The advantages of using encryption to protect data are well known. Typically, all full disk encryption solutions require users to authenticate in a pre-boot environment (PBA, Pre-Boot Authentication). After successful authentication, the encryption keys are unlocked and the disk contents can be decrypted. The machine then goes on to boot the OS and requires users to authenticate in Windows* by providing login/password credentials.
In our fast-paced lives, we all hate the inconvenience of first entering the encryption credentials in PBA and then the Windows credentials at the Windows login screen. Few may realize that while it’s inconvenient to enter credentials in PBA, it’s an important step in ensuring the security of the data on a laptop. When a laptop is starting up (from the shutdown state) or resuming from the hibernation state (in hibernation, the memory contents are dumped to a hibernation file on the disk), the user is asked to authenticate in PBA. If the laptop is resuming from the sleep state (also known as the S3 state), the user doesn’t have to go through the authentication step in PBA. In the S3 state, the memory of the laptop is still powered. The OS, applications and data, including the encryption keys, are loaded in memory. That’s where the vulnerability creeps in.
In a typical usage scenario, a user just closes the lid of the laptop after work, lets the laptop go to the sleep state, and opens the lid to resume quickly when they need to work again. It sounds convenient, but is the data secure while the laptop is in the sleep state? As I mentioned above, the memory is still active in the sleep state and the encryption keys are in memory. If a laptop is stolen while in the sleep state, the data on the laptop is susceptible to breach.
Intel® Anti-Theft Technology (Intel® AT) addresses this vulnerability and allows an IT administrator to strike a balance between convenience and security. Intel AT includes a hardware-based S3 timer which kicks in as a laptop enters the S3 state and transitions the laptop to the hibernation state when the timer expires. The timer value is defined by the IT administrator. It allows users to keep their laptop in the sleep state for a quick resume, say, when moving between meetings, but it secures the data when the laptop has been in the sleep state for a longer duration. Since the timer is implemented in hardware and its value is defined by the IT administrator, users won’t be able to sacrifice security for convenience.
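To make the exposure window concrete, here is an added model (not Intel or Softex code) of the policy described above: a laptop that enters S3 with keys resident in RAM, a hardware timer that forces S4 after an IT-defined number of minutes, and a PBA step that is only required when resuming from S4. The class, its method names and the timer values are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Power states as the post describes them: S0 running, S3 sleep (RAM powered,
# keys resident), S4 hibernate (RAM dumped to the hibernation file, RAM off).
S0, S3, S4 = "S0", "S3", "S4"


@dataclass
class Laptop:
    """Hypothetical model of a laptop with a hardware S3-to-S4 timer.

    s3_timeout_min is the IT-defined timer value; None models a platform
    that has no such timer and stays in S3 indefinitely.
    """
    s3_timeout_min: Optional[int]
    state: str = S0
    keys_in_memory: bool = True          # unlocked in PBA at boot
    minutes_in_s3: int = 0
    pba_required: bool = False
    log: list = field(default_factory=list)

    def close_lid(self) -> None:
        self.state, self.minutes_in_s3 = S3, 0
        self.log.append("S0->S3: keys stay in RAM")

    def tick(self, minutes: int) -> None:
        """Advance the clock; the timer only counts while in S3."""
        if self.state != S3:
            return
        self.minutes_in_s3 += minutes
        if self.s3_timeout_min is not None and self.minutes_in_s3 >= self.s3_timeout_min:
            # RAM contents go to the hibernation file and RAM is powered off,
            # so the keys are no longer resident; next resume must pass PBA.
            self.state, self.keys_in_memory, self.pba_required = S4, False, True
            self.log.append(f"S3->S4: timer expired after {self.minutes_in_s3} min")

    def open_lid(self, pba_passphrase_ok: bool = False) -> bool:
        """Resume; returns True if the user reaches the OS login screen."""
        if self.state == S3:                 # quick resume, no PBA
            self.state = S0
            return True
        if not pba_passphrase_ok:            # S4 resume goes through PBA first
            return False
        self.state, self.keys_in_memory, self.pba_required = S0, True, False
        return True

    def keys_resident(self) -> bool:
        """Are the encryption keys in powered RAM right now (the risk window)?"""
        return self.state in (S0, S3) and self.keys_in_memory
```

Running the three scenarios (short nap under the timer, long sleep past the timer, no timer at all) shows that only the timer-equipped laptop leaves the risk window on its own.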
SecureDisable* is an Intel AT solution offered by Softex Inc. SecureDisable offers the asset and data protection features of Intel AT and also provides other capabilities: seamless plug-ins to existing enterprise IT consoles (Microsoft SCCM* and BMC Remedy*) for easier deployment and management, and a flexible service delivery model that allows enterprises to host the solution themselves, service providers (ITOs/MSPs) to host it either as a standalone service or as part of a security service portfolio, or the service to be hosted in the cloud.
SecureDisable release 2.5 is now available and contains the following new features:
- Support for 3rd Generation Intel® Core™ and Intel Core™ vPro™ Processors
- Closes the data encryption vulnerability in the S3 state. If Windows* login is not completed before the S3 timer expires, the laptop will gracefully enter the S4 (hibernate) state. When resuming from S4, users will be asked to provide the encryption passphrase credential in PBA.
- Enhanced multi-tenancy support for ITO-hosted anti-theft service. A new help-desk user class has been created that can be attached to multiple hosted organizations and thus gain administrative rights over them.
- License management features: the ability to allocate licenses on a per-organization level, and license tracking.
- Various UI and usability changes in the administrative web pages.