Why zero trust security needs strong hardware foundations

Intel vPro platform provides hardware level of trust

Sponsored Sometimes it feels like the hackers and malware creators are in an arms race with the teams tasked with protecting systems and data. New tools and technologies are being deployed on both sides all the time.

Criminals are no longer just stealing sensitive data, they are also commandeering resources and subverting them for their own ends, such as cryptocurrency mining or using systems as botnets to attack other targets. Hackers have even started to target the firmware by infiltrating code into the system BIOS where it can loiter undetected by security tools running at the operating system level.

For hard-pressed IT departments, this means there are several priorities that need to be addressed when securing end-user devices. These are the ability to detect and protect against threats; keeping user identity and credentials secure to prevent these being misused; securing data against unauthorised access; and the ability to recover from breaches.

Unfortunately, the traditional model of security based around locking down the network perimeter is no longer sufficient in the era of enterprise mobility. Endpoints such as laptops are routinely used outside of the firewall and applications and data may sit on a public cloud. The secure perimeter effectively ceases to exist in these scenarios.

One answer to this is to move to a tighter security model where no entity in the corporate domain is assumed to be secure, whether they are on the internal network or connecting from outside. This zero trust security model requires entities to be continually verified before being allowed access, and calls for the entire software stack to be monitored and protected top to bottom.

Building the foundations of trust

Protecting systems with a zero trust model requires a multi-layered approach that extends all the way down to the silicon level.

A hardware-enhanced “root of trust” is an essential foundation], as it is difficult for attackers to alter or bypass. This chain of trust is so-called because it is built up from this root using the measure-and-verify security model, with each layer in the stack building on the secure foundations below. Without such secure foundations rooted in silicon, it is possible for attackers to infiltrate malicious code such as rootkits into the firmware, from where it reloads every time the system starts and can hijack the operating system and any applications and data running atop it.

This is where the Intel vPro® platform comes in. The Intel vPro® platform is a set of capabilities embedded into the hardware of endpoint systems aimed at businesses and large organisations, covering areas such as security and remote management.

The latest updates to the Intel vPro® platform includes a new security technology called Intel® Hardware Shield. This is designed to protect against attacks that target the firmware layer of the system as well as other system critical resources, and thus provides the secure foundation for zero trust. It can be used by organisations to strengthen device security without the need for additional IT infrastructure.

Intel Hardware Shield helps minimise the risk that some vulnerability in the firmware could be used to inject malicious code into the platform at runtime. It achieves this by launching the operating system and hypervisor into a hardware–secured code environment that is inaccessible to the firmware, thus enabling a secure boot and allowing systems to launch into a trusted state.This hardens OS security and integrity features and makes systems more robust against cyber attacks that try to exploit zero-day vulnerabilities.

Intel Hardware Shield also provides the operating system visibility of the system resources that firmware can access and reduces the attack surface of the BIOS by locking down its dedicated memory area during runtime.

Ensuring systems are tamper-free from the start

But with the hardware serving as the root of trust, the problem shifts to how organisations can ensure the integrity of the hardware out-of-the-box. According to Intel, there are growing concerns among corporate security officers about the risks posed by the supply chain, especially as buyers tend to have limited visibility into the complex web of companies that supply all the component parts that go into a finished computer system. The increased use of collaboration tools and remote work environments due to covid-19 is another risk factor.

To help manage these risks in the end-to-end supply chain, Intel® Transparent Supply Chain is available in select Intel vPro® platform-based devices. This involves “build” data generated by every component that goes into a system, including the BIOS, and each piece gets a unique certificate identifier, which is cryptographically linked to the device and uploaded to secure Intel servers.

The end result is system level traceability backed by signed platform certificates linked to the Trusted Platform Module (TPM) that is a part of each Intel vPro® platform-based system, in addition to component-level traceability provided by the build data.

A customer can then take the system serial number, look it up on the Intel or device manufacturer cloud, and check that it has a valid certificate of trust authorised by Intel or the device manufacturer. With this, an organisation can be assured of the authenticity of the PC components and identify any unauthorised additions or hardware changes.

Moreover, the Intel vPro® platform gives IT departments the ability to respond to attacks and recover from security breaches, thanks to a feature built into the platform from the beginning: Intel® Active Management Technology (Intel® AMT).

Intel® AMT is a combination of hardware and firmware embedded in the silicon of the Intel vPro® platform that provides an out-of-band connection for remote management below the level of the operating system. It includes full keyboard, video, and mouse (KVM) access, plus the ability to reboot the system to a safe environment delivered from a remote server. Intel AMT thus provides a way to remotely patch low-level software and to gain back control of devices from malware.

More recently, Intel has updated the capabilities of Intel AMT with the release of the Intel® Endpoint Management Assistant (Intel® EMA), providing an updated way for IT support staff to connect with and manage endpoints for the cloud era.

Intel EMA is designed to make Intel AMT easy to configure and use so the IT department can manage devices without disrupting workflow, which in turn simplifies client management and can help reduce management costs. Intel EMA can also be used to integrate Intel AMT access into custom or third-party consoles via RESTful APIs.

Defending against threats

Data protection in the Intel vPro® platform is provided through security features baked into the processor. This comprises support for cryptographic acceleration via an advanced encryption instruction set, AES New Instructions (Intel® AES-NI), in the Intel® Xeon® and the Intel® Core™ vPro® processor families. AES-NI consists of seven new instructions which accelerate the performance of applications performing encryption and decryption using the AES algorithm. Added to this is Intel® Secure Key, which implements Digital Random Number Generator (DRNG) circuitry. This is a vital feature for security applications, since cryptographic protocols rely on the ability to generate high-quality random numbers for stronger encryption keys.

With industry leading hardware virtualization capabilities, identity and access protection is covered on Intel vPro® platform. This secure foundation helps protect MFA log-in credentials & OS security features from direct memory access attacks.

Intel® Hardware Shield also provides the ability to detect and protect against threats through a new set of hardware acceleration capabilities aimed at boosting the ability of security tools to detect cyber attacks and malware.

It enables a system to offload the burden of scanning memory for tell-tale malware signatures to the GPU, which is often sitting largely idle when users are running everyday productivity applications. Offloading the processing this way frees the CPU for other tasks, allowing the users to carry on with their work unimpeded by the scanning process. It also improves the battery life of devices. Support for this capability is already incorporated into some third-party security suites such as Microsoft Defender Advanced Threat Protection (ATP).

Intel Hardware Shield also uses machine learning heuristics to deliver an adaptive capability that can learn over time, reducing the likelihood of false positives, for example. According to Intel, such use of machine learning is likely to expand in future, to add further value to the Intel vPro® platform.

In summary, corporations can no longer rely on fortifying the network perimeter to keep their IT infrastructure secure in today’s highly connected, high-threat world. Instead, every device, every endpoint has to be secure and zero-trust policies need to be applied to all users, devices, and applications.

From an endpoint perspective, zero-trust means that security enforcement has to be built upon secure foundations rooted in the hardware itself, as malware and attackers are adept at finding ways of evading software-based solutions. The Intel vPro® platform provides that hardware level of trust, as well as additional capabilities that build upon this foundation to provide a layered approach to keeping devices and their data secure.

Sponsored by Intel®

Biting the hand that feeds IT © 1998–2021