WHITE PAPER: INTEL AND PHOENIX TECHNOLOGIES

Keep Data Secure with Intelligent Client-Side Protection for Lost or Stolen Laptops

Phoenix Technologies Ltd. [1] and Intel Corporation have collaborated to deliver a robust solution for protecting laptops and their sensitive data through integrated hardware and software technologies. FailSafe from Phoenix allows businesses and consumers to take advantage of Intel Anti-Theft Technology (Intel AT), [2] which is available in system hardware. Through FailSafe, an authorized administrator or enterprise security officer can define hardware-based policies, including a poison pill (also known as a disable command) that remotely or locally commands the laptop to take specific actions intended to protect the laptop and the data, identify whether the intended user has the asset, and identify the asset's location. The next time the laptop checks with the FailSafe server over the Internet, it will block the boot process and lock the laptop, rendering the system unusable and the data safe. Since the FailSafe agent checks in every three minutes when connected to the network, the window of vulnerability for data breaches is reduced from hours, even days, to mere minutes.

Additionally, FailSafe with Intel AT capabilities is a hardened solution. Key components of the solution remain in place even if the OS is inoperable, the laptop's BIOS is reflashed, or the hard drive is reformatted or replaced. Finally, if the system is recovered, reactivation is simple and rapid. Since the poison pill is not destructive, the administrator simply enters the passphrase to restore the system to normal operation. With FailSafe and Intel AT, administrators now have a more reliable, hardware-based approach to protecting assets and minimizing risk from lost or stolen laptops.

Table of Contents

- Executive Summary
- Intelligent PC-disable protects resources on lost or stolen laptops
- Data security on laptops remains a critical challenge
- Massive exposure of corporate data
- The real cost of a lost laptop is high
- Always-on protection for data on lost or stolen laptops
- Proactive full-spectrum assurance against threats
- Easy-to-use interface for administrators
- Hardware-based security: easy to enroll and protect laptops
- Tamper-resistant technology
- Faster lock-down and quick recovery
- Two options to protect data: Data delete or PC lock-down
- Reducing the window of vulnerability
- PC-disable is rapid and allows quick, full reactivation
- FailSafe enables better self-reliance
- Use case: Stolen laptop
- Timer expiry allows for intelligent local response
- Use case: Undetected theft, but missed check-in results in system lock-down
- Use case: End-of-life disable
- Easy reactivation and full system restore
- Rapid reactivation mitigates the traditional burden of false positives
- Easy deployment
- Protect data more effectively and minimize risk
- Learn more

Executive Summary

Businesses and consumers are increasingly at risk for data breach and intellectual property loss. Financial and legal exposure causes additional problems and disruptions to business. Phoenix Technologies, one of the world's largest BIOS vendors, has collaborated closely with Intel to deliver a robust, intelligent, client-side solution to protect the laptop and sensitive data even after a laptop PC is lost or stolen. [1]

Phoenix's implementation of FailSafe with Intel Anti-Theft Technology (Intel AT) [2] is inherently more secure than traditional solutions in that it leverages the hardened Intel technology that is designed into system hardware and firmware. FailSafe is built on top of Phoenix's long history of leadership in BIOS security. The FailSafe implementation of Intel AT now provides businesses and consumers with the ability to lock assets in a rapid, non-destructive manner.

Enabled by Intel AT, FailSafe allows an administrator to remotely or locally and automatically lock down a lost or stolen laptop within seconds of its check-in with the central server, or after a local timer (defined by the administrator) expires. Reactivation is easy: the lock-down is not a destructive process. The administrator simply enters the laptop's passphrase to allow the system to complete its boot process and return to normal operation.

FailSafe and Intel AT deliver a security solution that works regardless of the state of the OS, even if the BIOS is reflashed, and even if the hard drive is reformatted or replaced. Because local Intel AT timers are designed into the laptop's chipset, administrators also have hardened, always-on tamper-resistant protection for sensitive data, even if the laptop is disconnected from the network. The result is better protection for data, and greater assurance that security solutions remain in place even for lost or stolen systems.

Intelligent PC-disable protects resources on lost or stolen laptops

Phoenix and Intel deliver a hardened, always-on intelligent, client-side solution to protect assets and sensitive data.

Data security on laptops remains a critical challenge

One of the greatest risks to businesses and consumers is a data breach and the exposure of data on a lost or stolen laptop. According to a recent Ponemon Institute study, 72% of employees are allowed to store sensitive and confidential information on their laptops in order to perform their jobs. [3] The ability to secure data on such systems even after the laptop is lost or stolen is key to improving enterprise data security and ensuring compliance with security standards.

Massive exposure of corporate data

Businesses are at risk today because their sensitive and confidential data is at risk. Most of the threat is not to financial data, but to intellectual property and other confidential corporate information, as well as to consumer information. As thieves grow more sophisticated, businesses find themselves dealing with an increasing number of threats and increasingly sophisticated attacks on that data. Recent studies have shown that:

- A laptop is stolen every 53 seconds. [4]
- More than 12,000 laptops disappear each week from U.S. airports. [4]
- In 2007, 81% of U.S. firms lost laptops with sensitive data. [4]
- Laptop theft doubles every year. [4]

The real cost of a lost laptop is high

When software-based solutions fail, the real cost of a lost or stolen laptop to business is high. Ponemon Institute studies show that the average cost of a lost or stolen laptop is $49,000 per laptop based on multiple factors such as intellectual property loss and data breach, especially when a business must notify clients or the public of the breach. [3] Although most reported losses are under $200,000, costs can be as high as $975,000, almost $1 million. [3] The highest losses relate to data breach (80% of cost of loss) and intellectual property loss (17% of cost of loss). [3]

These costly losses have resulted in three main business drivers for deploying anti-theft solutions on laptops:

- Avoiding requirements for notifying agencies and clients of data breaches (67%) [3]
- Improving the organization's security environment for corporate data (58%) [3]
- Ensuring compliance with data security standards, such as the Payment Card Industry (PCI) standard (42%) [3]

Always-on protection for data on lost or stolen laptops

Phoenix and Intel have been working closely to deliver a new, intelligent, client-side solution to secure data and assets: FailSafe with Intel AT, a robust tool to protect, track, and manage laptops. This solution delivers hardware-based local and remote protection of data and assets even for laptops that are lost or stolen.

Enabled by Intel AT, FailSafe lets administrators lock down the laptop at the level of the Intel Management Engine (Intel ME) [5] with either a remote poison pill or with local policies that will automatically shut down the laptop when certain predefined conditions are met. This thwarts thieves by preventing the system from booting even if the hard drive is reformatted or replaced. Administrators can then rapidly reactivate the system when it is recovered.

Administrators now have a powerful, policy-based tool to:

- Flag systems that are missing or might be lost or stolen.
- Send a data-destruct command to erase sensitive data files.
- Disable a laptop that does not check in within a defined period of time.
- Send a poison pill to lock down the laptop and prevent an OS from booting.
- Unlock a laptop once security is reestablished.

Table 1. Advantages of client-side intelligence in theft management

FailSafe with Intel AT:
- Hardware/BIOS/software-based
- Local and remote PC disable
- Works with and without network connectivity
- PC disable (via timer expiry) remains active even if OS is missing or reinstalled, hard drive is reimaged or replaced, or BIOS is reflashed

Benefits of FailSafe with Intel AT:
- Tamper-resistant hardware-based capabilities
- Allows a rapid response to loss or theft, even without a network connection
- Addresses compliance via flexible administrator-defined policies
- Reduces corporate and consumer risk

Proactive full-spectrum assurance against threats

FailSafe with Intel AT uses administrator-based policies to determine the best software- or hardware-based mechanism(s) to disable sensitive information on a lost or stolen laptop via:

- Intel AT, a hardened solution which allows administrators to disable the laptop via the Intel ME in the chipset.
- FailSafe agent, which allows administrators to remotely retrieve and erase sensitive data from the hard drive of the missing computer.

Easy-to-use interface for administrators

FailSafe is easy to use. As a hosted solution, FailSafe offers a simple web client for administrators to remotely interact, track, monitor, set policies, and issue commands to laptops. FailSafe is optimized for Internet Explorer,* and supports a variety of operating systems, including Microsoft Windows Vista* 64, Windows Vista* 32, Microsoft Windows XP* 32-bit, and Microsoft Windows 7* 32-bit and 64-bit.

Hardware-based security: easy to enroll and protect laptops

To use FailSafe, administrators simply enroll the laptops with the FailSafe server. In normal mode, FailSafe sends a periodic signal (a rendezvous) to the FailSafe server every few minutes. When a rendezvous is missed, the system can be flagged as lost or stolen. The administrator can then remotely erase specific files, and/or send a poison pill to the laptop through the FailSafe console. Because timers are local and designed into the chipset, a local time-out can also trigger a lock-down based on administrator-defined policies.

Tamper-resistant technology

Phoenix is especially pleased to take advantage of Intel AT features because the capabilities are designed into a low level of the hardware stack. The lower in the stack such protection can be designed, the more secure it is. Because Intel AT is designed into the laptop's chipset, the new FailSafe anti-theft capabilities are more protected from tampering (see Figure 1).

The Intel AT capabilities, which lie below the OS level, can remain in place even if the OS is inoperable, the BIOS is reflashed, or the hard drive is reformatted or replaced. Intel AT also works regardless of boot device: hard drive, USB key, CD, DVD, or other boot device. In addition, because local timer expiry is designed into the chipset, this client-side intelligence can disable the laptop even if the PC is not connected to the network, then continues to block the boot process.

Figure 1. FailSafe architecture, as enabled by Intel Anti-Theft Technology. The host embedded controller interface (HECI) allows the host OS or BIOS to communicate directly with the Intel Management Engine (Intel ME) integrated into the chipset.

[Diagram: "FailSafe Architecture with Intel AT". Labeled components: FailSafe Client Applications; Intel AT Client Module; FailSafe Client; FailSafe BIOS Communication; FailSafe Communication Module; Internet; Hosted FailSafe Solution; FailSafe Server Application (maintains administrator-defined policies); Database; Intel AT-enabled FailSafe Server Module; Intel AT BIOS Module; FailSafe BIOS Module; Intel Management Engine (firmware in chipset); HECI; Hardware (CPU, GPU, disk, and HDD-locking FDE if available); Intel AT Authentication Server (validates license, stores keys).]

Faster lock-down and quick recovery

FailSafe provides administrators with a fast, easy way to track laptops and erase sensitive data from systems that are lost or stolen.
Enabled by Intel AT, FailSafe also delivers a fast, intelligent, client-side ability to lock down the laptop and prevent any OS from booting: hard drive, USB key, CD, DVD, or other boot devices.

- Timer expiry works even if theft/loss is not reported, and even if the laptop cannot communicate with the FailSafe server. For example, timer expiry works even if central server communication is disabled via port blocking, or the agent is prevented from running.
- Poison pill delivers a rapid PC disable.
- Reactivation is easy and fast via a strong passphrase.

Two options to protect data: Data delete or PC lock-down

Enabled by Intel AT, FailSafe gives two options to manage a system that is reported lost or stolen (see Figure 2). IT can remotely delete critical files on the machine or send a poison pill to the laptop to disable the PC and turn it into a brick (an unusable weight). The laptop can also lock itself down if it misses a check-in after its timer expires. Administrators can now respond quickly in the face of a threat, or allow the always-on capabilities to lock down the laptop in suspicious circumstances. Because the lock-down is not destructive, administrators can also rapidly re-enable the laptop by entering the system's passphrase. Businesses and consumers can now be more assured that security is always in place, and that reactivation can be fast and easy.

Figure 2. Administrators can simply flag a system for a poison pill. FailSafe with Intel Anti-Theft Technology makes it easy to lock down the laptop, erase files, and restore files from a backup.

Reducing the window of vulnerability

The FailSafe solution can reduce a business's or consumer's window of vulnerability from hours, sometimes even days, to mere minutes. With FailSafe, the Intel AT rendezvous timer is set to check in with the server every three minutes when connected to the network. Once a system is flagged as missing or stolen, the FailSafe response is initiated as soon as the system next checks in. This allows for an extremely rapid response, with the poison pill initiated upon check-in.

PC-disable is rapid and allows quick, full reactivation

According to the Ponemon Institute, the most important anti-theft capability for IT and business is a poison pill that prevents access to the platform or its data. [3] The second most important capability: automatic recovery of information that does not require a system rebuild. [3] Enabled by Intel AT, FailSafe delivers both capabilities for administrative personnel.

Administrators can now remotely and rapidly lock down a laptop as soon as the system connects to the Internet and checks in with the central server. If that system's theft flag has been set in the server database, FailSafe delivers the poison pill when the laptop checks in. The laptop then disables itself and prevents the OS from rebooting. Even if the BIOS is reflashed or the hard drive is reformatted or replaced, the laptop will not boot. Only the reactivation screen is available.
This solution lets administrators remotely turn a lost or stolen system into a brick that is useless to a thief.

Administrators also have the option to lock down with a custom message or a sound alarm. Custom message disable allows for the sending of a custom text message that will be displayed on the lock screen. Sound alarm disable locks the computer and provides an audible alarm noise and message on the screen of the computer.

FailSafe enables better self-reliance

One of the key differentiators of FailSafe with Intel AT is that administrators do not have to rely on a third party to track down a laptop in order to secure its data. Administrators simply flag the system in the FailSafe console, and send a poison pill upon its next check-in. Administrators can now manage their own network, secure systems, and erase sensitive data even on lost or stolen assets, without relying on outside agencies.

Use case: Stolen laptop

In this case, Sue, a design engineer, has traveled to an important design collaboration meeting with a partner company's research division. At the airport, Sue's bag is stolen while she goes through bag-check. Sue immediately calls the administrator, who flags the laptop in the FailSafe console to put the system in theft mode and specify sensitive files that should be erased.

As is typical, the airport-based thief does not wait long to power up the laptop and connect to the Internet. The thief wants to find out if the system is working and what kind of data is on it. However, protected by FailSafe with Intel AT, as soon as the laptop connects to the network, it checks in with the central FailSafe console. The laptop then receives the poison pill set in the server by IT, along with instructions to erase sensitive data. Triggered by the poison pill, the laptop erases sensitive files, and disables itself to prevent a reboot and thwart access to its data.

To the thief, the rendezvous (check-in) process with the central server is invisible. All the thief sees is that the laptop has become inoperable and won't load the OS. Even if the thief tries to replace the hard drive, the poison pill remains in effect, blocking the boot process.

Advanced Features for Tracking a Lost or Stolen Laptop

Along with integrating the critical Intel PC-disable feature into FailSafe, Phoenix has incorporated mapping solutions to provide advanced features for tracking a lost or stolen laptop. With FailSafe, information about the laptop's location is collected using Internet Protocol (IP) trace data, Global Positioning System (GPS) coordinates, Wi-Fi triangulation, and image capture (through the laptop's webcam hardware). When the laptop is connected to the Internet, location information is uploaded to the FailSafe server and presented to the administrator as satellite or aerial images via interactive maps.

- IP Trace uses the external IP of the Internet service provider's router closest to the network, as well as public and local IP addresses and ISP names.
- The FailSafe GPS module acquires satellite-generated GPS coordinates from the PC chipset.
- Wi-Fi support collects information on wireless networks (detectable on the client side) such as network name, universal unique identifier (UUID), signal strength, and whether the network is secured (i.e., WEP enabled).
- Webcam can capture, encrypt, and send the user's photo for legal action if necessary.

Timer expiry allows for intelligent local response

Intel AT timers, which are designed into system hardware, establish rendezvous requirements. A rendezvous is an authorized check-in, via the Internet, with the FailSafe Command Center. This check-in must occur within the administrator-defined time period. For example, a company accountant might be required to connect to the Internet daily, to ensure their laptop can check in with the FailSafe server and upload its asset and location information. Or a marketing consultant who works four days on and three days off each week might be required to connect to the Internet every four days, allowing the system to recognize a nonstandard work schedule.

The rendezvous helps FailSafe determine whether or not the laptop is safe and under control of the intended user. Based on administrative policy, the FailSafe agent uses the check-in information to trigger a local response if necessary, such as locking down the system if the local timer expires. This is not a remote, reactive approach, but a proactive, always-on solution that helps protect a laptop's data at all times.

Use case: Undetected theft, but missed check-in results in local system lock-down

In this type of case, a sales engineer (Jack) leaves his laptop in his car at home while taking his family on vacation. While he's gone, his laptop is stolen from the car.
The thief does not immediately power up the laptop, but takes it to a safe, temporary place. Since Jack will be gone for a week, the theft is not immediately noticed.
However, because Jack works with high-profile clients, administrative policy is that the laptop must check in with the central server each day. When the laptop was stolen, the daily check-in was missed. As defined by administrative policy, the next time the laptop powers up, it enters Theft mode. The FailSafe agent then uses Intel AT to lock down the laptop. The laptop disables itself and blocks boot processes from all boot devices (hard drive, CD, DVD, USB key, and so on). Even if the thief tries to power up the system later, the OS will not boot, so access to the system and use of the laptop is denied.

Use case: End-of-life disable

Traditionally, as laptops are refreshed, administrators must manually access the system to erase sensitive data and disable the PC to prevent access to residual files. FailSafe with Intel AT helps administrators manage end-of-life processes more easily and remotely. Administrators can use FailSafe to send a poison pill to the laptop being discarded to erase sensitive data and lock down the computer. Only an authorized administrator can then unlock the system for reconfiguration or some other authorized use.

Addressing consumer needs

FailSafe with Intel Anti-Theft Technology (Intel AT) is also available to consumers, giving access to the same proactive and instant-on protection that corporations use. For example, if a high-school or college student loses their laptop or the system is stolen, they can use the FailSafe console to have the PC locked down the next time it accesses the Internet. Since a thief can no longer boot the system after a lock-down, the laptop could be recovered more easily if it is discarded by the thief. The service provider can then unlock the system so the student can return to work. The combination of FailSafe and Intel AT provides consumers with enterprise-level protection, and service providers with the opportunity to offer new services and improve revenue streams.

In the future...

FailSafe with Intel AT for Ericsson 3G*-enabled Laptops

Administrators can soon use FailSafe and Intel AT to send a poison pill through short messaging service (SMS), securing lost or stolen laptops connected through an Ericsson 3G modem virtually instantly. In addition, administrators can also send the reactivation code via SMS to rapidly unlock the laptop and return it to normal use.

FailSafe with Intel AT for desktop PCs

Phoenix is expected to add FailSafe for desktop PCs to its current support for laptops in the coming year. The intelligent, client-side protection solution is expected to be particularly useful to respond to theft and manage end-of-life security.
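
The poison-pill, timer-expiry and passphrase-reactivation behaviour described in the use cases above can be modelled as a small state machine. The following is an added illustration, not Phoenix or Intel code; the class and function names, the PBKDF2 passphrase check and the sample values are all assumptions made for the model.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DAY = 24 * 3600  # seconds


class ServerModel:
    """Hypothetical stand-in for the hosted server: holds per-laptop theft flags."""

    def __init__(self):
        self.theft_flags = set()

    def flag_stolen(self, laptop_id):
        self.theft_flags.add(laptop_id)

    def rendezvous(self, laptop_id):
        # A flagged laptop is handed the poison pill at its next check-in.
        return "POISON_PILL" if laptop_id in self.theft_flags else "OK"


@dataclass
class LaptopModel:
    laptop_id: str
    rendezvous_deadline: int             # administrator-defined policy, seconds
    passphrase: str = field(default="", repr=False)
    last_rendezvous: int = 0
    locked: bool = False
    lock_reason: str = ""

    def __post_init__(self):
        # Model assumption: keep only a salted hash of the reactivation passphrase.
        self._salt = os.urandom(16)
        self._digest = self._kdf(self.passphrase)
        self.passphrase = ""

    def _kdf(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 100_000)

    def power_on(self, now):
        """Boot-time check, made before any OS or boot device is considered."""
        if not self.locked and now - self.last_rendezvous > self.rendezvous_deadline:
            self.locked, self.lock_reason = True, "timer_expiry"
        return "REACTIVATION_SCREEN" if self.locked else "BOOT_OS"

    def check_in(self, server, now):
        """Online rendezvous: resets the local timer or delivers the poison pill."""
        if self.locked:
            return "LOCKED"
        if server.rendezvous(self.laptop_id) == "POISON_PILL":
            self.locked, self.lock_reason = True, "poison_pill"
            return "LOCKED"
        self.last_rendezvous = now
        return "OK"

    def reactivate(self, passphrase, now):
        """Non-destructive unlock: the right passphrase clears the lock and resets the timer."""
        if hmac.compare_digest(self._kdf(passphrase), self._digest):
            self.locked, self.lock_reason, self.last_rendezvous = False, "", now
            return True
        return False


def stolen_and_reported():
    """Reported theft: the pill arrives at the first check-in after the flag is set."""
    server = ServerModel()
    laptop = LaptopModel("sue-laptop", DAY, "constructed-passphrase")
    laptop.check_in(server, now=0)
    server.flag_stolen("sue-laptop")
    first_boot = laptop.power_on(now=3600)            # timer not yet expired
    result = laptop.check_in(server, now=3600 + 180)  # three-minute rendezvous
    return first_boot, result, laptop.lock_reason, laptop.power_on(now=3600 + 200)


def undetected_theft():
    """Unreported theft: the missed daily check-in locks the laptop at next power-up."""
    server = ServerModel()
    laptop = LaptopModel("jack-laptop", DAY, "constructed-passphrase")
    laptop.check_in(server, now=0)
    boot = laptop.power_on(now=3 * DAY)               # never flagged, never online
    reason = laptop.lock_reason
    wrong = laptop.reactivate("guess", now=3 * DAY)
    right = laptop.reactivate("constructed-passphrase", now=3 * DAY + 60)
    return boot, reason, wrong, right, laptop.power_on(now=3 * DAY + 120)


if __name__ == "__main__":
    print(stolen_and_reported())
    print(undetected_theft())
```

In the reported-theft scenario the OS still boots until the first rendezvous, so the check-in interval bounds the exposure window when the laptop is online; the local timer covers the case where it never comes online.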

Easy reactivation and full system restore

With FailSafe and Intel AT, reactivation is easy. The administrator simply enters the strong passphrase in the system's reactivation screen, the only screen available after a lock-down. This resets the local timer and allows the system to boot to its normal working state. FailSafe delivers a rapid, simple way to restore a laptop without compromising corporate data or the system's other security features.

Rapid reactivation mitigates the traditional burden of false positives

One of the traditional costs of security management is a false positive. Not all laptops that seem to be missing are actually lost or stolen. For example, a missing system might simply be with a coworker or left at home while a corporate officer goes on vacation.

FailSafe has traditionally allowed administrators to remotely manage missing laptops by erasing critical files when the laptop checks in with the central server. This helps secure sensitive data and prevent data breaches. When the laptop is recovered, FailSafe can retrieve important files from the FailSafe Data Center and restore them to the system. However, recovering files or rebuilding a system after a destructive data wipe can be time-consuming.

Enabled by Intel AT, FailSafe allows IT to lock down a potentially missing system without a destructive data wipe. When a laptop is located, the administrator simply enters the laptop's strong passphrase to reactivate the system. This lets administrators rapidly secure systems that might be missing, yet still reactivate and recover quickly and fully when the laptop is actually located.

Easy deployment

FailSafe with Intel AT makes it easy to deploy the advanced, robust security capabilities of poison pill and timer expiry. The FailSafe client agent can be deployed like a typical patch or other software update, via existing deployment processes. Also, administrators do not need to purchase additional software for the FailSafe and Intel AT solution.
The capabilities are enabled or ready as a preconfigured feature of select models of laptops.

Intel Anti-Theft Technology (Intel AT): Independent of Trusted Platform Module (TPM) and Intel Active Management Technology (Intel AMT)

- Intel AT works independently of a TPM. You do not need TPM in order to take advantage of the Intel AT capabilities in FailSafe.
- Intel AT works independently of Intel AMT. You do not need to provision Intel AMT in order to enable or use Intel AT.

Protect data more effectively and minimize risk

FailSafe and Intel AT deliver intelligent, client-side protection for laptops and sensitive data. With FailSafe, administrators can define policies that remotely or locally and automatically lock down a laptop, even if the system is disconnected from the network, and regardless of the state of the OS, hard drive, or boot device. Because the poison-pill lock-down is not destructive, administrators can secure the laptop without destroying it and recover more easily.

Enabled by Intel AT, FailSafe can also reduce the window of vulnerability for data breaches from hours and days to mere minutes. Most importantly, this level of rapid, intelligent protection remains enabled even if a loss or theft is not immediately realized. Corporations and consumers can now reduce costly financial, personal, and legal liabilities, reduce data breaches and intellectual property loss, and minimize business risks.

Learn more

To learn more about Intel Anti-Theft Technology, visit: www.intel.com/technology/anti-theft

For more information about Phoenix products that support Intel AT and lists of laptops that are ready for FailSafe and Intel AT, visit: www.failsafe.com

[1] All information about Phoenix Technologies was provided by Phoenix.

[2] No computer system can provide absolute security under all conditions. Intel Anti-Theft Technology (Intel AT) for PC protection (also referred to as the poison pill in some documents) requires the computer system to have an Intel AT-enabled chipset, BIOS, firmware release, software and an Intel AT-capable Service Provider/ISV application and service subscription. Intel AT (PC Protection) performs the encrypted data access disable by preventing access to or deleting cryptographic material (e.g., encryption keys) required to access previously encrypted data. ISV-provided Intel-AT-capable encryption software may store this cryptographic material in the PC's chipset. In order to restore access to data when the system is recovered, this cryptographic material must be escrowed/backed up in advance in a separate device or server provided by the security ISV/service provider. The detection (triggers), response (actions), and recovery mechanisms only work after the Intel AT functionality has been activated and configured. The activation process requires an enrollment procedure in order to obtain a license from an authorized security vendor/service provider for each PC or batch of PCs. Activation also requires setup and configuration by the purchaser or service provider and may require scripting with the console. Certain functionality may not be offered by some ISVs or service providers. Certain functionality may not be available in all countries. Intel assumes no liability for lost or stolen data and/or systems or any other damages resulting thereof.

[3] Source: The Cost of a Lost Laptop, The Ponemon Institute, LLC. April 2009.

[4] Source: A Chronology of Data Breaches and National Hi-Tech Crime Unit, Privacy Rights Clearinghouse, 2008.

[5] The Intel Management Engine (Intel ME) is built into PCs with Intel Active Management Technology.
Intel AMT requires the computer system to have an Intel AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. Setup requires configuration by the purchaser and may require scripting with the management console or further integration into existing security frameworks to enable certain functionality. It may also require modifications of implementation of new business processes. With regard to laptops, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. For more information, see www.intel.com/technology/platform-technology/intel-amt/.

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

Copyright 2009 Intel Corporation. All rights reserved. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries.

Copyright 2009. Phoenix Technologies, FailSafe, and the FailSafe logo are trademarks or registered trademarks of Phoenix Technologies, Ltd. in the U.S. and other countries.

*Other names and brands may be claimed as the property of others.

1009/RM/OCG/XX/PDF Order Number: 322785-001US