- Intel® Active Management Technology is a component of our Digital Office
- initiative and is one of our *T (Star T)
- programs. This technology enables IT managers to remotely access and manage
- every networked computing system — even those that lack a working operating
- system or hard drive, or are turned off — as long as the platform is connected
- to line power and to the network. Intel® AMT uses a separate management
- processor that runs independently on the client machine and can be reached
- through the wired or wireless network.
AMT Instant Go
- Management Console to detect the
- AMT system in Connected Standby low power state, power up the system to full S0
- state when required.
- What are the benefits of this
- AMT’s coexistence with platforms
- supporting the Microsoft Connected Standby feature gives end
- users the flexibility to leave the system in a low power state and yet be manageable by IT when
- needed. End users can now put vPro systems in the Connected Standby
- state for extended battery life, instant on capability and
- When connecting to the
- internet or web applications, users want
- the confidence that their communications and data are being secured.
- Securing the connection and the
- data traveling across that connection
- can be compute intensive and can therefore impact the user's experience, either
- through visible performance degradation or through shorter battery life. By
- optimizing key cryptographic ciphers using the above-mentioned technology, the overhead of
- establishing and maintaining a secure connection can be diminished, resulting in
- a smoother user experience and longer battery life.
- Enhance AES cipher performance using
- Optionally enhance the performance of AES-GCM
- (Galois Counter Mode) using PCLMULQDQ
HD video conferencing optimization
- Optimize HD video conferencing
- solutions to provide smooth and clear video over typical, remote bandwidths with
- minimal battery impact.
1080p at <=1Mbps
- Enable Region of Interest variable
- quality to achieve <=300kbps
< 5W CPU power
- Mean Opinion Score >= 4
- Showcase significant HD video
- quality optimizations that can scale to other solutions and pave the way to
- focus on enhanced user experiences.
- Stretch goal to enable background
- HD background segmentation.
- Establish a deep technical engagement with at least one enterprise specific video
- conferencing solution provider. Identify and execute the optimizations
- necessary to show smooth and clear HD video in typical environments such as
- offsite, VPN, and cellular connections with multiple parties.
- The key focus in 2014 is to better
- understand the challenges and opportunities in the enterprise space, how they
- align to the BKMs from consumer work, and how they differ from consumer.
- Develop the methodologies specific to enterprise solutions that we can scale to
- a wider audience.
Secure Key Technology
- Strong encryption requires two things: robust cryptographic algorithms
- and high-quality keys (e.g. highly entropic random
- numbers). Intel Secure Key provides highly
- entropic random numbers and PRNG seed material in
- order to provide the highest quality crypto keys, nonces, and initialization vectors.
- ISV integration or
- usage of RDSEED processor instruction for seeding
- ISV Pseudo Random Number Generator
- ISV integration or usage
- of RDRAND processor instruction for direct consumption
- of random bytes or mixing with
- PRNG entropy pool
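An added example, not Intel's or any ISV's code: a C wrapper for the two integration paths listed above, RDSEED for PRNG seed material and RDRAND for direct consumption, that checks CPUID first and fails closed when the carry flag reports no data. The names `drng_supported`, `drng_fill`, `SRC_RDRAND`, `SRC_RDSEED` and the retry bound are assumptions of this example; it assumes GCC or Clang and reports failure on anything other than x86-64.

```c
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif
enum { SRC_RDRAND = 0, SRC_RDSEED = 1 };
#define DRNG_RETRIES 10 /* retry bound chosen for this example */

/* CPUID.01H:ECX[30] = RDRAND; CPUID.(EAX=07H,ECX=0):EBX[18] = RDSEED. */
int drng_supported(int src) {
#if defined(__x86_64__)
    unsigned a = 0, b = 0, c = 0, d = 0;
    if (src == SRC_RDRAND)
        return __get_cpuid(1, &a, &b, &c, &d) && ((c >> 30) & 1);
    if (__get_cpuid_max(0, 0) < 7) return 0;
    __cpuid_count(7, 0, a, b, c, d);
    return (b >> 18) & 1;
#else
    (void)src; return 0; /* not x86-64: neither instruction exists */
#endif
}

/* One 64-bit draw. Success is reported in the carry flag; when it is clear
   the destination holds no random data, so retry a bounded number of times. */
static int draw64(int src, uint64_t *out) {
#if defined(__x86_64__)
    for (int i = 0; i < DRNG_RETRIES; i++) {
        unsigned char ok;
        if (src == SRC_RDSEED)
            __asm__ volatile("rdseed %0; setc %1" : "=r"(*out), "=qm"(ok) : : "cc");
        else
            __asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok) : : "cc");
        if (ok) return 1;
        __asm__ volatile("pause"); /* give the entropy source time to refill */
    }
#endif
    (void)src; (void)out; return 0;
}

/* Fill buf from the chosen source; on failure zero it and return 0. */
int drng_fill(int src, unsigned char *buf, size_t len) {
    if (!drng_supported(src)) return 0;
    for (size_t off = 0; off < len; off += 8) {
        uint64_t v;
        if (!draw64(src, &v)) { memset(buf, 0, len); return 0; }
        memcpy(buf + off, &v, len - off < 8 ? len - off : 8);
    }
    return 1;
}
```

Call `drng_fill(SRC_RDSEED, seed, sizeof seed)` when seeding a software PRNG and `drng_fill(SRC_RDRAND, key, sizeof key)` for keys, nonces and IVs, and treat a return of 0 as a hard error rather than falling back to a weaker source silently.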
IPT w/ PKI, NFC Tap & Auth
- ISV PV release of their software that implements IPT with PKI for the
- following use cases:
- * No Password VPN
- * S/MIME – email signing/encryption
- * Document signing
- * Certificate-based authentication to WiFi networks
- * SSL Client authentication
- Or ISV PV release of their software that implements the NFC Tap
- to Authenticate use case.
- Multifactor Authentication - Provide MFA Applet and Add capabilities to ISV client and/or cloud components
- to provision a PKI certificate that uses the Intel Cryptographic Service
- Provider (CSP).
- * MFA provides a secure and satisfying user experience with immediate access
- to their stuff using many factors of authentication (Bluetooth leash, wearables,
- proximity sensors, voice, facial recognition, gait, NFC, IPT with PKI, Protected
- Transaction Display, etc.). Biometrics, Built in NFC reader added to PCs
- allows for simple and secure user authentication with Intel IPT by tapping an
- NFC card or device on an Intel vPro system with IPT.
- * User does not need to enter a password. The user becomes the password.
- SCS is available with the ability
- to configure the platform with network identities associated with "safe zones"
- so that IT can force platforms to hibernate (S4) when they leave these areas in a
- sleep (S3) or Connected Standby (S0ix) state, which forces drive encryption
- to lock. The SCS will also be required to configure Intel Smart Connect
- Technology parameters where applicable.
- Configure system with "safe"
- corporate network identities through the SCS
- Configure ISCT (when applicable)
- and set the associated wake interval
- Optionally - Once settings are
- applied to the Digital Fence service through the SCS, changes may be applied
- through Active Directory Group Policies.
- User unlocks the system / drive
- for normal use
- User suspends the system (S3 or
- S0ix) and leaves the office
- The system detects the absence of
- a "safe" corporate network
- The system briefly wakes and goes
- immediately into a hibernation state (S4)
- When entering S4, the drive is
- locked, protecting the data
- NOTE: A Connected Standby solution
- is not yet available and may not be available in the Broadwell timeframe
ProSSD – Secure Containers
- The driving concept behind “Secure Containers” is the notion that IT can
- provision a Secure Enterprise partition on a BYOD device that supports Intel
- ProSSD. ProSSD supports the OPAL standard v1.0 Rev3 which allows for the
- definition and management of multiple encrypted LBA ranges on the SSD. Once
- this Enterprise range and associated OS partition has been created, it can be
- managed (meaning it can be locked, cryptographically erased, keys rotated,
- policy managed, etc.) at which point the enterprise would feel comfortable
- allowing Enterprise data to reside on it. This way, the end-user is able to use
- their personal device in the enterprise but the enterprise IT dept. has a level
- of control regarding what enterprise data goes on the system, where it is
- stored (in the Secure Container), and how it's secured.
- Enablement of one of the following solutions supporting the use of an Intel
- ProSSD 1500 or 2500 SSD:
- * Good
-   o A single encrypted LBA Range (two OS partitions, one encrypted, the other
-     not) created and policy managed via OPAL. The encrypted LBA range/partition
-     would then host the enterprise data and is called the “Secure Container”.
-     This means that all other user data would be unencrypted on disk. This case
-     is for those consoles that can only support/manage one encrypted LBA range.
- * Better
-   o Two discrete encrypted LBA Ranges (two OS partitions created for each
-     range) created via OPAL. One encrypted LBA range/partition managed by IT to
-     host Enterprise data. The other managed by the end-user to host personal
-     (non-enterprise data). The benefit here allows the end-user to have full
-     disk encryption, but control over the decryption key.
- * Best
-   o Same as ‘better’ solution, but with a Data Loss Prevention solution
-     activated which would attempt to prevent Enterprise data on the managed
-     partition moving to some other place (thumb drive, user partition,
Enhanced Enterprise Rights Management With Geo-Fencing (LBS)
- Location Based Services - One or more location tracking servers must add support for EPID and HMAC
- signature validation of location data transmitted by vPro platforms and make the
- resulting, attested location data available to 3rd party applications through an
- API. The location tracking servers must also implement the RESTful API required
- for configuration and communication between the vPro platform and location
- tracking server. One or more ERM solutions must consume the attested location
- data and compare it against configurable geo-fence boundaries to control
- document access based on physical location.
- IT Perspective:
- * A location tracking server and associated infrastructure is
- deployed and configured for tracking physical location of WiFi devices.
- * vPro platforms are deployed to supported corporate users.
- * IT enables secure location based services through the PROSet administrator
- tool by pushing appropriately configured wireless profiles to each client
- system. An additional tool, such as the SCS, is used to configure the LBS DAL
- applet with the necessary certificates for EPID signature creation (the
- "Secure" in Secure LBS).
- * Additional configuration is performed by IT through the location tracking
- service communicating to the vPro endpoint through the secure and authenticated
- channel configured by the SCS.
- * Geo-fence boundaries are configured in the corporate ERM solution. Each
- boundary is assigned an associated set of document access policies.
- * The user accesses corporate documents after authenticating with the ERM
- solution configured on their vPro platform.
- * As the user moves from one area of the corporate campus to another (e.g.
- from cubicle to café, or office to home) access to sensitive documents is
- changed to comply with corporate document access policies.
- A logical processor uses
- virtual-machine control data
- structures (VMCSs) while it is in VMX operation.
- These new structures manage transitions into and out of
- VMX non-root operation (VM entries and VM exits) as well as processor
- behavior in VMX non-root operation. This
- structure is manipulated by the new instructions VMCLEAR, VMPTRLD,
- VMREAD, and VMWRITE.
- Graphics Virtualization - The Graphics Processing Unit (GPU) has become a fundamental building block in
- today’s computing environment, accelerating tasks from entertainment
- applications (gaming, video playback, etc.) to general purpose windowing
- (Windows* Aero*, Compiz Fusion, etc.) and high performance computing (medical
- image processing, weather broadcast, computer aided designs, etc.).
- Today, we see a trend toward moving GPU-accelerated tasks to virtual machines
- (VMs). Desktop virtualization simplifies the IT management infrastructure by
- moving a worker's desktop to the VM. In the meantime, there is also demand for
- buying GPU computing resources from the cloud. Efficient GPU virtualization is
- required to address the increasing demands.
- Enterprise applications (mail, browser, office, etc.) usually demand a
- moderate level of GPU acceleration capability. When they are moved to a virtual
- desktop, our integrated GPU can easily accommodate the acceleration requirements
- of multiple instances
Intel® Identity Protection Technology
An Added Layer of Hardware-based Security
- Protecting your identity and business data stored in the cloud requires
- strong authentication that's ideally rooted in hardware. Hardware-based
- authentication is widely regarded by security experts as a more effective
- approach than software-only authentication.
- Select PCs and other devices feature tamper-resistant, two-factor
- authentication built right into new
- Intel® Core™ vPro™ processors. Intel® Identity Protection Technology (Intel®
- IPT) helps prevent unauthorized access to your important personal
- and business accounts while reducing the cost of traditional hardware solutions.
- It also provides a simple way for web sites and businesses to validate that a
- user is logging in from a trusted PC.
- How Does Intel® Identity Protection Technology Work?
Intel IPT with one-time password (OTP)
- Intel IPT protects network and web site access points by providing enterprises
- with several ways to validate that a legitimate user—not malware—is logging in
- from a trusted platform. One option utilizes a one-time password (OTP), a
- unique, one-time-use, six-digit number generated every 30 seconds from an
- embedded processor. This tamper-proof solution operates in isolation from the
- operating system. Moreover, because the credential is protected
- inside the chipset, it cannot be compromised by malware or removed from the
- Intel® AES-NI is a new encryption instruction set that improves on the
- Advanced Encryption Standard (AES) algorithm and accelerates the encryption of
- data in the Intel®
- Xeon® processor family and the Intel® Core™
- processor family.
- Comprised of seven new instructions, Intel® AES-NI gives your IT environment
- faster, more affordable data protection and greater security, making pervasive
- encryption feasible in areas where previously it was not.
- Encryption is frequently recommended as the best way to secure
- business-critical data, and AES is the most widely used standard when protecting
- network traffic, personal data, and corporate IT infrastructures. With
- recent advancements in cloud
- computing, where personal or business-critical information leaves the
- traditional IT environment, a more widely usable and secure encryption standard
- such as AES and an acceleration mechanism like Intel® AES-NI are essential.
- Thankfully, AES is a widely-deployed encryption standard when protecting
- network traffic, personal data, and corporate IT infrastructures; and Intel®
- AES-NI can be used to accelerate the AES encryption. With such robust,
- affordable, and flexible options, Intel® AES-NI can help your business stay
- ahead of growing threats.
Public Key Infrastructure - Intel® IPT with PKI uses the Intel® Management Engine (Intel® ME) and 3rd Generation Intel® Core™ i5 or i7 vPro™ processor-powered systems to provide a hardware-based security solution. This solution provides enhanced protection of RSA cryptographic keys. The Intel® IPT with PKI software is exposed as a CSP via the Microsoft CryptoAPI software layer. Software that supports the use of cryptographic features through CryptoAPI can use Intel® IPT with PKI to:
Device Protection Technology
- Intel DPT with Security Extensions:
- Dynamic Whitelisting, Power Efficient Scans, URL Filtering, Intent Filtering, Contextual Permission
- Intel DPT with Manageability Extensions (MDM)
- Intel DPT with Manageability
- Extensions (Containers)
- •Containerize any app, from any
•“No Wrapping” or specialized apps
•Uncompromised native experience
•Selective mgmt. of corp data