPro®, and discover the real-world ROI of the Intel vPro® platform.