White Paper: The All New 2010 Intel® Core™ vPro™ Processor Family: Intelligence that Adapts to Your Needs

Robust security schemes for remote communication

The hardware-based communication and manageability capabilities are secured through a variety of robust methodologies, technologies, and schemes. These include:

Transport Layer Security (TLS).

HTTP authentication.

Enterprise-level authentication using Microsoft Active Directory* (Kerberos).

Access control lists (ACLs).

Digital firmware signing.

Other advanced methodologies and technologies (refer to the Intel® vPro™ Technology Expert Center at communities.intel.com/docs/DOC-1370).

The security measures built into laptop and desktop PCs with a new Intel Core vPro processor can be active even when the PC is off, software agents have been disabled, or the OS is unresponsive. These measures help ensure the security of stored information and the confidentiality and authentication of the communication channel and hardware-based capabilities.

Better protection through smarter security

Security remains one of the highest priorities for IT. The number of security incidents has grown dramatically each year and the nature of these threats has changed as the motivations of attackers have shifted from bragging rights to financial gain. The cost of a data breach is also rising. A recent survey of 43 companies in 2008 found that the average cost of a lost or stolen laptop is $49,000.[22]

The all new 2010 Intel Core vPro processor family can make it easier to protect data and assets. Once Intel vPro technology is activated, IT can take advantage of intelligent new security features, such as hardware-based PC disable and full manageability for encrypted PCs. For example, IT can use programmable defense filters to automatically guard against viruses and malicious attacks. When Intel AT is also activated, IT can use anti-theft triggers to help determine when a laptop is in unauthorized hands, and lock down the machine to thwart data breaches attempted by thieves. These features help IT secure laptop and desktop PCs, both inside and outside the corporate network.

Push updates down the wire, regardless of PC power state.

Remotely and securely power up PCs from the IT console to prepare them for patching.

Automatically deploy more updates and critical patches off-hours or when it won’t interrupt the user.

Check a PC’s software version information, .DAT file information, and other data stored in nonvolatile memory, and find out if anything needs updating without waking up a PC.

Reduce power consumption and lower energy bills by powering down PCs during off-hours, while still maintaining remote access for security updates.

Intel Anti-Theft Technology (Intel AT), which includes programmable triggers and “poison pill” features for identifying and responding – locally or remotely – to loss or theft of the system. Intel AT allows IT to disable access to data encryption keys and the PC at a hardware level, while still allowing rapid and remote reactivation. Intel AT must be enabled (on) in order for IT to take advantage of these intelligent security features.

Programmable filtering of inbound and outbound network traffic.

Isolation of systems that are suspected of being compromised – even if they are out of band or outside the corporate firewall.

Agent presence checking, with continuous, intelligent polling for the presence of software agents, to help make sure security remains in place. IT can also use this capability to reduce unauthorized application usage by up to 100%.[23]

Alerting from inside and outside the corporate network, such as for agent presence checking and inbound/outbound filtering of threats even if the OS is inoperable, software agents are missing, or a hard drive has failed or been removed.

Dedicated memory, which better protects critical system information (such as hardware-based encryption keys) from viruses, worms, and other threats. An authorized IT technician can remotely access this protected memory to identify system ID, firmware version number, and other system information – even if PC power is off, the OS is unavailable, or hardware (such as a hard drive) has failed.

Manageability of PCs with encrypted hard drives, to remotely unlock encrypted drives that require pre-boot authentication, even when the OS is unavailable (for example, if the OS is inoperable or software agents are missing). Remotely manage data security settings even when the PC is powered down.

Out-of-band management even in secure environments, such as 802.1x, PXE, Cisco SDN*, and Microsoft NAP* environments.

Hardware acceleration for AES-NI encryption, to off-load some of the performance burden of encryption from the processor.[8]

Intel® Trusted Execution Technology[19] (Intel® TXT), which uses a hardware-rooted process to establish a root of trust, allowing software to build a chain of trust from the “bare-metal” hardware to a fully functional VMM. Intel TXT also protects secrets (security credentials) during power transitions. For more information about Intel TXT, visit www.intel.com/technology/security.

Hardware-assisted virtualization to help secure PCs and support emerging use models, including multiple images, shared PCs, legacy OS support (such as for Windows XP mode in Windows 7), application and OS streaming, and virtual “containers.”

Note: IT can take advantage of hardware-assisted Intel® Virtualization Technology (Intel® VT) to improve performance for users running a legacy OS (for example, Windows* XP) in Windows 7.
