Crimeware Protection White Paper
Intel® Core™ vPro™ processors
Identity and Access
Enterprises have seen a growing number of targeted attacks through identity breaches. To mitigate these, they use secure credentials requiring authentication to access them. Software-only credentials are stored in view of the OS and applications, where they are vulnerable to theft and corruption by sophisticated, stealthy crimeware. Many organizations have deployed hardware tokens, smartcards, or USB keys to reduce this risk. But provisioning, management and support of these solutions can be costly.
Intel® Identity Protection Technology1 (Intel® IPT) is a suite of products offering built-in hardware-level security to protect against identity theft, without the need for discreet tokens or smartcards. Intel Identity Protection technology offers the security of discreet tokens with the ease of maintenance and fast response capabilities to security breaches provided by software-based solutions.
Intel® Identity Protection Technology
Security experts agree—single-factor authentication, such as a fixed password, is not enough. Many enterprises have chosen to protect access points, such as VPN logins and web portals, or secure e-mail and document encryption, with strong, two-factor authentication. The two most common forms are one-time-password (OTP) tokens and public key infrastructure (PKI) certificates, often deployed on discreet tokens or smartcards, respectively.
This hardware-based identity protection helps significantly reduce or eliminate fraud and limits access to protected networks and accounts to only valid users. However, enterprise experiences and recent events have highlighted the challenges with these2:
- Lost or forgotten credentials overburden help desk departments.
- Tokens, smartcards, and additional management software can be costly.
- Recent breaches on token stores have highlighted the cost of replacing physical tokens and the lost productivity while users wait for replacement tokens. And, while smartcards are not as difficult to replace, they are still vulnerable to attacks.
To reduce costs associated with hardware security maintenance, some solutions store tokens and PKI certificates on the PC. They can be easily revoked and re-provisioned when needed. However, software-based solutions are typically stored in view of the OS and applications, where they face increased risks from targeted attacks.
Hardware-based Security with Software-based Convenience
Intel IPT stores OTP tokens and PKI certificates in the silicon, out of view and access of the OS and applications. Yet Intel IPT still enables easy revocation, re-provisioning, and management. The issues with lost hardware devices are eliminated. Keys are released only when appropriate authentication is provided, such as a password or PIN.
Intel IPT combines the security of hardware-based solutions with the flexibility and cost savings of software by providing the following capabilities:
- Protects PKI certificates or OTP credentials in silicon out of reach of malware, below the software and operating system.
- Prevents access to keys without proper authentication only an actual user could enter.
- Hides the user’s data entry from the OS and applications, such as key loggers and screen scrapers.
Protection for User Input
As seen in some recent attacks, authentication passwords and PINs can be captured by a key logger to access sensitive data. Intel IPT with Protected Transaction Display helps eliminate identity theft through key logging and screen scraping by capturing and displaying user input out of sight of the OS and device drivers. Key logger and frame buffer reader codes are blinded to the user’s activity.
Easily Deploy Intel IPT with OTP
Many enterprises have chosen one of the popular authentication providers to implement their OTP solutions. Intel IPT with OTP is supported by many of these leading vendors. Using Intel IPT with OTP requires only minimal changes to current implementations, while providing hardware-based security with software-based convenience. As enterprises migrate their fleet of business clients to PCs based on Intel Core vPro processors, they can use the same authentication provider to provision hardware-based OTP credentials to these machines and phase out their physical tokens.
Quickly Migrate to Intel IPT with PKI
For enterprises that implement PKI certificate-based solutions, Intel IPT with PKI simplifies certificate management while providing hardware-based security. Intel IPT with PKI is compatible with Symantec Managed PKI Solution.* It needs only minimal changes to an enterprise’s current implementation. As companies replace their PCs with Intel Core vPro processors-based clients, they can provision hardware-based PKI certificates to these machines using the same authentication provider and phase out physical smartcards.
1. No system can provide absolute security under all conditions. Requires an Intel® Identity Protection Technology-enabled system, including an Intel® Core™ processor, enabled chipset, firmware and software, and participating website. Consult your system manufacturer. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com.
2. “Chinese hackers target smart cards to grab US defense data;” by Techspot. http://www.techspot.com/news/47053-chinese-hackers-target-smart-cards-to-grab-us-defense-data.html