White Paper
4th Generation Intel® Core™ Processors and Intel® Atom™ Processors
Intel and Windows 8.1* Mobility
Stronger Endpoint Security Starts with a Hardware-Based Foundation

Whether you use traditional management or mobile management solutions, keep your enterprise safer with devices built on a framework of hardware-assisted security

Mobile Devices Need Stronger Protections

When it comes to convenience and access in the enterprise, this is a golden age. Users can access corporate resources and data from their smartphones, tablets, or PCs from almost anywhere at any time. Of course, what’s convenient and productive for your users can be a security and management headache for your IT administrators as they strive to take advantage of increased mobility and the bring-your-own-device (BYOD) trend while securing corporate data.

The personal nature and associated usage patterns of mobile devices make them prime targets for attacks. Users are not known for their security awareness. They install all sorts of apps on their mobile devices without regard for the security of those apps. Users allow apps to have all the device permissions the apps ask for, even when the permissions are overreaching. Mobile devices are often shared between family members with little oversight over how they’re used or what websites and data they access. The devices also might frequent wireless networks that have dubious levels of security. Users then use these devices to access both personal and corporate data. These usage patterns put mobile devices and their users at higher risk from identity theft, malware, and other stealthy threats that can infiltrate systems at deeper levels to steal data or even take control of a device.

Windows 8.1* now makes mobile management of PCs possible by adding more granularity for control of non-domain-joined mobile devices and support for mobile device management (MDM) products. By supporting the Open Mobile Alliance Device Management (OMA DM) API, Windows 8.1 enables you to manage devices through a low-overhead agent without needing to deploy a full management client on each device. But MDM products don’t offer the same level of control as traditional domain-joined management solutions.
To strengthen endpoint security, you need a solution that builds from the silicon up to better ensure the integrity of the system even before the operating system starts. By using tablets, Ultrabook™ devices, 2 in 1 devices, and laptops powered by 4th generation Intel® Core™ processors and Intel® Atom™ processors running Windows 8.1, you can complement your MDM solution with strong, hardware-assisted security and with more comprehensive management, speed, and efficiency.1

Table of Contents
Mobile Devices Need Stronger Protections ...... 1
Strong Security Starts before the Operating System ...... 2
Block Stealthy Malware ...... 2
Provide Safer Authentication ...... 3
Secure Your Company’s Data ...... 3
Strengthen Encryption with True Random Numbers ...... 4
Meet the Mobile Device Security Challenge ...... 5

Strong Security Starts before the Operating System

Hardware-assisted security adds layers of protection that stay with the device regardless of how it is used or managed. Even before the operating system starts, deeper layers of security are working to help prevent stealth malware, like a rootkit, from injecting itself and taking over a system. For example, during the initial Windows 8.1 boot process, Intel® Platform Protection Technology with BIOS Guard and Boot Guard helps prevent unauthorized software and malware from taking over boot blocks that are critical to a system’s function.1 Unified Extensible Firmware Interface (UEFI) Secure Boot continues early protections by ensuring only a properly signed operating system loader is used during startup.

Windows 8.1 Trusted Boot provides additional startup protections by using the UEFI root of trust to ensure that the rest of the boot components are secure and have integrity. At the same time, Windows 8.1 Measured Boot takes measurements of each component—from firmware up through the boot start drivers and even anti-malware drivers—and securely locks away the measurements in a trusted platform module (TPM), such as Intel® Platform Trust Technology. The measurements collected by Measured Boot can be securely accessed from Intel Platform Trust Technology by third-party security software in order to compare the current state of the system against the known-good state established by Secure Boot. By establishing and verifying a trusted state, you can better ensure the integrity of the system and help identify and block malware before it takes root.

Each time the device is started, these combined technologies help ensure that the deepest levels of the system are not tampered with. But hardware-enhanced security doesn’t end with the boot process. Intel Platform Protection Technology with Intel® OS Guard helps protect the deepest levels of your system, even if an application has been compromised.2 This unique Intel feature helps prevent hackers from remotely taking over a user’s PC by preventing malicious code in compromised application memory from launching low-level, privilege escalation attacks.

Block Stealthy Malware

Once stealthy malware infects the system, it stays invisible to antivirus software. That gives the threat an opportunity to take control of the system, steal confidential information, and spread to other systems. Mobile device users need run-time protections to help block stealthy threats—malware that can infect deeper levels of the system and go undetected by software-only solutions.

2 million: stealthy rootkit malware samples documented by McAfee Labs in 2012, compared to 42 samples in 2007.3

The strongest protection from malware comes from solutions that don’t rely on knowledge of existing threats. By pairing built-in protections from Windows 8.1 devices powered by Intel processors with McAfee Deep Defender* software, you can detect and block advanced, hidden attacks in real time before they cause damage. McAfee Deep Defender relies on McAfee DeepSAFE* technology, a solution jointly developed by Intel and McAfee that delivers real-time, kernel-level monitoring of memory. This unique connection to hardware with behavioral-based detection makes McAfee Deep Defender more


effective than software-based solutions. In fact, in testing against top competitors by AV-TEST labs, McAfee Deep Defender was the only product to detect 100 percent of stealthy rootkits.4

With strong, proactive protections from Intel OS Guard and McAfee Deep Defender, you can stop more kernel-level attacks before they have a chance to propagate and threaten mobile devices based on Intel processors, even when the devices are non-domain-joined or are inaccessible from your corporate network.

Provide Safer Authentication

Providing secure access to resources has always been a challenge for organizations. That challenge has grown recently, due to the expanding landscape of mobile devices, applications, and busy employees on the go. To better protect your assets and users, you need to provide something stronger than a simple user name and password scheme for authentication and VPN access. With Intel® Identity Protection Technology (Intel® IPT),5 Intel provides a hardware root of trust that can be used by multi-factor authentication solutions on devices powered by Intel Core processors and Intel Atom processors.

For example, with Intel IPT with Public Key Infrastructure (PKI), users can log on to a VPN without having to enter a password or fumble with a physical token, while still benefiting from the stronger security offered by two-factor authentication. For devices powered by Intel Atom processors or Intel Core processors with Intel® vPro™ technology,7 Intel IPT with PKI offers an alternative to physical smart cards that is easier to deploy and less expensive. Intel IPT with PKI has built-in hardware capabilities to store digital certificates in firmware for secure VPN or Secure Sockets Layer (SSL) web site authentication, to authenticate a user and a server to each other, and to encrypt and digitally sign e-mail and documents. Even if you already have a PKI implementation in your organization, Intel IPT with PKI could save you money by eliminating the need to purchase and support traditional smart cards or other token storage options. In addition, on devices powered by Intel Core processors, Intel IPT with PKI can be used with Protected Transaction Display (PTD) technology, which lets you create secure PIN pads to protect passwords and numeric key entries from screen-scraping and key-logging malware.

Secure Your Company’s Data

Data is your company’s most valuable asset. From customer information to employee identities to your intellectual property—if a device is lost or stolen, you need to keep those assets out of the wrong hands. With mobile devices off the company network and outside of domain control, this can be a challenging proposition; but several Intel hardware-assisted technologies can help you keep your data away from prying eyes.

17,317,184: identities exposed in 447 reported breaches in 2012.6

Encryption is one of the best ways to keep your data safer, but organizations are often reluctant to widely deploy encryption because of the overhead it entails. Intel helps you remove the barriers to deployment with Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI),8 a cryptographic instruction set that accelerates AES data encryption and decryption on devices powered by Intel Core processors and Intel Atom processors. Because of the enhanced cryptographic performance of Intel AES-NI, IT can reap the benefits of encryption for stronger security without imposing any significant performance hit on users.

Figure 1: Unified Extensible Firmware Interface (UEFI) Secure Boot and Measured Boot technologies in Windows 8.1* help verify and secure the system at startup
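The Measured Boot comparison described in the section Strong Security Starts before the Operating System and depicted in Figure 1, as an added example that is not code from the white paper, Windows or any TPM: a Python simulation of how a PCR is extended with each boot component's digest and how verification software replays the boot log against a known-good chain to find the component that changed. Component names, blobs and the status strings are this example's own constructions.

```python
"""Added example: Measured Boot log replay against a TPM PCR value.
Simulates how Measured Boot extends a PCR with each boot component's digest
and how verification software compares the PCR the TPM reports against a
known-good chain to pinpoint the changed component. Component names and
blobs are constructed; the status strings are this example's own."""
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank; PCRs are all-zero after platform reset


def measure(component: bytes) -> bytes:
    """Digest of a boot component (firmware, loader, driver image)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || measurement). One-way and
    order-dependent, so an entry cannot be dropped or reordered unnoticed."""
    return hashlib.sha256(pcr + measurement).digest()


def golden_chain(known_good_log):
    """Running PCR value after each entry of a known-good boot log."""
    chain, pcr = [], bytes(PCR_SIZE)
    for _name, blob in known_good_log:
        pcr = extend(pcr, measure(blob))
        chain.append(pcr)
    return chain


def replay(log) -> bytes:
    """Final PCR value the given log should produce."""
    return golden_chain(log)[-1] if log else bytes(PCR_SIZE)


def verify(reported_pcr: bytes, golden, current_log):
    """Compare this boot's log and the PCR the TPM reports against the
    known-good chain. Returns (status, first_changed_component)."""
    # The log is only trustworthy if replaying it reproduces the TPM's PCR.
    if replay(current_log) != reported_pcr:
        return "log-tampered", None
    pcr = bytes(PCR_SIZE)
    for (name, blob), good in zip(current_log, golden):
        pcr = extend(pcr, measure(blob))
        if pcr != good:
            return "changed", name  # first divergence from known-good state
    if len(current_log) != len(golden):
        return "changed", "component count"
    return "ok", None


# Constructed sample log in Measured Boot order: firmware, boot manager,
# OS loader, then the early-launch anti-malware (ELAM) driver.
KNOWN_GOOD = [
    ("firmware", b"OEM UEFI firmware build 1.02"),
    ("bootmgfw.efi", b"signed Windows boot manager"),
    ("winload.efi", b"signed Windows OS loader"),
    ("elam-driver.sys", b"early-launch anti-malware driver"),
]
GOLDEN = golden_chain(KNOWN_GOOD)  # known-good state kept by the verifier

if __name__ == "__main__":
    swapped = list(KNOWN_GOOD)
    swapped[2] = ("winload.efi", b"patched loader")  # constructed tampering
    print(verify(GOLDEN[-1], GOLDEN, KNOWN_GOOD))      # ('ok', None)
    print(verify(replay(swapped), GOLDEN, swapped))    # ('changed', 'winload.efi')
```

The third check in `verify` matters in practice: a log edited back to look clean no longer reproduces the PCR the TPM actually holds, which is why the comparison is made against the hardware value rather than the log alone.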


Table 1: Hardware-assisted technologies strengthen security on devices powered by Intel® Core™ processors and Intel® Atom™ processors running Windows 8.1*

| Technology | Benefit | Intel® Core™ processors | Intel® Atom™ processors |
|---|---|---|---|
| UEFI Secure Boot | Provides a secure root of trust and prevents execution of an unverified bootloader | X | X |
| Intel® Platform Protection Technology with BIOS Guard1 | Protects the BIOS flash from modification without platform manufacturer authorization | X | |
| Intel® Platform Protection Technology with Boot Guard1 | Helps maintain boot integrity by preventing execution of unauthorized software and malware in the boot blocks | X | X |
| Intel® Platform Trust Technology | Provides a standards-based TPM solution for securely storing measurements used to verify integrity of the system | X | X |
| Intel® OS Guard2 | Helps prevent privilege-escalation attacks that allow attackers to take control of the OS | X | X |
| Intel® Secure Key9 | True digital random number generator with keys created more securely in the hardware | X | X |
| Intel® Virtualization Technology (Intel® VT-x)10 | Provides hardware-assisted foundation for McAfee DeepSAFE* and McAfee Deep Defender* security | X | X11 |
| Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI)8 | More efficient encryption; used with McAfee Complete Data Protection Suites* to help keep data safer without any noticeable impact on performance | X | X |
| Intel® Identity Protection Technology (Intel® IPT) with Public Key Infrastructure (PKI)5 | Provides strong two-factor authentication without the need for physical tokens | X | X12 |
| Intel IPT with Protected Transaction Display (PTD)5 | Helps verify human presence at PC and prevent screen-scraping and key-logging of passwords | X | |

Intel AES-NI also accelerates the encryption used by McAfee Complete Data Protection Suites*, which include protection from stealth attacks, real-time memory and CPU monitoring and, of course, strong, efficient encryption of data.

Encryption is even simpler when you deploy client devices built with the Intel® Solid-State Drive (SSD) Pro 1500 Series. These advanced SSDs include an integrated hardware-based 256-bit AES engine that can seamlessly encrypt and decrypt data without compromising performance. When coupled with systems powered by Intel® Core™ vPro™ processors, the Intel SSD Pro 1500 Series also gives you extensive remote management capabilities, including remote password reset. If a user forgets the password to their SSD, IT can reset the password quickly and remotely so the user can get back to work more quickly.

Strengthen Encryption with True Random Numbers

Typically, encryption keys are generated from software-based, pseudo-random number generators. Pseudo-random numbers offer complexity that seems secure, but in reality can be replicated by sophisticated hackers who determine the procedure used to generate the numbers. Intel® Secure Key responds to this


challenge with a hardware-based solution that creates high quality, true digital random numbers on the processor chip.9 Random numbers generated by Intel Secure Key can be used across a variety of cryptographic operations to create stronger encryption keys that help keep data secure anywhere that encryption is used on the device, such as virtual private networks or with McAfee Complete Data Protection Suites.

It’s nearly impossible to limit where employees take their mobile devices or how those devices are used. With strong, efficient, hardware-enhanced encryption technologies, you can keep the data on those devices better protected.

Meet the Mobile Device Security Challenge

Today’s modern workforce expects full access to resources from a wide range of devices tailored to their needs. To better protect your devices, data, and users, complement your management solutions with strong, hardware-assisted protections available on devices powered by Intel Core processors and Intel Atom processors and running Windows 8.1. With enhanced security rooted in hardware, Intel integrated technologies help keep your systems safer with the speed and efficiency to meet the requirements of modern devices running Windows 8.1 and to satisfy the needs of your demanding workers.

For more information on Intel hardware-assisted security features, visit: www.intel.com/technology/security

For more information on tablets and Ultrabook devices powered by Intel Core processors and Intel Atom processors, visit: www.intel.com/tabletforbusiness and www.intel.com/ultrabookforbusiness

1 No computer system can provide absolute security under all conditions. Built-in security features available on select Intel® processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details. For more information, see https://security-center.intel.com/.
2 No system can provide absolute security. Requires an Intel® OS Guard-enabled platform, available on select Intel processors, and an enabled operating system. Consult your system manufacturer for more information.
3 McAfee Labs, “The New Reality of Stealth Crimeware,” June 2011. http://www.mcafee.com/stealthcrimeware.
4 AV-TEST GmbH. “Proactive Rootkit Protection Comparison Test.” February 2013. http://www.mcafee.com/us/independent-reports/av-test.aspx.
5 No system can provide absolute security under all conditions. Requires an Intel® Identity Protection Technology-enabled system, including a 2nd gen or higher Intel® Core™ processor enabled chipset, firmware and software, and participating website. Consult your system manufacturer. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com/.
6 Identity Theft Research Center, “2012 ITRC Breach Report,” December 2012. http://www.idtheftcenter.org/images/breach/Breach_Report_2012.pdf.
7 Intel® vPro™ Technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software and IT environment. To learn more visit: http://www.intel.com/technology/vpro.
8 Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® processors. For availability, consult your reseller or system manufacturer.
For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/.
9 No system can provide absolute security. Requires an Intel® Secure Key-enabled platform, available on select Intel processors, and software optimized to support Intel Secure Key. Consult your system manufacturer for more information.
10 Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, and virtual machine monitor (VMM). Functionality, performance or other benefits will vary depending on hardware and software configurations. Software applications may not be compatible with all operating systems. Consult your PC manufacturer. For more information, visit http://www.intel.com/go/virtualization.
11 Not all Intel® Atom™ processors feature Intel® Virtualization Technology (Intel® VT). For a full list of processors featuring Intel VT, visit http://ark.intel.com/products/virtualizationtechnology.
12 Intel® Identity Protection Technology (Intel® IPT) is scheduled for availability on select Intel® Atom™ processors in the near future.

Intel, the Intel logo, Intel Core, Atom, and Ultrabook are trademarks of Intel Corporation in the U.S. and/or other countries. Copyright © 2013 Intel Corporation. All rights reserved. * Other names and brands may be claimed as the property of others. 329442-001US