I'm sitting in an airplane seat at 38,000 feet, heading to Portland International Airport. I'm due to attend an Intel Technical Leadership conference to deliver a session on our most recent project, using vPro AMT to manage hardware-based encryption.

In between channel surfing on this nice VOD touchscreen on the back of the seat in front of me, I thought of sharing this concept with you.

 

Many of the companies I know that use Intel(R) AMT use it mostly for power control, as a PC alarm clock, or to wake up their vPro clients for patching and installations. These use cases are great introductions to AMT, but I would encourage IT admins running vPro not to stop there.

Let me share the story of self-encrypting drive management as an example. We explained the solution in detail in this white paper, but in this post I'll use it to illustrate my point.

A while back, I was approached by the client security service manager in Intel IT, who asked me to come up with a solution to manage self-encrypting drives. At the time, we were already deploying these types of drives at Intel IT, but without utilizing their encryption capabilities. In fact, since we did not have a management solution, we were forced to add another software-based encryption application on top of the hardware-based encryption, a redundant and more costly approach. Since Opal-compliant solutions are not yet widely available, we needed to be creative.

First, we needed to find a way to secure the encryption key on the drive. We decided to use the ATA password, interfaced through the BIOS, for this. Second, we had to automate the process of sending this password into the BIOS and create a randomly generated master password for each encrypted device. Third, we had to provide remote management capabilities to our Service Desk, to support cases when the user forgets the password and to ensure we have zero data loss across the enterprise.

We gathered some smart engineers from IT and the AMT engineering teams, and came up with our solution.

Using manageability web services as the heart of the solution, we can interact with the client PC's Manageability Engine using the Serial-over-LAN (SOL) protocol and automatically configure the BIOS with the passwords. A simple password management application installed locally on the client PC provides the end user with a GUI, while a centralized, secured database stores all master passwords for the encrypted devices. All communication channels are SSL encrypted as well.

During our work on this project, we gained additional benefits that we didn't even think of before we started. Specifically, we created tools that enable our IT Operations folks to better control and maintain our vPro fleet, and we also improved our data and reporting capabilities for the clients' hardware inventory and encryption status. These benefits, in addition to the obvious gain of providing a hardware-based encryption solution, make this new solution very compelling for Intel and Intel IT.

This was a unique project because it didn’t just implement one of the obvious and most common AMT usages. In fact, using SOL for most of the activity might be considered antiquated by some, but we decided to use SOL as it allowed us to support all generations of vPro clients and not just the newer KVM models.

 

AMT is a powerful technology. It can be used for many purposes and through many methods. When you look at enabling AMT in your organization, don't just look to implement the obvious; try to think of other possibilities it could provide you as well. If you are already using AMT, I encourage you to consider how else you can benefit from it. As in many other IT domains, the key to getting the added value is to think outside the box.