Portable security through firmware
Intel's vPro softly hardens mobile PCs and handhelds.

For security-conscious agencies and departments, the greatest strength of portable devices is also their greatest vulnerability: portability. A device that can be carried around is more likely to be lost or stolen.

Vendors have come up with an array of tools to help protect portable devices, from wire cables that keep thieves from walking off with unattended computers to drive encryption that requires authentication before the data can be accessed.

There are a variety of other strategies to protect portable devices. Absolute Software, for example, has a service called Computrace that helps owners track lost computers via the Internet. Some management programs allow systems administrators to inventory software to ensure that security software is installed and enabled on all devices connected to the network. And some vendors have software, either built into operating systems or sold as add-on programs, that lets administrators set policies on matters such as whether users can attach peripherals to a computer.

The major drawback to all of these solutions, with the exception of the wire cable, is that they involve software. Hackers and thieves are often able to defeat the security measures by accessing the system before or during the boot-up process, before the security software kicks in.

And many of the security measures require the participation and cooperation of users, which can be a problem.

"Eighty-five percent of the issues related to laptops and data theft are there predominantly because of ignorant users who don't know how to manage data, who don't know what they need to do with their machines, who assume that things are naturally safe and secure," said Mark Margevicius, an analyst at the Gartner Group.
"Good education programs and policies about when and where you should be using these devices would really help in eliminating much of the risk associated with portable data."

The next major step in securing portable devices is to move these protective measures into firmware (software embedded in the hardware), where it is more difficult to circumvent and where IT staff can more easily manage them without requiring user attention.

Although some cell phones, most notably the BlackBerry family, have been designed for centralized remote management and security, most portable computers have not. Indeed, the management and security tools for portable computers have generally been carried over from desktop PC systems that are always connected to the network and aren't likely to be left behind in taxi cabs.

Intel's vPro technology is the first major effort to provide central management and security tools in the firmware of portable computers. The technology was originally implemented on desktop computers in November 2006 and was introduced in chipsets for portable computers beginning in May 2007.

If you have the right hardware, you can use vPro for a variety of management chores that will enhance security, including remote diagnosis and repair of computers, network traffic monitoring, software inventories and policy enforcement.

As long as the PC is plugged into a power source and connected to the network, administrators can access the computer, collect information, and push updates and patches, even if the computer is initially powered down, reconfigured or inoperative. And most of those capabilities, though not all, are supported even if the network connection is outside the firewall and via the Internet.

Many of those capabilities, including software inventories and policy enforcement, are available by adding on a variety of software applications.
And therein lies a potential problem.

"Whether it's disk encryption or agents, when it sits above the operating system in software, it's inherently more vulnerable than it is if you can bring it down the stack, bring it down into the silicon and protect it deep down in the guts of the computer," said Brian Tucker, an Intel marketing manager for mobile applications.

One of the more interesting new features supported by vPro is Trusted Execution Technology, or TXT.

"How do I trust that the information coming from the keyboard or the video or the mouse is truly what it is supposed to be?" Tucker said. Using vPro, "we can establish that route of trust, and then we can validate that we trust that input."

TXT can also be used to validate applications. "We worked with several virtualization providers, and we can basically launch their code. We measure it so we know exactly what we're launching, and we go back and check whether it was what it was when we launched," Tucker said.

"Then we protect all of the memory and the [input/output] from anyone coming in and doing, say, a screen scrape, or any other capability that could be trying to compromise the data that is out there," he added. "We protect the launch of the application, the running of the application, and then when it shuts down, we wipe it clean so no one can tell what was there."

The same tools can be used to create virtual clients (locked-down configurations of trusted applications and peripherals) on portable devices.

"IT at larger enterprises is starting to catch on to this idea and play around with it," Tucker said. "I think over the next several years [we] will kind of see what ultimately sticks."

Intel has another feature in the works for vPro called Intel Anti-theft Technology. Essentially, the company plans to bring the capabilities of Absolute Software's Computrace product into the firmware. If a computer is lost or stolen and is subsequently connected to the Internet, the owner can locate it.
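Tucker's description of TXT measuring code before it is launched and checking it again afterward is, in essence, a measured launch. The following added example (not Intel's code and not part of the original article) models that check in Python: each component of a launch stack is hashed and folded into a PCR-style register, and the final value is compared with a golden value recorded from a known-good stack. The component names and contents are constructed placeholders, and the register logic is a simplified model rather than TXT's actual implementation.

```python
import hashlib
import hmac

REGISTER_SIZE = 32  # SHA-256 digest length; the register starts zeroed


def measure(component: bytes) -> bytes:
    """Hash one launch component (firmware image, hypervisor, application)."""
    return hashlib.sha256(component).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: new register = H(old register || measurement).

    Because the old value is folded in, the result depends on every
    component measured so far and on the order in which they were measured,
    so neither a changed component nor a reordered stack can reproduce it.
    """
    return hashlib.sha256(register + measurement).digest()


def measured_launch(components: list[bytes]) -> bytes:
    """Measure each component in launch order and fold it into the register."""
    register = bytes(REGISTER_SIZE)
    for component in components:
        register = extend(register, measure(component))
    return register


def verify_launch(components: list[bytes], golden: bytes) -> bool:
    """Decide whether the environment about to run is the approved one.

    The final register value must equal the golden value recorded when the
    known-good stack was measured; the comparison is constant-time.
    """
    return hmac.compare_digest(measured_launch(components), golden)


# Constructed stand-ins for a launch stack. A real system measures the
# actual binary images, not placeholder strings like these.
KNOWN_GOOD = [b"firmware-image-v1", b"hypervisor-mle-v1", b"secure-app-v1"]
GOLDEN = measured_launch(KNOWN_GOOD)  # recorded once, from a trusted build

# A modified hypervisor layer (constructed) and a reordered stack should
# both be rejected even though every byte of the good components is present.
TAMPERED = [b"firmware-image-v1", b"hypervisor-mle-v1+extra", b"secure-app-v1"]
REORDERED = list(reversed(KNOWN_GOOD))

if __name__ == "__main__":
    print("known-good launch accepted:", verify_launch(KNOWN_GOOD, GOLDEN))
    print("tampered hypervisor accepted:", verify_launch(TAMPERED, GOLDEN))
    print("reordered stack accepted:", verify_launch(REORDERED, GOLDEN))
```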
Also, the owner can send a poison pill to lock down the missing device. Intel developed the feature in partnership with Absolute Software and expects it to be available by the end of this year.

The downside of all this power, of course, is that there are as yet no standards for this kind of firmware. Using vPro limits your choice of hardware because it requires specific chipsets that support Intel's Active Management Technology (AMT) and processors that support Intel's Virtualization Technology.

That doesn't mean you're limited to Intel software. Third-party software can be developed to take advantage of Intel's firmware. Already, several third-party software vendors, including Symantec, Altiris and Lenovo, are using vPro's built-in virtualization capabilities to develop virtual appliances: self-contained operating environments dedicated to a particular function, such as manageability or security.

"The vPro technology adds an extra layer of security and manageability via an out-of-band method that allows greater control and flexibility when managing a large enterprise," said Charles de Sanno, executive director of enterprise technology and infrastructure engineering at the Veterans Affairs Department.

A key consideration in implementing vPro is that until all of your agency's or department's computers have the appropriate hardware, the ones that lack it will be outside the management scheme.

Only after VA had a sufficient number of computers that supported vPro did the agency begin to realize the benefits, and de Sanno said he expects the benefits to grow as the number of vPro-enabled devices increases.
VA has 40,000 devices enabled with vPro technology, he said.

"The technology has promise to allow VA to run security updates, manage patches, OS updates and other types of management/security practices, to be done via an out-of-band state," he said.

"Having the ability to wake devices up, run updates via a standard technology, and bring down energy costs will only enhance the security posture that the VA has been working to meet, and allow VA to realize other energy saving and cost reduction goals."

Finally, although firmware implementations such as vPro might lighten the security burden on individual users, some experts caution against relying solely on security technology.

"Anytime you implement new levels of security on any device, you are going to implement some kind of impediment to use," Margevicius said. "You can make a device as tight as Fort Knox, but it may require six levels of authentication and two key fob devices to get in. Is it really reasonable to have a user go through that?"

The best answer, he said, is "a combination of technology, plus best practices and education."

Mobile applications:
A 360-degree report

This package is part of an 1105 Government Information Group 360-degree report on mobile applications.



In its May 19 issue, Federal Computer Week focuses on the challenges of complying with the government's policy on safeguarding data on mobile computing devices and, in a separate story, explores the question of how smart leaders should use smart phones.



In its May 26 issue, Washington Technology examines the robust opportunities for systems integrators and technology companies in the realms of public safety, homeland security and defense, and it provides specific examples in key areas.

