SSG 2014

  1. AMT
    • Intel® Active Management Technology is a component of our Digital Office initiative and is one of our *T (Star T) programs. This technology enables IT managers to remotely access and manage every networked computing system — even those that lack a working operating system or hard drive, or are turned off — as long as the platform is connected to line power and to the network. Intel® AMT uses a separate management processor that runs independently on the client machine and can be reached through the wired or wireless network.
  2. AMT Instant Go
    • Enables the Management Console to detect an AMT system in the Connected Standby low power state and power it up to the full S0 state when required.
    • What are the benefits of this feature:
    • AMT’s coexistence with platforms supporting the Microsoft Connected Standby feature gives the end user the flexibility to leave the system in a low power state and yet be manageable by IT when needed. End users can now put vPro systems in the Connected Standby state for extended battery life, instant-on capability and more.
  3. Cryptographic Performance
    • When connecting to the internet or web applications, users want the confidence that their communications and data are being secured. Securing the connection and the data traveling across that connection can be compute intensive and therefore impacts the user’s experience, either through visible performance degradation or in terms of shorter battery life. By optimizing key cryptographic ciphers using the above-mentioned technology, the overhead of establishing and maintaining a secure connection can be diminished, resulting in a smoother user experience and longer battery life.
    • Symmetric Encryption
    • Enhance AES cipher performance using AES-NI
    • Optionally enhance the performance of AES-GCM (Galois Counter Mode) using the PCLMULQDQ instruction
  4. HD video conferencing optimization
    • Optimize HD video conferencing solutions to provide smooth and clear video over typical, remote bandwidths with minimal battery impact.
    • 1080p at <=1Mbps
    • 720p at <=500kbps
    • Enable Region of Interest variable quality to achieve <=300kbps
    • 10+ participants
    • < 5W CPU power
    • < 20% CPU utilization
    • Mean Opinion Score >= 4 (Good)
    • Showcase significant HD video quality optimizations that can scale to other solutions and pave the way to focus on enhanced user experiences.
    • Stretch goal to enable HD background segmentation.
    • Establish a deep technical engagement with at least one enterprise-specific video conferencing solution provider. Identify and execute the optimizations necessary to show smooth and clear HD video in typical environments such as offsite, VPN, and cellular connections with multiple parties.
    • The key focus in 2014 is to better understand the challenges and opportunities in the enterprise space, how they align to the BKMs from consumer work, and how they differ from consumer. Develop the methodologies specific to enterprise solutions that we can scale to a wider audience.
  5. Secure Key Technology
    • Strong encryption requires two things: robust cryptographic algorithms and high quality keys (e.g. highly entropic random numbers). Intel Secure Key provides highly entropic random numbers and PRNG seed material in order to provide the highest quality crypto keys, nonces, and initialization vectors possible.
    • ISV integration or usage of the RDSEED processor instruction for seeding the ISV Pseudo Random Number Generator (PRNG)
    • ISV integration or usage of the RDRAND processor instruction for direct consumption of random bytes or mixing with the PRNG entropy pool
  6. IPT w/ PKI, NFC Tap & Auth
    • ISV PV release of their software that implements IPT with PKI for the following use cases:
      o No Password VPN
      o S/MIME – email signing/encryption
      o Document signing
      o Certificate-based authentication to WiFi networks
      o SSL Client authentication
    • Or ISV PV release of their software that implements the NFC Tap to Authenticate use case.
  7. MFA
    • Multifactor Authentication - Provide MFA Applet and add capabilities to ISV client and/or cloud components to provision a PKI certificate that uses the Intel Cryptographic Service Provider (CSP).
    • MFA provides a secure and satisfying user experience with immediate access to their stuff using many factors of authentication (Bluetooth leash, wearables, proximity sensors, voice, facial recognition, gait, NFC, IPT with PKI, Protected Transaction Display, etc.). Biometrics and a built-in NFC reader added to PCs allow for simple and secure user authentication with Intel IPT by tapping an NFC card or device on an Intel vPro system with IPT.
    • User does not need to enter a password. The user becomes the password.
  8. Digital Fence
    • SCS is available with the ability to configure the platform with network identities associated with "safe zones" so that IT can enforce platforms to hibernate (S4) when leaving these areas in a sleep (S3) state or Connected Standby (S0ix), which will force drive encryption to lock. The SCS will also be required to configure Intel Smart Connect Technology parameters where applicable.
    • Configure system with "safe" corporate network identities through the SCS
    • Configure ISCT (when applicable) and set the associated wake interval
    • Optionally - Once settings are applied to the Digital Fence service through the SCS, changes may be applied through Active Directory Group Policies.
    • User unlocks the system / drive for normal use
    • User suspends the system (S3 or S0ix) and leaves the office
    • The system detects the absence of a "safe" corporate network
    • The system briefly wakes and goes immediately into a hibernation state (S4)
    • When entering S4, the drive is locked, protecting the data
    • NOTE: A Connected Standby solution is not yet available and may not be available in the Broadwell timeframe
  9. ProSSD – Secure Containers
    • The driving concept behind “Secure Containers” is the notion that IT can provision a Secure Enterprise partition on a BYOD device that supports Intel ProSSD. ProSSD supports the OPAL standard v1.0 Rev3, which allows for the definition and management of multiple encrypted LBA ranges on the SSD. Once this Enterprise range and associated OS partition has been created, it can be managed (meaning it can be locked, cryptographically erased, keys rotated, policy managed, etc.), at which point the enterprise would feel comfortable allowing Enterprise data to reside on it. This way, the end-user is able to use their personal device in the enterprise but the enterprise IT dept. has a level of control regarding what enterprise data goes on the system, where it is stored (in the Secure Container), and how it is secured.
    • Enablement of one of the following solutions supporting the use of an Intel ProSSD 1500 or 2500 SSD:
      o Good: A single encrypted LBA Range (two OS partitions, one encrypted, the other not) created and policy managed via OPAL. The encrypted LBA range/partition would then host the enterprise data and is called the “Secure Container”. This means that all other user data would be unencrypted on disk. This case is for those consoles that can only support/manage one encrypted LBA range.
      o Better: Two discrete encrypted LBA Ranges (two OS partitions created, one for each range) created via OPAL. One encrypted LBA range/partition managed by IT to host Enterprise data. The other managed by the end-user to host personal (non-enterprise) data. The benefit here allows the end-user to have full disk encryption, but control over the decryption key.
      o Best: Same as the ‘better’ solution, but with a Data Loss Prevention solution activated which would attempt to prevent Enterprise data on the managed partition moving to some other place (thumb drive, user partition, etc.).
  10. Enhanced Enterprise Rights Management With Geo-Fencing (LBS)
    • Location Based Services - One or more location tracking servers must add support for EPID and HMAC signature validation of location data transmitted by vPro platforms and make the resulting, attested location data available to 3rd party applications through an API. The location tracking servers must also implement the RESTful API required for configuration and communication between the vPro platform and location tracking server. One or more ERM solutions must consume the attested location data and compare it against configurable geo-fence boundaries to control document access based on physical location.
    • IT Perspective:
      o A location tracking server and associated infrastructure is deployed and configured for tracking the physical location of WiFi devices.
      o vPro platforms are deployed to supported corporate users.
      o IT enables secure location based services through the PROSet administrator tool by pushing appropriately configured wireless profiles to each client system. An additional tool, such as the SCS, is used to configure the LBS DAL applet with the necessary certificates for EPID signature creation (the "Secure" in Secure LBS).
      o Additional configuration is performed by IT through the location tracking service communicating to the vPro endpoint through the secure and authenticated channel configured by the SCS.
      o Geo-fence boundaries are configured in the corporate ERM solution. Each boundary is assigned an associated set of document access policies.
      o The user accesses corporate documents after authenticating with the ERM solution configured on their vPro platform.
      o As the user moves from one area of the corporate campus to another (e.g. from cubicle to café, or office to home), access to sensitive documents is changed to comply with corporate document access policies.
  11. VMCS Shadowing
    • A logical processor uses virtual-machine control data structures (VMCSs) while it is in VMX operation. These new structures manage transitions into and out of VMX non-root operation (VM entries and VM exits) as well as processor behavior in VMX non-root operation. This structure is manipulated by the new instructions VMCLEAR, VMPTRLD, VMREAD, and VMWRITE.
  12. XenGT
    • Graphics Virtualization - The Graphics Processing Unit (GPU) has become a fundamental building block in today’s computing environment, accelerating tasks from entertainment applications (gaming, video playback, etc.) to general purpose windowing (Windows* Aero*, Compiz Fusion, etc.) and high performance computing (medical image processing, weather broadcast, computer aided designs, etc.).
    • Today, we see a trend toward moving GPU-accelerated tasks to virtual machines (VMs). Desktop virtualization simplifies the IT management infrastructure by moving a worker's desktop to the VM. In the meantime, there is also demand for buying GPU computing resources from the cloud. Efficient GPU virtualization is required to address the increasing demands.
    • Enterprise applications (mail, browser, office, etc.) usually demand a moderate level of GPU acceleration capability. When they are moved to a virtual desktop, our integrated GPU can easily accommodate the acceleration requirements of multiple instances.
  13. IPT
    Intel® Identity Protection Technology

    An Added Layer of Hardware-based Security

    • Protecting your identity and business data stored in the cloud requires strong authentication that's ideally rooted in hardware. Hardware-based authentication is widely regarded by security experts as a more effective approach than software-only authentication.
    • Select PCs and other devices feature tamper-resistant, two-factor authentication built right into new Intel® Core™ vPro™ processors. Intel® Identity Protection Technology (Intel® IPT) helps prevent unauthorized access to your important personal and business accounts while reducing the cost of traditional hardware solutions. It also provides a simple way for web sites and businesses to validate that a user is logging in from a trusted PC.
    • How Does Intel® Identity Protection Technology Work?

    Intel IPT with one-time password (OTP)

    • Intel IPT protects network and web site access points by providing enterprises with several ways to validate that a legitimate user—not malware—is logging in from a trusted platform. One option utilizes a one-time password (OTP), a unique, one-time-use, six-digit number generated every 30 seconds from an embedded processor. This tamper-proof solution operates in isolation from the operating system. Moreover, because the credential is protected inside the chipset, it cannot be compromised by malware or removed from the PC.
  14. AES-NI
    • Intel® AES-NI is a new encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in the Intel® Xeon® processor family and the Intel® Core™ processor family.
    • Comprised of seven new instructions, Intel® AES-NI gives your IT environment faster, more affordable data protection and greater security, making pervasive encryption feasible in areas where previously it was not.
    • Encryption is frequently recommended as the best way to secure business-critical data, and AES is the most widely used standard when protecting network traffic, personal data, and corporate IT infrastructures. With recent advancements in cloud computing, where personal or business-critical information leaves the traditional IT environment, a more widely usable and secure encryption standard such as AES and an acceleration mechanism like Intel® AES-NI are essential. Thankfully, AES is a widely-deployed encryption standard when protecting network traffic, personal data, and corporate IT infrastructures, and Intel® AES-NI can be used to accelerate AES encryption. With such robust, affordable, and flexible options, Intel® AES-NI can help your business stay ahead of growing threats.
  15. PKI
    Public Key Infrastructure - Intel® IPT with PKI uses the Intel® Management Engine (Intel® ME) and 3rd Generation Intel® Core™ i5 or i7 vPro™ processor-powered systems to provide a hardware based security solution. This solution provides enhanced protection of RSA cryptographic keys. The Intel® IPT with PKI software is exposed as a CSP via the Microsoft CryptoAPI software layer. Software that supports the use of cryptographic features through CryptoAPI can use Intel® IPT with PKI to:
  16. DPT
    Device Protection Technology

    • Intel DPT with Security Extensions: Dynamic Whitelisting, Power Efficient Scans, URL Filtering, Intent Filtering, Contextual Permission
    • Intel DPT with Manageability Extensions (MDM)
      o Remote Configuration
      o Application Management
      o HW/SW Control
      o Inventory Monitoring
      o Kiosk Mode
      o Security Restrictions
      o Expense Mgmt
    • Intel DPT with Manageability Extensions (Containers)
      o Containerize any app, from any store
      o “No Wrapping” or specialized apps
      o Uncompromised native experience
      o Selective mgmt. of corp data