White Paper: The All New 2010 Intel® Core™ vPro™ Processor Family: Intelligence that Adapts to Your Needs

Recovery token, which is generated by IT or the user’s service provider via the theft management console (upon request by the end user). The one-time recovery token is provided to the user via phone or other means. The user then enters the passcode in a special pre-OS login screen in order to reactivate the system.

Both methods return the PC to full functionality, and both offer a simple, inexpensive way to recover the laptop without compromising sensitive data or the system’s security features.

Intel AT must be enabled (on) in order for IT to take advantage of these intelligent security features.

Industry support and software development

Intel AT integrates with existing theft-management solutions. ISVs who support Intel AT include Absolute Software Corporation and PGP, and additional security ISVs are planning to offer solutions in 2010.

In order to deploy an Intel AT solution, a service provider or ISV with Intel AT capabilities is required. A new 2010 Intel Core vPro processor includes an SDK and documentation for ISVs and service providers to help test and validate their designs for Intel-AT-capable products.

Hardware-based acceleration for encryption

One of the performance burdens of higher security is the encryption and decryption of the hard drive upon every access. This has become a bottleneck to performance, and many IT departments have not used encryption protection because of the performance trade-off.

One of the encryption standards adopted by the U.S. Government is AES (Advanced Encryption Standard)24. A new Intel Core vPro processor now includes new hardware-based CPU instructions (AES-NI, or Advanced Encryption Standard New Instructions) for AES.8 These instructions are designed to consolidate the AES mathematical operations, off-loading them from the processor to improve security (harden cryptography software) and help speed up applications that use the AES algorithm. For example, software developers can write to these AES-NI instructions to off-load encryption processing – such as AES rounds and schedules for key generation – into hardware. This not only improves performance, but improves protection against advanced forms of cryptanalysis.

Recent benchmarks compared a new 2010 Intel Core i5 processor-based PC to an installed-base with a 3-year-old Intel® Core™2 Duo processor E6400-based PC. The benchmarks showed that protection of sensitive data can be up to 3.5x faster on a new Intel Core i5 processor-based PC.11

A new 2010 Intel Core i5 vPro processor with AES-NI support can be used to improve performance for systems that use whole-disk encryption and file storage encryption. ISVs already planning support for AES-NI include PGP, McAfee, Microsoft (as part of BitLocker* in Windows 7), and WinZip.

Push updates down the wire — regardless of PC power state

There are several methods in use today to wake a PC in order to push out an update, but those methods are not usually secure or reliable, or they work only when the OS is running properly. In contrast, a new Intel Core vPro processor includes a secure, encrypted power-up capability that helps technicians ready systems for updates. This helps IT organizations substantially speed up patching and ensure greater saturation for critical updates and patches.

With Intel vPro technology, technicians can:

Remotely power up laptop and desktop PCs from the IT console, so updates can be pushed even to machines that were powered off at the start of the maintenance cycle.

Deploy more updates and critical patches off-hours or when it won’t interrupt the user.

Check a PC’s software version information, .DAT file information, and other data stored in nonvolatile memory, and find out if anything needs updating without having to wake or power up a PC.

Help lower power consumption for businesses, by powering PCs off when not in use, and remotely and securely powering them up off-hours only for the update or patch (or other service).

These capabilities allow IT administrators to automate more security processes. In turn, this can help IT administrators establish a more secure, better managed environment.

Greater automation for compliance with corporate policies

With the ability to remotely access PCs regardless of power state or OS state, IT administrators can automate more processes, including update, remediation, and management processes. For example, if a polling agent discovers software that is out of date, the third-party management application can automatically take a software inventory, port-isolate the system temporarily, and then update the system. The management application can then remotely return the system to its previous power state: on, off, hibernating, or sleeping. This can help administrators eliminate many of the deskside visits and service depot calls traditionally required for updates, critical patches, and remediation, and help reduce risks to the network.
