White Paper: The All New 2010 Intel® Core™ vPro™ Processor Family: Intelligence that Adapts to Your Needs
• Recovery token, which is generated by IT or the user’s service provider
via the theft management console (upon request by the end user).
The one-time recovery token is provided to the user via phone or other
means. The user then enters the passcode in a special pre-OS login
screen in order to reactivate the system.
Both methods return the PC to full functionality, and both offer a
simple, inexpensive way to recover the laptop without compromising
sensitive data or the system’s security features.
Intel AT must be enabled (on) in order for IT to take advantage of these
intelligent security features.
Industry support and software development
Intel AT integrates with existing theft-management solutions. ISVs
who support Intel AT include Absolute Software Corporation and PGP,
and additional security ISVs are planning to offer solutions in 2010.
In order to deploy an Intel AT solution, a service provider or ISV with
Intel AT capabilities is required. A new 2010 Intel Core vPro processor
includes an SDK and documentation for ISVs and service providers to
help test and validate their designs for Intel-AT-capable products.
Hardware-based acceleration for encryption
One of the performance burdens of higher security is the encryption
and decryption of the hard drive upon every access. This has become
a bottleneck to performance, and many IT departments have not used
encryption protection because of the performance trade-off.
One of the encryption standards adopted by the U.S. Government is AES
(Advanced Encryption Standard).²⁴ A new Intel Core vPro processor now
includes new hardware-based CPU instructions (AES-NI, or Advanced
Encryption Standard New Instructions) for AES.⁸ These instructions are
designed to consolidate the AES mathematical operations, off-loading
them from the processor to improve security (harden cryptography
software) and help speed up applications that use the AES algorithm. For
example, software developers can write to these AES-NI instructions
to off-load encryption processing – such as AES rounds and schedules
for key generation – into hardware. This not only improves performance,
but improves protection against advanced forms of cryptanalysis.
• Recent benchmarks compared a new 2010 Intel Core i5 processor-
based PC to an installed-base with a 3-year-old Intel® Core™2 Duo
processor E6400∆-based PC. The benchmarks showed that
protection of sensitive data can be up to 3.5x faster on a new
Intel Core i5 processor-based PC.¹¹
A new 2010 Intel Core i5 vPro processor with AES-NI support can
be used to improve performance for systems that use whole-disk
encryption and file storage encryption. ISVs already planning support
for AES-NI include PGP, McAfee, Microsoft (as part of BitLocker* in
Windows 7), and WinZip.
Push updates down the wire — regardless of PC power state
There are several methods in use today to wake a PC in order to push
out an update, but those methods are not usually secure or reliable, or
they work only when the OS is running properly. In contrast, a new Intel
Core vPro processor includes a secure, encrypted power-up capability
that helps technicians ready systems for updates. This helps IT
organizations substantially speed up patching and ensure greater saturation
for critical updates and patches.
With Intel vPro technology, technicians can:
• Remotely power up laptop and desktop PCs from the IT console, so
updates can be pushed even to machines that were powered off at
the start of the maintenance cycle.
• Deploy more updates and critical patches off-hours or when it won’t
interrupt the user.
• Check a PC’s software version information, .DAT file information, and
other data stored in nonvolatile memory, and find out if anything
needs updating without having to wake or power up a PC.
• Help lower power consumption for businesses, by powering PCs off
when not in use, and remotely and securely powering them up
off-hours only for the update or patch (or other service).
These capabilities allow IT administrators to automate more security
processes. In turn, this can help IT administrators establish a more
secure, better managed environment.
Greater automation for compliance with corporate policies
With the ability to remotely access PCs regardless of power state
or OS state, IT administrators can automate more processes, including
update, remediation, and management processes. For example, if a
polling agent discovers software that is out of date, the third-party
management application can automatically take a software inventory,
port-isolate the system temporarily, and then update the system. The
management application can then remotely return the system to its
previous power state: on, off, hibernating, or sleeping. This can help
administrators eliminate many of the deskside visits and service depot
calls traditionally required for updates, critical patches, and remediation,
and help reduce risks to the network.