
Re: JKIRK57 post# 173463

Tuesday, 12/16/2008 4:05:00 PM
Trying to understand Danbury

I had thought that Danbury’s encryption functionality would COMPETE with BOTH the software-based systems and the hard drive-based systems such as Seagate/Wave. And that Wave would be one of the enablers of Danbury-based encryption solutions and thus receive revenue from customers who adopted the Danbury-based solution. As I look into it, though,

1. It appears that Danbury is not meant to compete with the software-based systems. In fact, it actively encourages the use of software-based encryption products by working with them and alleviating some of the problems we’ve heard about like keys being insecure and difficulty in deploying software patches. And by putting the actual encryption function in hardware, Danbury may also improve the performance hit we’ve heard about, although neither of the pieces below mentions speed.

2. I’m not sure that Danbury is the basis of a complete encryption solution that Wave could “enable.”

3. I’m not at all clear about what Wave’s function may be in relation to Danbury, and whether any function that Wave might have would produce any meaningful revenue. Does Wave in any way provide functionality between Danbury and the software-based encryption products?

I haven’t posted about this before, but the Intel whitepaper that JKIRK found brought it to the front burner, as Danbury might explain why Intel would be perfectly happy to deploy software-based encryption. 1) With incorporation of the Danbury functionality going forward, software-based encryption might be an attractive encryption solution. 2) Intel could use themselves as a business case for their Danbury product.

MY UNDERSTANDING IS FAR FROM COMPLETE. I HOPE ONE OF THE TECH EXPERTS MIGHT BE ABLE TO CLARIFY SOME OF THIS, ESPECIALLY IF I AM OFF BASE HERE.



The first piece below is a transcription of a December 2007 interview with Steve Grobman, Intel’s Director of Business Client Architecture. I included the whole thing because it not only talks about Danbury, but gives a nice rundown of the progress of vPro and the philosophy behind it.

The second piece is an article from infoworld, also from December 2007.



http://www.podtech.net/home/4797/vpro-encryption-at-the-hardware-level

JL: It’s Friday, December 28, 2007. This is Jason Lopez of podtech.net. One of the biggest debates in the IT worlds is how much of an impact software has on a company’s profitability. Experts know there is one, but measuring ROI can be nearly impossible in many cases. Over the past five years there has been new thinking about the role of hardware, which has a real presence physically and can be measured in terms of real costs. Formerly just a dumb device in which the smarter software lived, microprocessors are being enabled with embedded software that can act on its own or help operating systems and applications run more efficiently.

I talked with Intel’s Steve Grobman, who heads up Business Client Architecture at Intel.

SG: What we’re really trying to do is incorporate technology into the platform that solves business problems so that the problems that the IT guys have that are fundamentally difficult to solve with software-only solutions. So every year we’re incorporating new features into the platform that are targeting different sets of problems, and we’ve started this in 2006 and will release new capabilities every year.

JL: What are some of the major updates that have occurred since 2006?

SG: So if you look at our initial launch in 2006, we came out of the chute with really two sets of technologies in vPro. We had our Active Management Technology, which was all about enhancing manageability. So there’s been software manageability forever, but what we found is about 20% of the problems that really weren’t able to be solved with software manageability, we could solve by putting new management solutions in hardware. And that’s what AMT is all about. So for those 20% of situations where you just couldn’t solve the problem in software and traditionally would need to send somebody physically out to the desk to fix the problem, we can now resolve a very large portion of those with this Active Management Technology and actually save IT in general about half their cost of management from what they had prior to having the vPro solution.

Additionally in 2006 the other big technology that we came out with was putting our virtualization technology into our CPU. This is the thing that changed the underlying x86 architecture to make it very clean, very efficient, to virtualize software on top of the PC.

And then what we did in 2007 is we built on both of those technologies, so we did things such as, in Active Management Technology, we made deployment easier by introducing some new deployment scenarios and technology that helps with the deployment of AMT. We also moved to some new standard protocols such as what’s called WS-Management. This allows industry standard protocols to be used to interact with this AMT environment. And then on the virtualization side we added our Trusted Execution Technology that allows the secure launch of a VMM as well as what we call our VT-d technology, which allows things such as device assignment.

JL: Well now in 2008, another codeword from Intel, Danbury. What does that mean?

SG: We are super excited about what we’re going to be doing in 2008. It’s a technology that right now is codenamed Danbury. And it’s an integrated encryption solution that’s taking storage encryption technology and integrating it into the vPro platform, but we’re doing it in such a way that it not only enhances encryption solutions that exist by making them more secure, but even more important is making these solutions manageable such that IT is able to have an easier time of deploying encrypted solutions into the environment, managing encrypted solutions when they’re actually deployed, and in some cases giving end users a better experience when they need to interact with these encrypted systems. And I’d be happy to walk you through some examples of all three of those key aspects of the Danbury technology.

JL: Well, let’s go through Danbury, let’s find out more about this technology and how it will impact the IT administrators’ life.

4:57

SG: Sure. So the first kind of core thing with Danbury is we do move the actual encryption operations into hardware. And this does a few interesting things. Number one, it makes it such that those sensitive operations are no longer running in software, so various forms of software attacks can’t access those critical operations. So this is something that resonates very well with IT, and one of the reasons that IT has been looking at hardware-based encryption for a very long time. The other thing that it does is it makes the solution operating-system and virtualization agnostic. Since the actual crypto operations are happening below all of the hardware, if there are things like operating system updates or service pack updates, or you want to run all sorts of interesting operating systems, you can do that. And because it doesn’t require device drivers to interact with the encryption system, it all just kind of magically works. So that’s the first big thing that’s part of the Danbury technology: we get some inherent benefits by just where we do the crypto, and doing it in hardware is really the best place to do it.

JL: Steve I have a question for you that is around this idea of the nature of software and hardware over the past ten years because it seemed a while ago hardware was on its way to becoming a very cheap commodity, and it was the software that was going to be the thing that people were really seeking. I remember someone saying, “Yes, there’ll come a day when you buy almost any program and you get a free computer with it.” But we’ve seen over the past three or four years how some pieces of software kind of run their course or at least have come to a point where people are saying, “How much more power can you put in that spreadsheet program. Or how much more power can you put in that document program.” The power’s now coming from the hardware side. And something that we hardly predicted in the IT world ten years ago. I wonder if you could comment on this.

SG: Sure. It’s a great question. And I think part of it is at Intel we’re fundamentally looking at the role of hardware differently. In the past I think traditionally it’s been about how can you simply make the hardware go faster. And what we did with things like vPro is we took a step back and we said, what software’s really doing is it’s requesting the hardware to perform functions on its behalf. And there’s certain types of operations that are inherently difficult or impossible to do in software only, but by providing some of those building blocks and _____ services in the hardware we can not only make the hardware more valuable but also enable the software to have a richer set of functionality. So you’ll see this in situations both with manageability with what we did with AMT as well as things with Danbury.

So in the case of Active Management Technology, you’ve been able to use software-only capabilities to do things like allow an IT guy to remote control a user with software-based remote control. But what if that user has a problem with their BIOS? Right? Because you can’t get software up and running when the BIOS is executing, the BIOS screen STREAM? configuration is running, IT would be out of luck in that scenario. What we’ve been able to do with AMT is put functionality such that even if software’s not running you now can still remote-control that machine in various scenarios such as when they’re using the BIOS. Or in a situation where the machine is completely broken, it’s just in a continuous state of blue screen and IT has made the decision that they just want to rebuild the machine, we have technology in Active Management Technology where they can remotely boot the machine to a network image and get the user back up and running without trying to walk the user through a complex set of installation steps.

10:00

Very similarly with Danbury, it’s a very similar paradigm where there are tons of great full disk encryption products on the market today, and we see the opportunity to make those products better. Right? So make it easier for IT to deploy those products by allowing them to patch these machines, by giving their end users a better experience. A good example is with many of the products on the market today that do encryption, if a user forgets their password and needs it to get back online, they’ll go through a little skit with the IT guy where they’ll say my mother’s maiden name, and my first car, my pet. And they’ll answer all these questions to prove to the IT guy that they really are who they say they are. And the IT guy will at some point figure out, all right, it really is Josh on the other end of the line, and they’ll read you over the phone a very long sequence of numbers or letters that you go ahead and physically type in. But you could be in a noisy environment, in an airport. There might be language barriers or accent barriers between Help Desks in different regions and the end user. And by having an ISV utilize our Danbury technology, it would let their IT guy go through the same verbal set of confirmations to prove that it really is the right person on the other end of the line, but then instead of reading them this very long string of numbers and letters, they could simply right click in the ISV’s console on the machine and say, Allow Unlock. And so to the end user it’s an infinitely better experience than what they have today. But it’s simply making those products better, not trying to replace the software products that are on the market. And that’s really the philosophy that my team uses: “What can we do in hardware that fundamentally gives the software guys new opportunities to have better products than what they can do with the facilities software has access to today.”

JL: What are some other things that Danbury promises for the IT staff?

SG: So one of the big things that I talked a little about is the out-of-band unlock feature. It’s interesting from a few aspects. Number one, it does allow IT to perform that unlock operation to do things like patching, but it also can make it such that multiple authorized software entities are able to perform that operation. So if IT chooses an encryption software package from one of the full disk encryption vendors but it’s using a manageability solution from one of our Active Management Technology manageability partners, you know, Altiris, or SMS, CA, HP OpenView, you know, just as examples, there’s a big long list of partners that we’re working with on the AMT side. Any of those manageability ISVs can execute this out-of-band unlock operation for scenarios where they need to get that machine on the network, but the actual core crypto capability can still be managed by a different vendor. So we make it such that all of the crypto vendors of the world don’t need to work with every single one of the manageability vendors, and we solve this n x m complexity matrix that would exist otherwise.

The other really interesting thing about this is we can make it such that different classes of users are able to perform operations that need to happen fairly frequently, such as unlocking a machine in order to patch it, without giving those users the full access to recovery keys that would generally need to be used only in very rare disaster scenarios, such as if the motherboard or chipset itself was damaged and you needed to pull the drive out and recover it on a different machine. So the way that we can facilitate this is part of the Active Management Technology and Danbury architecture can utilize enterprise authentication and authorization protocols like Kerberos, and specifically the Active Directory security paradigm around Active Directory group membership. So if there’s a specific group in Active Directory that IT wants to use to grant a certain set of users privilege to perform this operation – so if there’s an Intel Remote Drive Unlock Operators group and somebody should be a member of that group today because that’s part of their job. If they go and get another job tomorrow where they no longer need that privilege, they can simply be removed from that group in Active Directory and no longer have access to unlock those drives, and IT hasn’t needed to touch all of the machines in the enterprise in order to make that happen.

JL: Steve Grobman is the Director of Business Client Architecture at Intel. This is podtech.net. I’m Jason Lopez.



http://www.infoworld.com/article/07/12/10/Intel-adds-encryption-to-VPro_1.html

Intel adds encryption to vPro
Embedded security features, code-named Danbury, make application encryption easier, add new layer of hard drive protection

By Matt Hines
December 10, 2007

Intel is preparing to introduce a new set of security features in its next-generation vPro microprocessors that have been designed to extend the reach of encryption applications and make the systems easier to install and manage.

Built under the code-name Danbury, the embedded security features -- planned to be introduced in the second half of 2008 -- promise to improve the efficacy of commercial encryption tools via onboard integration hooks for the programs, and by adding a new layer of hard drive protection when vPro-powered computers are asleep or otherwise powered-down.

According to Intel officials, the addition of the Danbury technology will also make it far easier for organizations to put encryption applications into place by directly addressing the common headache of key management within the new embedded security tools.

Many companies that have already installed encryption software on their computers are still struggling with key management, and, even worse, most fail to realize that the applications do not protect hard drives unless the machines are fully powered-up -- creating an attractive vector for attackers and giving those organizations a false sense of security -- said Steve Grobman, director of business client architecture at Intel.

Even those computers carrying today's full-disk encryption tools remain vulnerable to attack when they are in hibernation and stand-by mode, he said.

That fact proves even more troublesome as so many companies are using encryption software as a means to safeguard sensitive data on their machines and meet compliance regulations, especially in the case of computers that have been stolen and had their authentication systems bypassed.

"Companies want to utilize full disk encryption to better protect their data, but commercial software products are hard to deploy and still leave many ways for machines to be attacked," Grobman said. "By putting certain aspects of encryption into the hardware, versus using only software-based systems, we believe we can make encryption easier to deploy and manage, while addressing those remaining vulnerabilities."

Rather than pitching the Danbury tools as an alternative to commercial encryption applications, the features will serve to augment software products made by companies including Credant, PGP, Pointsec, Safeboot and Utimaco, according to the Intel product engineering leader.

All of those firms have already partnered directly with the CPU manufacturer around the upcoming release to build hooks in the chips to integrate with their own encryption software systems and allow customers to take advantage of the Danbury capabilities, he said.

"By taking certain sensitive operations and putting them directly into the hardware, such as by moving the keys into the chipset, we are making these encryption systems easier and more practical to get up-and-running," Grobman said. "This isn't an effort to compete with encryption software makers but rather to help customers see better implementations of their tools; we believe that these new features should actually have a positive effect on the entire encryption space."


The addition of the Danbury tools represents only the latest in a string of security and management technologies embedded directly into the vPro lineup by Intel, including the company's Active Management Technology (AMT), which is aimed at making it easier for administrators to do remote updates on corporate machines, such as for installing anti-virus (AV) updates or operating system (OS) security patches.

Earlier this year, Intel also announced new features that extend malware behavior-detection further onto the CPU level and wall off virtualized software systems from attack, along with new tools meant to help desktops communicate directly with so-called network access control (NAC) systems, which are used for device configuration monitoring and network authentication.

In another nod to extended management capabilities, the Danbury features will also provide IT organizations with the option to gain remote access to encrypted machines to patch them -- without any interaction on the part of end users, Grobman said, and give administrators the ability to set parameters for implementation of encryption applications using Microsoft Active Directory.

Companies that have already installed encryption programs often find it a time-consuming process to help users who forget their computer passwords regain access to their machines, Intel executives claim.

And whereas administrators of encrypted machines are often forced to decrypt entire disk drives to perform tasks including operating system updates today, the new vPro features will eliminate complex software processes that make for such arduous work, they promised.

With a growing number of regulatory mandates requiring companies to encrypt the data stored on their computers, and large numbers of high-profile corporate data breaches splashed across the headlines, many companies have moved to deploy the systems and subsequently found them too unwieldy to employ on a broad basis, said Malcolm Harkins, general manager of Intel's Information Risk and Security Group.

The fact that today's encryption systems don't provide full-time disk protection, as many users think they do, has even led Intel itself to delay broad use of the technology, he said.

"We have not moved to deploy full disk encryption simply because we didn't feel it was worth it to spend millions of dollars to add technologies that wouldn't provide sufficient levels of defense," Harkins said. "I don't think that many companies that have already installed encryption software realize the shortcomings, and that by putting their faith in these tools they may actually be increasing their overall risk."


Harkins pointed out that companies using existing encryption tools may also run afoul of e-discovery regulations if users have data stored on machines that cannot be accessed centrally by administrators, such as in the case of a lost or forgotten password.

"When you start looking at the legal implications with these regulations, you realize that there are also some additional risks that these companies may not be aware of," he said. "People are adopting encryption as a solution to some of these problems, but they may be creating additional problems for themselves in the long-term."

Matt Hines is a senior writer at InfoWorld.