Intel is preparing to introduce new security features in its next-generation vPro microprocessors which will improve encryption support while making systems easier to install and manage.
Built under the code-name 'Danbury', the embedded security features - planned to be introduced in early 2008 - promise to improve the efficacy of commercial encryption tools via onboard integration hooks for the programs, and by adding a new layer of hard drive protection when vPro-powered computers are asleep or otherwise powered-down.
According to Intel officials, the addition of the Danbury technology will also make it far easier for organisations to put encryption applications into place by directly addressing the common headache of key management within the new embedded security tools.
Many companies that have already installed encryption software on their computers are still struggling with key management, and, even worse, most fail to realise that the applications do not protect hard drives unless the machines are fully powered-up - creating an attractive vector for attackers and giving those organisations a false sense of security - said Steve Grobman, director of business client architecture at Intel.
Even those computers carrying today's full-disk encryption tools remain vulnerable to attack when they are in hibernation and stand-by mode, he said.
That fact proves even more troublesome as so many companies are using encryption software as a means to safeguard sensitive data on their machines and meet compliance regulations, especially in the case of computers that have been stolen and had their authentication systems bypassed.
"Companies want to utilise full disk encryption to better protect their data, but commercial software products are hard to deploy and still leave many ways for machines to be attacked," Grobman said. "By putting certain aspects of encryption into the hardware, versus using only software-based systems, we believe we can make encryption easier to deploy and manage, while addressing those remaining vulnerabilities."
Rather than pitching the Danbury tools as an alternative to commercial encryption applications, the features will serve to augment software products made by companies including Credant, PGP, Pointsec, Safeboot and Utimaco, according to the Intel product engineering leader.
All of those firms have already partnered directly with the CPU manufacturer around the upcoming release to build hooks in the chips to integrate with their own encryption software systems and allow customers to take advantage of the Danbury capabilities, he said.
"By taking certain sensitive operations and putting them directly into the hardware, such as by moving the keys into the chipset, we are making these encryption systems easier and more practical to get up-and-running," Grobman said. "This isn't an effort to compete with encryption software makers but rather to help customers see better implementations of their tools; we believe that these new features should actually have a positive effect on the entire encryption space."
The addition of the Danbury tools represents only the latest in a string of security and management technologies embedded directly into the vPro lineup by Intel, including the company's Active Management Technology (AMT), which is aimed at making it easier for administrators to do remote updates on corporate machines, such as for installing anti-virus (AV) updates or operating system (OS) security patches.
Earlier this year, Intel also announced new features that extend malware behavior-detection further onto the CPU level and wall off virtualised software systems from attack, along with new tools meant to help desktops communicate directly with so-called network access control (NAC) systems, which are used for device configuration monitoring and network authentication.
In another nod to extended management capabilities, the Danbury features will also provide IT organizations with the option to gain remote access to encrypted machines to patch them - without any interaction on the part of end users, Grobman said, and give administrators the ability to set parameters for implementation of encryption applications using Microsoft Active Directory.