
A few weeks ago, I told you our Energy Use in the Office Proof of Concept had finally started.  It’s been almost three weeks so I thought I’d give you a quick status update.


As a quick overview, the PoC includes all employees in a single office building across three floors, about 1000 people.  Physical electrical metering was installed on each floor covering only office power.  An internally developed web-based user interface displays energy use via charts in total and by floor.  Each floor also has a kWh per employee score.  The charts are displayed in an hourly view for the current day as well as a daily view for the past two weeks.  Pre-PoC baselines are also provided for both the total and floor kWh charts and the kWh per employee score.  This interface also displays a different energy savings tip every 30 seconds.  It is displayed in the building’s lobby and café on 37” LCD screens.  An email announcing and explaining the PoC, as well as listing several energy saving tips and tricks, was sent to all participants.


Unfortunately, the results so far have not been what we were expecting, which was a reduction in energy use.  One floor’s energy use remains the same and the other two floors have actually increased their energy use.  We are sending a status update email to all PoC participants today and hope this reminder will spur voluntary action that results in energy savings.


I’ll provide another update in a couple of weeks as we wrap up the PoC.


By the way, I hope to release an external paper fully covering the project and results in early Q3.


-Mike Breton
IT Technology Evangelist

Today, this article discussed how IT organizations around the world have, through Green IT projects, reduced costs and pollution, creating value for both the business and the environment.  Collectively this is an impressive amount and shows the continued commitment and benefit of Green IT projects.


Intel was a founding member of Climate Savers, and Intel IT is doing projects under our IT Sustainability Program to do our fair share. Inside Intel IT, we are innovating to deliver IT solutions that reduce Intel’s footprint. Since 2008, Intel IT’s long-term sustainability strategy has saved over $4M and reduced power consumption by 49M kWh through data center innovation, virtual collaboration tools and managed mobile clients.  The environmental impact of these projects totals an estimated 26,000 metric tons.


We have captured our projects in this fun video - check it out.


I'm curious to know what other IT organizations are doing.  Share your projects and results with us by adding comments and links below.


This is a joint accomplishment worth celebrating!!


Chris Peters, Intel IT

On Twitter I watch the #CIO stream and often find good, interesting dialogue and content.


The other day I found a good, active IT Management discussion thread led by Michael Krigsman on site.  The topic is alignment, or more often misalignment, between Business and IT.


I have blogged on the Strategic Partnership between IT and Business as being a key CIO initiative inside Intel IT (blogs below) and wanted to share what I found to be a good discussion led by Michael.




IT Management Skills: What is Most Important?


Silos and Server Huggers. Are They Holding Your IT Organization Back?

I like Win7 gadgets.  Although I don’t use many of them, I am attracted to the idea of their potential, specifically how they could be used to improve information security within an organization.  I am not a coder, but I do have a few ideas for Win7 gadgets which could empower users to wield security to protect their systems and information.  Here is my list:


  1. System Login Tracker.  Applet showing which systems are currently logged in with the user's credentials.  Purpose: Inform the user which systems are being controlled under their identity and authorization.  Users can intercede on suspicious access as well as log out from unneeded systems.

  2. Login History Tracker.  Applet showing the last time a system (or application) was logged into with the user's credentials.  Purpose: Inform users when their credentials were last used, to identify situations where their login/password has been stolen or inappropriately cached and is accessing systems without the user's knowledge.

  3. Password Countdown.  A countdown applet showing the number of days until the user's passwords expire.  As the expiration date approaches, the color changes from green to yellow and eventually red.  Links to corporate password policy rules and instructions on how to change and synchronize passwords aid the user experience.  Purpose: Awareness of those pesky password expirations.  No surprises, and links to help with the process.

  4. System Security Confidence.  An applet which shows the current state of security confidence for the client.  Shows outstanding application/OS patches and AV/firewall/proxy status.  Purpose: An easy way to know if your system is current with security controls, and therefore how confident you can be that your work is secure.

  5. Network Connections Tracker.  A novice-friendly applet to show active network connections to shared drives and servers, with the ability to click unwanted connections to disconnect them.  Purpose: User awareness of the systems the client is connecting to.  Removal of unneeded connections can improve client performance and reduce security risks.

  6. Secure Document Manager.  Applet to flag sensitive or controlled documents (example: top secret) and then provide a list of those files on the system.  A secondary function integrates with encryption solutions to enable the user to secure identified files.  Purpose: Empower users to flag their sensitive data and track which files exist on the system.  Also a convenient way to implement encryption of specific files at the discretion of the user.

  7. Encrypted File Explorer.  Applet to show a list of encrypted files on the system (across email, on secondary drives, etc.) within a file explorer window.  Purpose: Convenient way to identify, track, and manage encrypted files on the system.

  8. Legacy File Manager.  Applet to identify files which likely exceed the corporate retention guidelines, with the ability to mark them for future deletion.  Purpose: Assist users in complying with challenging corporate retention guidelines and clean the system for better performance.

  9. Privacy Data Finder.  Client query search with Personally Identifiable Information (PII) parameters to locate files on the system likely to contain sensitive personal data.  Functions to secure (encrypt or delete) the files are a bonus.  A link to the corporate privacy site is convenient for user training and FAQs.  Purpose: User awareness of what privacy data is likely on the system, and the tools to secure that information.

Who will be the enterprising software engineers to develop these helpful security gadgets?

Data security is a hotbed of activity and stands to be a huge growth area in the next decade.  The world is rapidly changing and, with the explosion of social media, data is more at risk than ever before.  Users and organizations are beginning to realize the need for new, comprehensive, flexible and robust data security.  Sadly, such solutions are just not available yet.  In fact, the industry is still trying to define the end-game of capabilities which should be part of future data security services.


I have been blogging about the shortcomings of data security and have offered some thoughts on how the industry must evolve.  In that spirit, here is my future wish-list of functions the data security industry must embrace and combine in order to fully realize the value proposition of data security.


  1. Solution must seamlessly integrate with how users work and help them to classify and characterize their data

  2. Extend security services to platform and endpoints where data is consumed, created, and managed.  This includes servers, clients, smart phones and handhelds, portable storage devices, cloud services, and virtual machines

  3. Enable data owners to search for their sensitive data across the enterprise

  4. Educate and reinforce good security behaviors and corporate policies with the user community in timely and relevant situations

  5. Allow users to make some risk decisions for their data while providing guidance and tracking accountability

  6. Help users comply with data retention timeline policies

  7. Facilitate users' ability to securely destroy data

  8. Provide mechanisms to easily share and send data securely outside of the organization

  9. Provide the structure for users to easily understand and manage who has rights and permissions to access and possess their data, including the ability for revocation, replacement with current versions, or destruction of their protected data on other users' systems within the enterprise

  10. Provide tagging and cluster functions for users to easily find all their data related to a topic, keyword, project, or person and then manage the security functions for that collection or group

  11. Secure the data from unauthorized exposure in transit, in storage, and while in use

  12. Protect data from unauthorized editing, tampering, or destruction while in transit, storage and during use

  13. System must trigger and report when corporate policies are being violated and be able to interdict at the time and place of incursion with the flexibility to either block actions or engage the user for override authorization (tracked with acknowledgement of policy)

  14. Support electronic discovery actions to locate and copy data required by legal request

  15. Learn and remember nuances of specific users to better reduce false positives for the previously stated capabilities

In all fairness, some of these capabilities are currently available in a piecemeal manner, but most of those lack maturity, scalability, or efficiency.  To satisfy future needs, we require a comprehensive solution which properly combines all these critical areas.  Such a package is necessary to empower users and organizations to easily manage and protect their data and to aid them in complying with corporate policies and evolving regulatory requirements, in a cost-effective and sustainable manner.

With well over 1 million pieces of malware discovered each month, security Spartans are fighting in the shade.  Borrowing a timeless quote from the brave warrior Dienekes, it appropriately conveys how modern information security professionals are committed to an enormous ongoing battle that may not be as pointless and depressing as the sheer numbers suggest.


Today’s modern electronic battlefield is strewn with weak operating systems, buggy software, and users who don’t act in their own best interest to maintain security.  An army of attackers is constantly on the prowl for new ways to exploit systems, users, and data.  Every day they uncover a wealth of potentially new weaknesses and in turn develop thousands of ways to tap these opportunities for their crooked benefit.  These arrows of malware come raining down in the millions and can seem overwhelming to the security defenders manning the front lines.


History teaches us a lesson.  In Dienekes' time, foot soldiers did not need to fear all arrows in a barrage, only those few which would land near or on them.  Knowing they would stand in harm’s way, they came prepared with well-chosen equipment, training, and a good strategy.  In this way the Spartans earned the reputation of a highly efficient and effective fighting force, regardless of the opposition’s size.  Those principles resonate with today's battle against computer malware and the vulnerabilities it exploits.  Information security organizations must apply the same basic thinking to find a balance between applicable controls and the risks of likely attacks, in order to maintain an optimal level of security.


Although millions of malware samples are discovered every year, many represent a low or negligible risk to even a modestly secure environment.  Here are some recommendations to tighten up your battle ranks:

  • Minimize your exposure footprint by keeping up with the best common security practices

  • Place emphasis on security controls which will interdict those threats likely to adversely affect your environment and cause unacceptable loss

  • Apply a defense in depth structure to predict those methods which likely would succeed in your environment and then invest in preventative controls to close those vulnerabilities

  • Depth of the structure must also provide a detection and response capability as eventually some arrows will penetrate the first lines of defense.  Being able to quickly identify problems and restore services is imperative

  • Avoid the inefficient treadmill of trying to protect from every arrow.  It will divert resources and prove to be an unavoidable distraction


Facing endless waves of malware may seem insufferable.  But being armed with well-chosen controls, veteran experience, and a good security strategy will make fighting in the shade a little easier.

Other Related Blogs: The hard truth of anti-virus

Intel® Anti-Theft Technology: LIVE CHAT 7/29 @ 11:00am ET/8:00am PT


Please join Intel experts for a discussion of your PC client security concerns. On July 29th, the Ask an Expert community will be hosting a live chat on Intel® Anti-Theft Technology. You can find the live chat at the top of the Ask An Expert sub-community. This new chat format will allow you to discuss your security concerns, exchange ideas and ask questions. Intel content experts will include Mike Schulien, Intel Solution Architect, and Maurcio Cuervo, Intel Product Manager.

Intel® Anti-Theft Technology is a new technology that provides an added level of hardware-based security to protect a laptop and its data if it is lost or stolen.  With physical security being a leading cause of data breaches, new technologies built into end point devices form a critical piece of your IT security strategy.


Designed to work as a service “ingredient” to data encryption and theft management solutions, Intel® Anti-Theft Technology provides hardware-strong client-side intelligence to help secure sensitive data, regardless of the state of the OS, hard drive, boot order, or network connectivity.




At Christmas last year, I made a wish (What I want for my work PC in 2010?) to bring my own PC to work and have only one single PC for work, home and travel. That wish hasn’t come true yet. However, on the mobile device front, we do make progress.


Intel IT has been supporting a few models of smartphones to allow Intel employees to access their email with those gadgets. I have been using a smartphone to access work email for a few years. I've found it a great productivity tool, especially when I ride the subway to work. Previously, the number of models supported by Intel IT has been limited. With some models, employees can only get email content without attachments due to information security requirements.


In an IT newsletter to Intel employees I read last week, Intel IT announced that we are going to expand the support of smartphones by a large extent. Basically, many devices running the popular smartphone operating systems (OS) will now be supported with both email and attachments. And it is not limited to the smartphone form factor: tablets running those OSs will be supported, too! I have been hearing my colleagues’ wishes to access corporate email from their latest cool personal gadgets. This news certainly answers their wishes, and mine. I believe, in general, this improves employee productivity by enabling them to access corporate email with their device of choice, and they can have this capability on multiple devices in their bag or at their home.


Are you accessing intranet and email from your smartphones or mobile devices? How is your IT organization supporting them? Please share your story with us in the comment field below.


If you’re interested in Intel IT’s view on Device Independent Mobility and Client Virtualization, check out our related piece, Enabling Device-Independent Mobility with Dynamic Virtual Clients.

In my late April post, I announced the start of our Energy Use in the Office proof of concept.  We had deployed a third-party tool that collects PC energy usage information to about 1000 systems in one of our office buildings and had begun a 30-day baseline period.  Unfortunately, we ran into some technical issues and had to uninstall the agent and redesign the PoC a bit.


I’m happy to announce the PoC was restarted again this Monday!




In the new design, two kiosk displays have been installed in one of our office buildings that display charts of energy use in the office, in total and by floor.  Each floor also has a kWh per employee score.  The charts are displayed in an hourly view for the current day as well as a daily view for the past two weeks.  Pre-PoC baselines are also provided for both the total and floor kWh charts and the kWh per employee score.




It’s too early to share any potential change in energy use with you, but I can tell you people are looking at the screens.  Stay tuned for another update with some initial results in a couple of weeks.




By the way, I hope to release an external paper fully covering the project and results in early Q3.




-Mike Breton

IT Technology Evangelist

Platform as a Service (PaaS) is the delivery of a cloud computing platform on which developers create and deploy web applications and cloud services.  Industry analysts claim that PaaS is already a compelling alternative to traditional application development due to high availability, low cost of entry, elimination of infrastructure management, and ease of application deployment and support.


In the external cloud, PaaS has unique advantages for applications which serve many users outside the enterprise, require extensive integration with outside services, and/or are a temporary or highly elastic capability. On the market today, there are more than a dozen PaaS providers, each offering cloud development environments which lock you in to a particular development methodology.  We’re exploring some of the options with an eye toward enterprise scale, security models and programming methodologies. Each environment has different capabilities and limitations for developing and deploying applications.


As our enterprise environment evolves into a single internal cloud which scales based on demand, application developers will construct applications structured for virtualized, web-based environments that mesh seamlessly between internal and external clouds.  Internally hosted PaaS is an opportunity to provide an integrated approach to the cloud application and services layers.  With Service Oriented Architecture (SOA) as the foundation, developers could incorporate standard underlying services such as security and manageability, while the new applications are encouraged to be designed as reusable services themselves.

- Lessons Learned and Best Practices From Intel IT -


I have been a long-time advocate for proactive server refresh within IT organizations based on the experiences gained inside Intel IT.  Well, now I can say that PC refresh is equally beneficial and important. Some of my IT colleagues (Avi Zarfarty, Uri Cohen and John Mahvi) in the IT Finance and PC Operations team have captured their IT best practices in a Laptop Refresh Estimator tool that helps organizations determine the optimal schedule and timing for PC refresh to maximize employee productivity and drive IT efficiencies with lower costs.


As a consumer of technology, I always want a faster and more capable laptop. I'm not alone. How many times have you wished that you had a better laptop ... been frustrated that it is hindering you from getting your work done ... which is hindering you from getting on with your real life?  So our natural demand as employees back to IT is "Get me a faster / newer laptop!" or "Fix the one I have."


As an IT professional working in a large enterprise (80,000 employees), I realize that we can't have every employee adopt the latest technology as soon as it is available, however desirable that may be.  Given the pace of technology, the resources needed to do fork-lift upgrades of all PCs for all employees simultaneously are simply not practical for many businesses.


So the question is: what is the right frequency at which we should replace laptops to balance the needs and desires of employees with our responsibility to be good financial stewards to the business? In this short video, John Mahvi explains the Intel IT approach and the decision criteria that shaped our decision and model.  The Laptop Refresh Estimator captures our analysis and methodology along with the many factors like hard costs (acquisition, implementation, maintenance, ...) and accounts for softer productivity cost estimates if desired.


Choosing the right PC refresh strategy enables an IT organization to get an improved return on IT investment while enabling business efficiency and productivity with a more effective workforce. Inside Intel IT, we adopted a proactive PC refresh strategy aimed at reducing operating costs and boosting productivity. Currently the average age of an Intel employee notebook is under 24 months.


I invite you to learn more about our strategy by reading the IT@Intel whitepaper titled "Using TCO to Determine PC Upgrade Cycles".

I also invite you to use the estimator to find out what PC refresh rate is best for you.



Intel IT operates a very large grid infrastructure for internal R&D groups, with over 3 million jobs running per day.  This major shared infrastructure is used by all design projects at Intel for validation and many other activities.


In general, design engineers are mostly interested in a good turn-around time for their jobs.  On the other hand, IT is traditionally interested in high and efficient usage of the provided resources.  Such usage can't be measured simply as high CPU utilization.


Sometimes jobs submitted to the grid fail for various reasons, resulting in wasted runtime hours.  Sometimes jobs are submitted but have little to no value to the submitter.  Running a very large number of validation jobs may or may not bring added value: designers may have no time to triage and address all bugs reported by such validation jobs before the next validation cycle begins.


Customers should be able to terminate running jobs as soon as they realize their results are not needed anymore.  To ensure higher efficiency, we've started a joint effort with the design teams.  This effort includes extensive analysis of job waste patterns, including automatic association of finished jobs with predefined "exit buckets".


There is also an attempt to build several prediction models using data mining techniques on top of the vast data warehouse of information regarding previously completed jobs.  Predicting memory consumption or job runtime may allow us to improve scheduling decisions.  Predicting the overall execution time or the chances of job failure based on the specified parameters may reduce waste of resources.  To achieve good results, extensive joint work between IT and customer groups is necessary.


Are you facing similar challenges in your environment?  Would you be interested in learning more about our experience in this area?


Till the next post,

      Gregory Touretsky

ERP applications tend to be mission-critical.  Accordingly, the server platform strategy for ERP environments must be approached carefully.  Centralized versus distributed, scale-up versus scale-out, and how to size the servers correctly are some of the key questions that have to be addressed.  A repeatable and disciplined platform selection and sizing methodology is called for.


Karl Mailman and I discuss these considerations and Intel IT’s approach to its ERP environment in a couple of papers: An ERP Platform Strategy Based on Industry-standard Servers and Sizing Server Platforms To Meet ERP Requirements.



The questions covered in these papers are not exclusive to the ERP environment; the concepts and considerations discussed may be applicable to other mission-critical environments as well.


What are your server sizing challenges? How do you address them? I look forward to hearing your experiences and solutions. Please share them in the comments below.

Service Oriented Architecture (SOA), Cloud Computing, and Virtualization are commonly described in the IT industry as a new paradigm shift away from legacy mainframe and client/server based architectures. From an information security perspective, there shouldn’t be much difference in the process for protecting information in these environments.


The basic premise should always be to have a process defined for security development for any solution. A business process like this allows for the creation of comprehensive and reasonable security requirements based on the type of information being handled by any system. These security requirements commonly result in functional requirements defining the need and strength of authentication, authorization, and encryption, and providing the necessary focus on the CIA triad.


With regard to SOA, a service-oriented approach to an architecture brings great benefits, including loosely coupled, event-driven business services across platforms with a greater capability to evolve the application while supporting previous versions. But especially for applications that have been converted to a service-oriented architecture using web service protocols, the risk profile should be updated to comprehend a new environment that may not have been considered in the initial threat model.

Any modification to an application’s architecture should provoke a new risk assessment to revise the initial security requirements. This approach could reduce the risk by addressing threats that may exist in the new protocols and communication channels being introduced through web services due to the possibility that the attack surface will increase.

SOA Expressway is an Intel-provided software appliance designed and used by Intel specifically for the purpose of proxying web service calls as an XML gateway before they are passed on to the web service. Intel SOA Expressway provides a workflow-like structure, referred to as Business Process Execution Language (BPEL), that allows control over the instantiation of many actions and even other web services in one transaction. The benefits include the ability to separate security from the web service code, which simplifies development and allows a centralized policy for security and auditing. Intel SOA Expressway can help establish standards by supporting many disparate authentication, authorization, and encryption protocols for web services. More information about this technology can be found at

Authentication can be a big challenge for any SOA because the platforms used to expose web services may have different authentication protocols and may not interoperate well together. This is one reason why XML-based security standards such as WS-Security have been established (democratically) and published by the Organization for the Advancement of Structured Information Standards (OASIS).

Furthermore, an identity in one web service may not be the same identity in another. There are different approaches to combining identity stores, commonly referred to as federated identity. An identity is usually presented to a web service by a consumer (the calling application), and once the principal (user) is verified, authorization can be granted. SOA Expressway can communicate with different authentication protocols based on what is expected by the web service, allowing for greater standardization in authentication and authorization.

With regard to attack surface, Intel SOA Expressway can also be configured to protect against some common denial-of-service threats found in web service calls. A Content Attack Prevention (CAP) policy can be created within a workflow so that any violation to a CAP policy can provoke an action defined by the system based on policy characteristics. The CAP policy can inspect any XML message entering into the workflow in the following ways:

• XML schema validation: If schema validation fails, then the CAP policy drops the message before it reaches an endpoint.

• SQL injections, XPath injections, and DTDs: If found, then the CAP policy drops the message before it reaches an endpoint.

• Enforces XML limits: CAP policy scans the XML document’s size. If any XML limits are violated, then the CAP policy drops the message before it reaches an endpoint.

• Forbidden words and text patterns: If found, then the CAP policy drops the message before it reaches an endpoint.

• Required text patterns: If not found, then the CAP policy drops the message before it reaches an endpoint.
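To make the list above concrete, here is an added, self-contained illustration of the kind of per-message checks a CAP policy performs at an XML gateway. It is not Intel SOA Expressway code: a single expat pass enforces size, nesting and element-count limits, refuses any DTD, checks the root element (a stand-in for full schema validation, which the standard library does not provide), and scans text and attribute values for forbidden and required patterns. The policy and sample messages are constructed for an imaginary "Order" service.

```python
"""Illustrative XML-gateway message inspection in the spirit of a CAP policy.
Added example, not vendor code; the policy values and messages are made up."""
import re
import xml.parsers.expat
from dataclasses import dataclass
from typing import Optional, Tuple


class Reject(Exception):
    """Raised from a parser callback to abort parsing with a policy reason."""


@dataclass(frozen=True)
class CapPolicy:
    max_bytes: int = 64 * 1024                  # largest message forwarded
    max_depth: int = 16                         # element nesting limit
    max_elements: int = 1000                    # total element limit
    expected_root: Optional[str] = None         # required root local name
    forbidden_patterns: Tuple[str, ...] = ()    # regexes that must NOT match
    required_patterns: Tuple[str, ...] = ()     # regexes that MUST match


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def inspect_message(raw: bytes, policy: CapPolicy) -> Verdict:
    """Return the gateway's decision for one inbound XML message."""
    if len(raw) > policy.max_bytes:
        return Verdict(False, f"size {len(raw)} exceeds limit {policy.max_bytes}")

    state = {"depth": 0, "elements": 0, "root": None, "text": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is refused before its entity declarations are processed.
        raise Reject("DTD declaration present")

    def on_start(name, attrs):
        state["elements"] += 1
        state["depth"] += 1
        if state["root"] is None:
            state["root"] = name.rsplit(":", 1)[-1]   # drop namespace prefix
        if state["depth"] > policy.max_depth:
            raise Reject(f"nesting depth {state['depth']} exceeds limit {policy.max_depth}")
        if state["elements"] > policy.max_elements:
            raise Reject(f"element count exceeds limit {policy.max_elements}")
        state["text"].extend(attrs.values())        # attribute values are scanned too

    def on_end(name):
        state["depth"] -= 1

    def on_chardata(data):
        state["text"].append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chardata

    try:
        parser.Parse(raw, True)
    except Reject as exc:
        return Verdict(False, str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return Verdict(False, f"not well-formed: {exc}")

    if policy.expected_root and state["root"] != policy.expected_root:
        return Verdict(False, f"root element {state['root']!r} is not {policy.expected_root!r}")

    text = " ".join(state["text"])
    for pat in policy.forbidden_patterns:
        if re.search(pat, text):
            return Verdict(False, f"forbidden pattern matched: {pat}")
    for pat in policy.required_patterns:
        if not re.search(pat, text):
            return Verdict(False, f"required pattern missing: {pat}")
    return Verdict(True, "accepted")


# Constructed policy and sample messages for an imaginary "Order" service.
DEMO_POLICY = CapPolicy(
    expected_root="Order",
    forbidden_patterns=(r"(?i)\bunion\s+select\b", r"--"),
    required_patterns=(r"\bORD-\d+\b",),
)
SAMPLE_OK = b'<?xml version="1.0"?><Order><MessageID>ORD-1001</MessageID><Customer>ACME</Customer></Order>'
SAMPLE_DTD = b'<!DOCTYPE Order [<!ENTITY e "x">]><Order><MessageID>ORD-1002</MessageID></Order>'
SAMPLE_DEEP = b"<Order><MessageID>ORD-1003</MessageID>" + b"<a>" * 20 + b"</a>" * 20 + b"</Order>"
SAMPLE_INJECTION = b"<Order><MessageID>ORD-1004</MessageID><Customer>x UNION SELECT y</Customer></Order>"
SAMPLE_MISSING_ID = b"<Order><Customer>ACME</Customer></Order>"

if __name__ == "__main__":
    for label, msg in [("ok", SAMPLE_OK), ("dtd", SAMPLE_DTD), ("deep", SAMPLE_DEEP),
                       ("injection", SAMPLE_INJECTION), ("missing-id", SAMPLE_MISSING_ID)]:
        print(f"{label:10s} -> {inspect_message(msg, DEMO_POLICY)}")
```

Because the DOCTYPE handler fires before any entity is expanded, the check also covers entity-expansion denial-of-service payloads without ever materialising them.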

In addition to the ability to accelerate and secure XML messages throughout the network, Intel’s SOA Expressway is a software product, providing an upgradeability benefit that is not found in a proprietary hardware appliance. As a solution, Intel SOA Expressway can be right-sized for the proper level of performance according to the usage models, which could significantly lower costs and reduce risk.

Intel IT’s Information Security team embraces new use models and emerging technologies to help protect and secure business and personal information and effectively manage risk to the enterprise. A new IT@Intel whitepaper discusses why Intel IT has deployed Full Disk Encryption to more than 75 percent of eligible corporate PCs.


The Intel IT team has also started deploying new Solid-State Drives (SSDs) as a corporate PC standard to boost employee productivity, improve reliability and lower costs. An added benefit of using SSDs is that the increased drive performance removes any performance overhead that can be experienced with Full Disk Encryption, thereby helping our business be more secure and more productive.


Recently I had the opportunity to talk with Malcolm Harkins, Intel IT Chief Information Security Officer, about assessing risk inside an enterprise IT environment.  Malcolm shared that the biggest risk we face is the "Misperception of Risk".  Malcolm shares his thoughts on this topic at the 2009 Intel Security Conference in this video on the Misperception of Risk.


Chris Peters, Intel IT
