Intel® vPro™ Technology
Storage Protection with Intel® Anti-Theft Technology - Data Protection (Intel® AT-d)
Intel® AT-d Support Services
Well maintained systems are subject to periodic updating and reconfiguration by manageability personnel. The Intel® Management Engine (Intel® ME) supports remote administration of Intel® AT-d by using an embedded network stack that includes TLS and the Kerberos authentication protocol, originally developed by the Massachusetts Institute of Technology (MIT).
Among the enterprise services needed to support DAR protection are these:
- Audit and compliance management.
- Key recovery management.
- User identity management.
- Platform configuration management.
The audit and compliance management service responds to audit log threshold events generated by the platform. The service archives client audit log files and resets the high water mark so that auditing can continue.
Before Intel AT-d encryption can begin, a copy of the DEK is stored in a key recovery service. Should the DEK on the drive become corrupted or lost, the key recovery service can restore it. Another copy of the DEK can be made by using a portable USB storage device. It allows data to be recovered when a key recovery service is not available.
There are many enterprise-class, user-identity management frameworks in use today. Common frameworks include Microsoft Active Directory, MIT-Kerberos, Public Key Infrastructure (PKI), Novell* Directory Services (NDS), and a variety of Web-based solutions. Intel AT-d maintains user account information for one local administrator and up to five users. The user accounts can be integrated with virtually any identity-management framework that supports the Intel AT-d programming interface. The WS-Man protocol is used to transport DHCI over a network to manageability consoles or gateway servers.
Manageability frameworks are used to perform a variety of management and administration duties remotely. Intel AT-d encryption introduces a dependency on management consoles that requires disks be unlocked before actions that involve access to storage media can be performed. Remote disk unlock is achieved by obtaining an unlock token from the key management service or other administrative service. The unlock token is used by the Intel ME to unwrap the DEK keys used to decrypt each drive. Following a drive unlock operation, the remote manageability processes can function normally.
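The unlock flow described above (an unlock token unwraps the DEK that decrypts a drive) and the key recovery escrow from the previous paragraph, as an added model in Python. This is not Intel code: the page does not specify the Intel ME's wrapping algorithm, so the example substitutes an HMAC-SHA256 encrypt-then-MAC construction built from the standard library, and the `KeyRecoveryService` class, the `drive_id` label and all key material are constructed for illustration.

```python
import hmac
import hashlib
import os

NONCE_LEN, TAG_LEN = 16, 32


def _derive_keys(unlock_token: bytes) -> tuple[bytes, bytes]:
    """Split the unlock token into independent encryption and MAC keys (constructed KDF)."""
    enc_key = hmac.new(unlock_token, b"at-d-wrap-enc", hashlib.sha256).digest()
    mac_key = hmac.new(unlock_token, b"at-d-wrap-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the ME's unspecified cipher."""
    out = bytearray()
    for counter in range(0, length, 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def wrap_dek(dek: bytes, unlock_token: bytes) -> bytes:
    """Wrap a DEK so only a holder of the unlock token can recover it: nonce || ct || tag."""
    enc_key, mac_key = _derive_keys(unlock_token)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_dek(blob: bytes, unlock_token: bytes) -> bytes:
    """Authenticate first, then decrypt; a wrong token or a tampered blob is rejected."""
    enc_key, mac_key = _derive_keys(unlock_token)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("drive unlock refused: wrapped DEK failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def can_unlock(blob: bytes, unlock_token: bytes) -> bool:
    """True when the token presented to the ME unwraps the stored DEK."""
    try:
        unwrap_dek(blob, unlock_token)
        return True
    except ValueError:
        return False


class KeyRecoveryService:
    """Escrow of DEK copies, modelling the page's key recovery service."""
    def __init__(self) -> None:
        self._escrow: dict[str, bytes] = {}

    def escrow(self, drive_id: str, dek: bytes) -> None:
        self._escrow[drive_id] = dek  # stored before encryption begins

    def restore(self, drive_id: str) -> bytes:
        return self._escrow[drive_id]  # used when the on-drive DEK is lost
```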
Remote access poses a challenge for computers in satellite offices or in remote locations outside a corporate firewall. The Intel ME can traverse a corporate firewall with remote presence server technology that establishes a TLS Virtual Private Network (VPN) between the Intel ME and corporate Intranets (see Figure 20).
The computer, enabled with Intel® vPro™ technology, contacts the Management Presence Server (MPS) by using pre-configured network domain information. TLS-VPN credentials, embedded in the client, support mutual authentication. Client-manageability traffic is forwarded to corporate Intranet servers over TCP/IP. Enterprises that support Kerberos Key Distribution Center (KDC) services can negotiate server tickets for the Intel ME, thereby allowing the management console to interact with computers containing Intel vPro technology, by using IT-managed privileges.
The MPS can proxy client credentials so that “Kerberized” services in the corporate network can be accessed with privileges appropriate for computers operating outside the corporate firewall.
The use of Kerberos tickets for service access is important, because authorization information can pass through the MPS. The auditing service can present domain credentials to the Intel ME, authorizing the administration of Intel AT-d audit logs, with the knowledge that other servers would be denied access by the Intel ME.

Figure 20: Intel® ME client-initiated remote access architecture
Occasional connection to DAR support services is necessary for enterprise-class operation of Intel AT-d. When not connected, however, operation continues normally by relying on the cached state maintained in the Intel ME data area of SPI flash memory. Cached values include the following:
- Audit logs
- User ACLs
- Remote access credentials
- Disk unlock token (optional)
As network connectivity options continue to improve, there are scenarios where connectivity cannot be achieved. In these scenarios, platform original equipment manufacturers (OEMs) can trade connectivity for cache size.
Consolidation of DAR services can reduce TCO by eliminating standalone or incompatible vendor-proprietary services (see Figure 21). Further cost reductions are achieved by eliminating overlapping functionality. For example, multiple user identities for the same person can be replaced by a single integrated identity management system.
