In my last blog, New 4th Generation Intel® Processors Ring Up Big Retail Advantages, I looked at ways that the latest generation of Intel® Core™ processors (formerly codenamed “Haswell”) could enhance customer-engagement capabilities and mobile solutions for point-of-sale (POS) systems. In this blog, I want to look into the security and manageability enhancements that 4th generation Intel® Core™ processors bring to retail transactional technology, focusing on their advantages in:
- Protecting personal and transactional data
- Reducing IT costs
- Improving remote device uptime
I’m also going to look at how products from McAfee, a wholly owned subsidiary of Intel, take advantage of these enhancements to help developers incorporate game-changing security in their products. It’s important for me to point out that the new and enhanced platform technologies I describe here complement specific components of Intel® vPro™ technology and thus it must be activated.
Protecting Personal and Transactional Data
The sharing of high-value retail data used to perform financial transactions between in-store systems and a retailer’s data center is spawning sophisticated data and identify thefts. Attackers are using firmware to gain access to a device’s operating system and applications, in addition to creating viruses and malware that can disable a retail system or provide thieves with access to sensitive data.
The 4th generation Intel Core processors’ security capabilities address the full range of threats in retail devices—malware, content graffiti, identify theft, system compromise or theft, and data theft—with four hardware-based security technologies:
Intel Platform Protection Technology with BIOS Guard provides authentication and protection against BIOS recovery attacks. Since a device’s BIOS is contained in a privileged space invisible to anti-virus software, this is critical protection. In addition, malware infecting a BIOS remains persistent, even after a cold boot. With BIOS Guard, BIOS updates are cryptographically verified to ensure malware stays out of the BIOS.
Intel Platform Protection Technology with Intel® Platform Trust and Boot Guard are designed to work with Microsoft Windows. Available on the forthcoming U-Series processors, Intel Platform Trust supports Windows 8 secure and measured boot and supports all the Microsoft mandatory commands for Trusted Platform Module (TPM) 2.0. Boot Guard technology works in conjunction with it to reduce the complexity of the Windows 8 boot process and protect again boot block-level malware, providing an added level of hardware-based platform security to prevent repurposing the platform to run unauthorized software—such as keylogging applications.
Intel® Data Protection Technology with Intel AES-NI enables rapid and secure data encryption and decryption. Encryption is a PCI DSS compliance requirement for protecting data in transit across public networks. Equally important, encryption of the hard drive protects data in the event of device theft .
Intel® Identity Protection Technology (Intel® IPT) with NFC is a great addition for retailers making the move to enabling “Tap-and-Pay” sales through digital wallets via NFC-enabled smartphones or smartcards. A suite of four technologies—One Time Password, Protected Transaction Display, Embedded PKI, and NFC, Intel IPT introduces a “Tap and Interact” use case that enables secure interaction with interactive devices. An integrated chipset-based security feature, Intel IPT provides extra security by isolating the data received by NFC from the operating system. By not letting the OS “know” transaction data used in a transaction, Intel IPT prevents many forms of potential malware from gaining access to a customer’s identity information.
Working with McAfee to Secure Endpoint Devices
Intel works closely with McAfee, a wholly owned subsidiary of Intel and globally recognized for its proactive and proven security solutions, to develop hardware-enhanced software security (see Figure 1). By deploying solutions like McAfee solutions with 4th generation Intel Core processors, retailers can achieve a greater degree of security than by depending on one or the other. For example, a new processor feature called Beacon Pass when used with McAfee® Deep Defender—a product designed to protect systems against “below the operating system” malware attacks, a much more difficult threat to detect and recover from. Beacon Pass provides a new instruction for streamlining the efficiency of memory read/write scanning activity so overall system performance is not degraded by this protection.
Another McAfee solution for securing endpoint devices is McAfee® Embedded Control. This software automatically creates a dynamic whitelist of the authorized code on the device. Once the whitelist is created and enabled, the system is locked down to the known good baseline. No program or code outside the authorized set can run, and no unauthorized changes can be made. When untrusted software attempts to execute, an alert is sent to McAfee® ePolicy Orchestrator (ePO), an enterprise security management software product, to prompt potential corrective action.
Figure 2. How McAfee® Embedded Control uses application whitelisting to protect devices.
Intel vPro technology-enabled solutions provide hardware-based mechanisms that work with McAfee solutions to help protect against software-based attacks, and protect the confidentiality and integrity of data. They do this by enabling an environment where applications can run within their own space, protected from all other software on the system. These capabilities, enhanced by hardware-assisted Intel® Virtualization Technology (Intel® VT), provide the protection to mechanisms, rooted in hardware, that are necessary to provide trust in the application’s execution environment. In turn, this can help to protect vital data and processes from being compromised by malicious software running on the platform.
Reducing IT Costs and Improving Remote Device Uptime
Using integrated platform capabilities and popular third-party management and security applications, Intel® Active Management Technology (Intel® AMT) is a much written about technology in the community that allows IT or managed service providers to better discover, repair, and protect their networked computing assets. For embedded developers, this means that devices can be diagnosed and repaired remotely, ultimately lowering IT support costs. Intel AMT is a feature of Intel® Core™ processors with Intel® vPro™ technology and workstation platforms based on select Intel® Xeon® processors.
The 4th generation Intel Core processors include the latest Intel® Active Management Technology (Intel® AMT) features. Of particular interest is Embedded Host-Based Configuration. This new capability enables more simplified retail device provisioning. Using Embedded Host Based Configuration, a retailer’s IT staff can easily remotely provision unattended retail devices. This eliminates the need and cost for an IT person or employee to be present at the device location.
Also new are graceful shutdown enhancements (see Figure 3). If an incident occurs where IT staff using Intel AMT’s remote administration functions encounters a hung operating system, they can analyze the problem, and then initiate a graceful shutdown, rebooting the device and restoring it to normal operation. This helps keep POS systems and other devices up and running more of the time.
Move into a New Era of POS Security and Manageability
Through the Intel® Intelligent Systems Alliance Solutions Directory, it’s easy to find a wide range of different types of boards and solutions for retail applications using 4th generation Intel Core processors. To learn more about how 4th generation Intel Core processors can help secure POS devices, I highly recommend the white paper Intel® Hardware-based Security Technologies for Intelligent Retail Devices.
Contact Featured Alliance member:
Solutions in this blog:
· McAfee Deep Defender
· Security - Top Picks (blogs, white papers, and more)
· Manageability - Top Picks (blogs, white papers, and more)
· Intel Intelligent Systems Framework - Top Picks (blogs, white papers, and more)
· Retail - Top Picks (blogs, white papers, and more)
McAfee is an Associate member of the Intel® Intelligent Systems Alliance.
Roving Reporter (Intel Contractor), Intel® Intelligent Systems Alliance
Associate Editor,Embedded Innovator magazine