Why You Need Double Protection Now: Hardware and Software
Theft-prone laptops and Web authentication concerns have inspired some developers to double up on data protection, combining software and hardware to bolster security.
The approach lets security software and services vendors leverage security features built into the latest generation of processors. Independent software vendors (ISVs) are already tapping hardware resources to improve encryption. The basic concept holds that harnessing the best attributes of software and hardware provides a more in-depth defense.
Mauricio Cuervo, product manager at Intel, noted that software has greater flexibility than hardware -- new features can be added more quickly -- but it is more susceptible to attacks. Hardware, in contrast, is generally more robust and difficult to penetrate. Bringing the two together unites the richness of software and the tamper-resistant nature of hardware, he added.
“The ultimate objective is to drive that synergy,” says Cuervo.
With that combination in mind, ISVs can now tap Intel’s Anti-Theft Technology to tighten laptop security. That technology, also referred to as Intel AT, is equipped on second-generation Intel Core and Core vPro processors. It allows ISVs to bring theft deterrence into their solutions, while improving data protection with hardware assistance, says Cuervo.
Cuervo, who focuses on Intel AT, said Absolute Software, PlumChoice, Symantec and WinMagic are partnering with Intel on Intel AT to improve their security solutions. He said other partnerships are in the pipeline.
Garry McCracken, vice president of technology partnerships at WinMagic Inc., says the company has been able to add value to its full-disk encryption software by enabling an Intel AT feature called data encryption disable. The company is able to take part of its key -- for decrypting and accessing data -- and place it inside Intel’s AT chip.
“If the Intel chip receives a kill pill or goes into a stolen state, the platform goes into a platform disable state and the computer is of no use to the thief,” says McCracken.
“Even the actual hard drive is no longer accessible -- even to users that still have their credentials -- because part of the key is locked up into the hardware,” he adds. “That is a key synergy between full-disk encryption and how we can leverage the capability of the hardware. It is worth noting that if the computer is recovered, an authorized administrator can re-enable the computer and regain access to the data.”
PlumChoice Inc., meanwhile, will incorporate Intel AT in its SAFElink Anti-Theft service. The software-based solution locks down a customer’s laptop when a theft or loss trigger is detected. Josh Goldlust, vice president, product management for PlumChoice, says Intel AT support means that lockdown can occur before a laptop’s operating system boots. PlumChoise recently demoed this technology at an Intel Developer conference.
Intel integration will let PlumChoice enable an enhanced version of SAFElink Anti-Theft, which will test customers to assure they are the proper user of the device and have them provide the correct credentials, explains Goldlust. The PlumChoice solution performs a similar function without Intel AT, but the security measure takes place once the operating system has booted.
With Intel AT, Cuervo said Intel works with ISVs that concentrate on asset tracking, asset retrieval, or data protection of PCs. Developers who are interested in Intel AT can visit Anti-Theft.Intel.com for an overview, he noted. Intel provides an Intel AT SDK for developers, but only after the company has interviewed a potential ISV partner.
“It involves a deep level of integration with our product,” says Cuervo. “We have to first analyze if it is a good fit for them and for Intel -- we do a discovery session.”
Developers can also leverage Intel’s Identity Protection Technology (Intel IPT) to boost security. Intel IPT comes built into second-generation Intel Core-based PCs and laptops, providing hardware-based, two-factor authentication. The technology aims to secure access to online accounts, virtual private networks, and applications.
Two-factor authentication generally involves username/password and something the user possesses -- a security token, for example. The token generates a number that serves as a one-time password. An Intel IPT-equipped computer, however, serves as the security token. Intel IPT generates the one-time password from an embedded processor on a computer’s motherboard.
Soren Knudsen, product marketing engineer at Intel, said the company worked directly with large ISVs on Intel IPT. Currently, Symantec Corp. and VASCO Data Security International are security ISVs for Intel IPT. He said most security software companies looking to add a level of authentication and trust to their solutions would work with an Intel security ISV.
“They would use the partner’s SDK, or services, or calls and implement that into their software solution,” explains Knudsen.
Knudsen says developers can implement Intel IPT into a piece of Windows software or a website. He said most developers are using the technology to do authentication on the Web.
Cryptographic acceleration represents another area where software and hardware security meet.
WinMagic, for example, has started making use of Intel’s Advanced Encryption Standard New Instructions (AES-NI). Those instructions, built into many recent Intel CPUs, accelerate the speed of encryption.
Thi Nguyen-Huu, president and CEO, WinMagic, says AES-NI deployment has a positive impact on solid state drives (SSDs). He said SSDs are 10 times faster than traditional rotating-disk hard drives.
Without the boost from AES-NI, “software encryption would be the bottleneck and negate the advance of the SSD,” says Nguyen-Huu.
“We implemented AES-NI on the software side and found we have a greatly improved overall solution,” adds McCracken.