Portable security through firmware
Intel's vPro softly hardens mobile PCs and handhelds
- By Patrick Marshall
- May 22, 2008
For security-conscious agencies and departments, the greatest strength of portable devices is also their greatest vulnerability: portability. A device that can be carried around is more likely to be lost or stolen.
Vendors have come up with an array of tools to help protect portable devices ' from wire cables to keep thieves from walking off with unattended computers to encryption for drives that requires authentication to access the data.
There are a variety of other strategies to protect portable devices.
Absolute Software, for example, has a service called Computrace that helps owners track lost computers via the Internet. Some management programs allow systems administrators to inventory software to ensure that security software is installed and enabled on all devices connected to the network. And some vendors have software, either in operating systems or as an add-on programs, that lets administrators set policies regarding things such as whether users can attach peripherals to a computer.Getting there first
The major drawback to all of these solutions ' with the exception of the wire cable ' is that they involve software. Hackers and thieves are often able to find ways to defeat the security measures by accessing the system before or during the boot-up process, before the security software kicks in.
And many of the security measures require the participation and cooperation of users, which can be a problem.
'Eighty-five percent of the issues related to laptops and data theft are there predominantly because of ignorant users who don't know how to manage data, who don't know what they need to do with their machines, who assume that things are naturally safe and secure,' said Mark Margevicius, an analyst at the Gartner Group. 'Good education programs and policies about when and where you should be using these devices would really help in eliminating much of the risk associated with portable data.'
The next major step in securing portable devices is to move these protective measures into firmware ' software embedded in the hardware ' where it is more difficult to circumvent and where IT staff can more easily manage them without requiring user attention.
Although some cell phones ' most notably, the BlackBerry family ' have been designed for centralized remote management and security, most portable computers have not. Indeed, the management and security tools for portable computers have generally been carried over from desktop PC systems that are always connected to the network and aren't likely to be left behind in taxi cabs.Desktops to portables
Intel's vPro technology is the first major effort to provide central management and security tools in the firmware of portable computers. The technology was originally implemented on desktop computers in November 2006 and was introduced in chipsets for portable computers beginning in May 2007.
If you have the right hardware, you can use vPro for a variety of management chores that will enhance security, including remote diagnosis and repair of computers, network traffic monitoring, software inventories, and policy enforcement.
As long as the PC is plugged into a power source and connected to the network, administrators can access the computer, collect information, and push updates and patches, even if the computer is initially powered down, reconfigured or inoperative.
And most of those capabilities, though not all, are supported even if the network connection is outside the firewall and via the Internet.
Many of those capabilities ' including software inventories and policy enforcement ' are available by adding on a variety of software applications. And therein lies a potential problem.
'Whether it's disk encryption or agents, when it sits above the operating system in software, it's inherently more vulnerable than it is if you can bring it down the stack, bring it down into the silicon and protect it deep down in the guts of the computer,' said Brian Tucker, an Intel marketing manager for mobile applications.
One of the more interesting new features supported by vPro is Trusted Execution Technology, or TXT.
'How do I trust that the information coming from the keyboard or the video or the mouse is truly what it is supposed to be?' Tucker said. Using vPro, 'we can establish that route of trust, and then we can validate that we trust that input.'
TXT can also be used to validate applications. 'We worked with several virtualization providers, and we can basically launch their code. We measure it so we know exactly what we're launching, and we go back and check whether it was what it was when we launched,' Tucker said.Leave no trace
'Then we protect all of the memory and the [input/output] from anyone coming in and doing, say, a screen scrape, or any other capability that could be trying to compromise the data that is out there,' he added. 'We protect the launch of the application, the running of the application, and then when it shuts down, we wipe it clean so no one can tell what was there.'
The same tools can be used to create virtual clients ' locked down configurations of trusted applications and peripherals ' on portable devices.
'IT at larger enterprises is starting to catch on to this idea and play around with it,' Tucker said. 'I think over the next several years [we] will kind of see what ultimately sticks.
Intel has another feature in the works for vPro called Intel Anti-theft Technology. Essentially, the company plans to bring the capabilities of Absolute Software's Computrace product into the firmware.
If a computer is lost or stolen and is subsequently connected to the Internet, the owner can locate it. Also, the owner can send a poison pill to lock down the missing device. Developed in partnership with Absolute Software, Intel expects the feature to be available by the end of this year.
The downside of all this power, of course, is that there are as yet no standards for this kind of firmware. Using vPro limits your choice of hardware because it requires specific chipsets that support Intel's Active Management Technology (AMT) and processors that support Intel's Virtualization Technology.
That doesn't mean that you're limited to Intel software. Third-party software can be developed to take advantage of Intel's firmware. Already, several third-party software vendors, including Symantec, Altiris and Lenovo, are using vPro's built-in virtualization capabilities to develop virtual appliances ' self-contained operating environments dedicated to a particular function, such as manageability or security.Critical mass
'The vPro technology adds an extra layer of security and manageability via an out-of-band method that allows greater control and flexibility when managing a large enterprise,' said Charles de Sanno, executive director of enterprise technology and infrastructure engineering at the Veterans Affairs Department.
A key consideration in implementing vPro is that until all of your agency's or department's computers have the appropriate hardware they'll be outside the management scheme.
Only after VA had a sufficient number of computers that supported vPro did the agency begin to realize the benefits, and de Sanno said he expects the benefits to grow as the numbers of vPro-enabled devices increase. VA has 40,000 devices enabled with vPro technology, he said.
'The technology has promise to allow VA to run security updates, manage patches, OS updates and other types of management/security practices, to be done via an out-of-band state,' he said.
'Having the ability to wake devices up, run updates via a standard technology, and bring down energy costs will only enhance the security posture that the VA has been working to meet, and allow VA to realize other energy saving and cost reduction goals.'
Finally, although firmware implementations such as vPro might lighten the security burden on individual users, some experts caution against relying solely on implementing security technologies.
'Anytime you implement new levels of security on any device, you are going to implement some kind of impediment to use,' Margevicius said. 'You can make a device as tight as Fort Knox, but it may require six levels of authentication and two key fob devices to get in. Is it really reasonable to have a user go through that?' The best answer, he said, is 'a combination of technology, plus best practices and education.'