sales brief windows* 8 and intel® vpro™ technology...


SALES BRIEF

Windows* 8 and Intel® vPro™ Technology—Enterprise and Tablet Ready

A comparison of Windows 8 on Intel® Architecture (including touch) and iOS* on iPad*

The tablet form factor enables a critical use case in the enterprise, simplifying many task-based activities on an ultra-portable device with long battery life. But in the enterprise, an Information Technology (IT) department looks beyond usability. And, until recently, truly enterprise-class tablets didn’t exist. This leaves a large gap between capabilities offered by consumer-based tablets filling the niche, like the iPad*, and the security, manageability, and flexibility enterprise IT needs to manage and secure devices in its infrastructure.

Enterprise IT has specific needs and requirements. Over the years an ecosystem of software and BIOS developers, chip manufacturers, system builders, and operating system (OS) providers has evolved to meet them with a variety of Microsoft* Windows*-based enterprise-class solutions. Intel has been a leader in this evolution. In contrast, Apple’s iOS* is a newcomer to the enterprise, drawn in by the consumerization of IT, with limited enterprise security and management support for iOS-based devices.


With the consumerization of IT, new solution providers, including iOS-focused independent software vendors (ISVs), have emerged to help IT integrate mobile devices into the infrastructure. They help make the iPad a more manageable device and better meet IT’s needs. From the user perspective, first-generation consumer devices, like the iPad, enabled new ways to consume content, but lacked rich capabilities for content creation. With a new generation of tablets, like convertibles, based on Intel® Architecture, Intel® vPro™ technology, and the recently launched Windows* 8 operating system, users have more power in their hands to both consume and create, while IT managers now have many more choices specifically designed to meet their critical needs. These new Windows 8 devices illustrate the weaknesses of the iPad for the enterprise.

This document looks at some of the key differences between iOS/iPad and enterprise-class Windows 8 tablets running on Intel® Core™ vPro™ processors.


iPad and Windows 8 Security Capabilities

When it comes to approaches to security, Windows 8 on Intel vPro technology and Intel Core vPro processors differs considerably from iOS on iPad. iOS supports Apple’s consumer tablet and phone devices for specific use cases running only store-delivered applications. Using a single OS, Windows 8 spans traditional desktop/notebook platforms with its “desktop” mode and extends to enterprise and consumer convertibles and tablets in “touch” mode.

Windows 8 enables new secure, store-delivered touch applications on enterprise-class tablets, while maintaining traditional deployment and availability of desktop applications users already know and trust. In addition, Windows 8 on Intel Architecture (IA) maintains the flexibility and fine-grained manageability IT needs for devices in its infrastructure, regardless of form factor. IT can continue to leverage existing security and device management tools for Windows 8-based devices without being forced to adopt new, third-party technologies to support Mobile Device Management (MDM), as in the case of the iPad. New Windows 8 tablets on IA give IT the flexibility to fit devices into particular roles while maintaining a single security infrastructure.

Enterprise security technologies and practices are born out of years of discovered threats and attacks—sometimes painfully so—on business clients. Even while developers use stringent secure coding practices, hackers continue to discover vulnerabilities in client software. And they deliver their exploits in new and stealthy ways that are hard to detect and stop by software alone. Even iOS, with Apple’s strongly advertised secure application store and security technologies, has suffered successful malware attacks.¹ Hence, IT professionals have learned that hardware and software working together better defend against threats, protect identities, secure data, and enable fast, secure remediation compared to software alone. Intel’s long-term security enabling leadership is illustrated by continual integration of hardware-assisted security technologies into the latest generation of Intel vPro technology and Intel Core vPro processors. These hardware-assisted technologies, such as Intel® Identity Protection Technology (Intel® IPT) and Intel® Trusted Execution Technology (Intel® TXT), are not available on iOS-based devices.

Understanding these key differences, with the help of some color coding, can help you decipher iOS and Windows security as described in the following table.

Table columns: Enterprise Security Requirements | Windows* 8 on IA/Intel® vPro™ Technology | iOS* on iPad*

Table key: Same or nearly same / Moderate differences / Important differences

IT flexibility, wide choice of solutions

Windows* 8 on IA/Intel® vPro™ Technology:

Windows* 8 offers both a familiar desktop mode and convenient touch mode.

Desktop mode flexibility:

• McAfee and other security ISVs can access Intel® platform hardware-assisted security features through Windows 8 Application Programming Interfaces (APIs) to deliver advanced anti-malware and reputation-based filtering capabilities.

• Enterprise IT can configure security options to meet its individual needs.

• IT can readily implement standard consoles, security tools, and other security solutions they currently rely on.

Touch mode security:

• Applications are expected to follow closed-architecture type policies and restrictions.

A wide variety of tablet form factors and capabilities, from consumer to enterprise, are available to match solutions to user needs and IT requirements.

iOS* on iPad*:

iOS’ closed architecture and lack of desktop mode inhibits flexibility and choice.

• Apple prohibits any loading of applications not provided through their store.

• Apple can remotely remove any applications, including enterprise-loaded applications, potentially limiting available solutions.

To maintain IT security requirements and services while supporting iPad,* IT may have to adopt new, third-party solutions designed around iOS* and the iPad.

Resident background processes

Windows* 8 on IA/Intel® vPro™ Technology:

Many enterprise security solutions are designed to run continuously in the background. Some are required for regulatory compliance.

• IT can run proven, existing background processes in desktop mode to meet its requirements.

• In touch-mode devices, solutions will only be available from Microsoft’s store. Sandboxing may prevent background processes.

iOS* on iPad*:

iOS’ architecture prevents background processes from running and thereby limits some established enterprise security solutions. IT may have to adapt practices to iOS and potentially adopt new software to enforce current policies.

Supplementary enterprise security capabilities

Windows* 8 on IA/Intel® vPro™ Technology:

Windows 8 x86-based devices allow applications to install and execute in the familiar “desktop” mode. Windows and the Windows ecosystem provide capabilities that supplement built-in OS security functions to help prevent malware invasion. Such supplemental capabilities include:

• Discovery and neutralization of malware by software methods, such as security suites.

• Hardware countermeasures, such as Intel® TXT, Intel® Execute Disable Bit (Intel® XD), and McAfee Deep Defender.*

Such solutions can continuously run in the background in Windows 8 desktop mode.

iOS* on iPad*:

iOS is designed such that adding greater security controls is difficult, and, in some cases, impossible. iPads are protected against malware by enforcing permissions that are required to install and execute applications. Adding supplemental functions is not supported.

Applications run in an isolated sandbox without access to sensitive regions. However, a user “jailbreaking” the device can circumvent these protections, allowing side-loading of applications and potentially exposing the device to greater security risks, especially without access to supplemental security measures.

Enterprise-class identity protection

Windows* 8 on IA/Intel® vPro™ Technology:

IA-based form factors enable choice of identity protection solutions.

• Software-based certificates.

• Hardware-assisted Intel IPT, enabling hardware-level security with software simplicity.

• External hardware tokens.

• Other Windows-based solutions.

Intel IPT with Protected Transaction Display (PTD) helps ensure user presence for authenticating to the enterprise network.

iOS* on iPad*:

iOS offers less flexible enterprise authentication support with software-based Public Key Infrastructure (PKI) certificates and Bluetooth* card readers. iOS does not offer a PTD-like function.

Kerberos* support

Windows* 8 on IA/Intel® vPro™ Technology:

Windows 8 supports a very fine-grained set of policy definitions.

iOS* on iPad*:

iOS does not focus on Kerberos support.

Data protection and recovery

Windows* 8 on IA/Intel® vPro™ Technology:

Intel hardware-assisted security technologies give IT greater confidence over data security online or offline.

• IT can set a timer, enabling Intel® Anti-Theft Technology (Intel® AT) to “time out” and lock the device down if it hasn’t contacted a security server.

• IT can remotely lock down a device over a network by sending it a “poison pill.”

• Both methods help prevent data and key theft.

• The device remains locked down even if hard drive or BIOS ROM is replaced.

• IT can remotely restore client data and restore access to the user.

• S3 resume, an Intel vPro technology feature, allows IT to set a standby timer to shut down the device after some standby period. Upon wake-up, pre-configured security functions, such as login, are activated.

iOS* on iPad*:

iOS provides remote data wipe only when the device is connected to a network. Until the device connects to a network and receives the “poison pill,” it is vulnerable to attack. Once the user key is wiped the data is irretrievable.

A secure root and chain of trust

Windows* 8 on IA/Intel® vPro™ Technology:

Windows 8 and Intel® technologies enable multiple types of secure bootup, depending on the system’s configuration. The OEM or IT must include and enable these capabilities,² such as:

• UEFI 2.3.1.

• Signed BIOS/boot ROM.³

• Trusted Platform Module (TPM).

• Attested secure boot.

Windows 8 also enables application monitoring based on security policies to detect malware and protect against infection and attack.

iOS* on iPad*:

iPad boots through a secure process rooted in boot code with a root certificate embedded in the processor. Every following step during bootup can be traced back to the root certificate, making it a very secure chain of trust.

A user jailbreaking the device can circumvent the chain of trust and allow unwanted code onto the device without background processes detecting an infection.

Data encryption

Windows* 8 on IA/Intel® vPro™ Technology:

Intel hardware-assisted security technologies enable ubiquitous encryption of all data at rest and in transit without impacting user productivity.

• Hardware-assisted Intel® Advanced Encryption Standard-New Instruction (Intel® AES-NI) accelerates encryption tasks, enabling IT to adopt full-disk encryption across the enterprise. Hardware acceleration minimizes the likelihood a user will circumvent/turn off encryption due to productivity impact.

• Intel® SSD Pro Series provides built-in, on-disk accelerated encryption for data at rest protection.

iOS* on iPad*:

All application code is encrypted at rest by the hardware. User data stored on the device can be encrypted, but is not forced.

Data leak prevention

Windows* 8 on IA/Intel® vPro™ Technology:

Windows 8 on IA, security ISVs, and manageability solution providers enable policies that “nail-down” the system’s I/O and help prevent users from copying sensitive data off the device.

iOS* on iPad*:

User data can be copied from the iOS device, provided passcodes are known.

Address Space Layout Randomization (ASLR)

Protects against malware running with elevated permission from finding useable data

Windows* 8 on IA/Intel® vPro™ Technology:

Windows allows an ASLR methodology, using both the OS’ memory allocation routine and the chipset’s capabilities, to randomize the mapping of physical-to-virtual memory. This feature must be activated in the system, and it is executed by software. Windows filesystem directories are known and predictable.

iOS* on iPad*:

Apple provides a mechanism to ensure that successive runs of an application use different and unpredictable regions of memory for all purposes. This prevents malware, which might become resident, or external probes from predicting the location and structure of valuable data.

E-mail security

Windows* 8 on IA/Intel® vPro™ Technology:

Windows on IA supports fine-grained control of which e-mail requires special handling, such as signing.

iOS* on iPad*:

iOS supports only comprehensive control of the inbox: all e-mail is processed in the same manner, e.g., signed or unsigned.

Some articles illustrating that the iTunes* store and iOS are not infallible.

“Mobile Pwn2Own: iPhone 4S hacked by Dutch team” www.zdnet.com/mobile-pwn2own-iphone-4s-hacked-by-dutch-team-7000004498/

“Apple provides 197 security reasons to upgrade to iOS 6” www.zdnet.com/apple-provides-197-security-reasons-to-upgrade-to-ios-6-7000004535/


Table columns: What the Enterprise Needs | What Intel and Windows* 8 Provide | What the iPad* Lacks

Manageability

What Intel and Windows* 8 Provide:

Applications on a Windows* 8 device directly support MDM interfaces, enabling fine-grained manageability across the full range of Windows 8 devices: touch/convertible, notebook, and desktop.

What the iPad* Lacks:

Due to Apple’s proprietary MDM interface, an Apple-approved MDM appliance must lie between the manageability console and the iOS device. This appliance provides coarse-grained manageability only.

Agility

What Intel and Windows* 8 Provide:

Enterprise IT typically employs an open, standards-based architecture for their computing environments. This enables the widest range of configurations, activities, and choices for users and the business.

What the iPad* Lacks:

With its closed architecture, iOS might lack the agility some companies demand.

Productivity

What Intel and Windows* 8 Provide:

The majority of business clients, including portable devices, already run Windows and Windows-based applications that are essential to daily corporate workflows.

What the iPad* Lacks:

In spite of its impressive application store, because Apple controls the code deployable to the iPad*, an enterprise’s standard suite of applications, such as Microsoft Office*, may or may not be available for iPad. It can be costly for an enterprise to port their critical applications to the iPad and obtain Apple’s approval to deploy. The benefit might not justify the cost.

Enterprise-class capabilities

What Intel and Windows* 8 Provide:

Intel has been a leader in business client manageability since 2006 with the introduction of Intel® vPro™ technology.

Intel vPro technology features include fine-grained manageability, domain control of IA-based devices, security management, and choice of functionality and form factors needed for enterprise users.

What the iPad* Lacks:

The iPad is a popular consumer device that is attractive to some enterprise users, but lacks typical and needed enterprise-class capabilities. The iPad helped illustrate the demand for the tablet form factor in the enterprise. However, with Windows 8 on IA products now in the market, IT and users are realizing the iPad’s limited capabilities, fewer choices in form factors, and lack of enterprise-class features.

Trust, stability, and reliability

What Intel and Windows* 8 Provide:

IT shops around the world have grown to trust Intel® hardware-based security technology solutions running Windows OS for their business clients.

What the iPad* Lacks:

The iPad is a relative newcomer to established policies and practices the iPad does not natively support.

Ready for cloud

What Intel and Windows* 8 Provide:

Intel and McAfee offer secure authentication for the cloud with Intel® Expressway Cloud Access 360 based on Intel IPT with One Time Password (OTP). And cloud certificate management solutions support Intel® Identity Protection Technology with Public Key Infrastructure (Intel® IPT with PKI), simplifying certificate management.

What the iPad* Lacks:

Apple iCloud* clients use a secure token to authenticate access to iCloud. Data is encrypted via SSL during transit and is encrypted in storage.

Windows, the Enterprise, and the iPad

With its closed architecture preventing IT from having full domain control, the iPad presents a challenge for fine-grained security and manageability. IT organizations must often engage specialized external MDM experts and software to integrate the iPad into their infrastructures, adding more cost, complexity, approval for yet another vendor, training for technicians, and ongoing support.

Windows 8 platforms built on Intel vPro technology maintain the familiar fine-grained manageability capabilities enterprise IT requires. In addition, Windows 8 integrates flexibility for multiple types of clients, including touch, tablet, and traditional devices, in a single OS. Finally, Windows 8 offers stylish new and configurable user personalization features and IT security capabilities not available in iOS.


Application Availability

While cloud strategies evolve and enterprises implement them, the daily activities of rich content creation and running the business still rely on Windows-based client-side applications. The iPad lacks rich support for local processing. Even if it can support powerful productivity applications, with its closed architecture and single application source, some of these applications won’t be available on the iPad.

Windows 8 preserves the familiar desktop interface, usage, and application availability for local processing and yet enables touch computing with the same OS. In its desktop mode, users can remain productive by working locally with the same applications they are accustomed to. Local processing remains available, even when a network is not. And, there’s no costly porting path for the enterprise while they continue to implement their cloud strategy.

Switching to the Windows 8 touch interface in a convertible device, users enjoy the thin-client model features of a tablet. Even when switching to a tablet, the Windows 8 user interface remains familiar from desktop/notebook to tablet, with new stylish, rich features not available on an iPad. It’s an all-in-one OS, and when combined with Intel® vPro™ technology-based platforms, it just works—for IT, users, and the enterprise.

Ready for the Cloud

The “app store” delivery model adopted by many device vendors has proven benefits for IT. So, it’s natural that Microsoft would launch such a model for touch devices running the Windows 8 touch interface. Microsoft thoroughly inspects and signs applications running under Windows 8 touch interface; these applications can only be obtained and installed through Microsoft’s application store. (However, traditional productivity tools users are familiar with can still be loaded onto Windows 8 devices in desktop mode, preserving application availability and user productivity.) Microsoft is aggressively building its store for Windows 8.

Conclusion

IT practices are built on trusted policies and technologies developed over the years. Hardware, device, and Windows-based software solution providers have built an ecosystem to meet IT’s needs. The iPad and consumerization of IT introduced a challenge for IT because of its closed architecture and lack of native capabilities that IT requires to manage and protect the enterprise.

With the release of Windows 8 and the latest generation of Intel vPro technology and Intel Core vPro processors, a new generation of enterprise-class tablets, such as the Lenovo* ThinkPad Tablet 2, is emerging. Running on Windows 8 and IA, these new devices deliver all the capabilities of the iPad and more, by:

• Running new touch-based Windows applications delivered securely through an app store.

• Preserving application availability with new hardware-assisted security in desktop mode.

• Enabling IT to continue to secure the enterprise and meet its requirements with trusted background processes.

• Allowing IT to leverage existing IT practices and applications instead of forcing them to adopt entirely new software vendors and processes.

• Providing fine-grained manageability IT is used to.

Windows 8 on IA is meeting the iPad challenge head-on with enterprise-class solutions iOS cannot deliver.

¹ “Mobile Pwn2Own: iPhone 4S hacked by Dutch team” http://www.zdnet.com/mobile-pwn2own-iphone-4s-hacked-by-dutch-team-7000004498/

² IT should look for devices with enabled security measures.

³ If an unsigned boot ROM is successfully hacked or physically replaced, the secure bootup process can be compromised. Such threats do exist; for example, the 2011 Mebromi attack in China.

The information in this document is provided only for educational purposes and for the convenience of McAfee and Intel customers. The information contained herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

Copyright © 2013 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Core, Core Inside, and Intel vPro are trademarks of Intel Corporation in the U.S. and/or other countries.

* Other names and brands may be claimed as the property of others.

Printed in USA 0313/ABD/HBD/PDF Please Recycle 328711-001US