Microsoft promotes the first PCs to ship natively with the secure Pluto chip

As organizations continue to grapple with how to manage a hybrid workforce, security outside the corporate firewall continues to play a huge role in day-to-day IT operations.

Following the October launch of Windows 11, which offered features intended to enable hybrid work, Microsoft last week announced the first PCs with its Pluton chip-to-cloud security technology. The technology aims to secure the computers of telecommuters and other remote workers.

At CES, Microsoft announced that Lenovo and chipmaker AMD released the first laptops, the ThinkPad Z13 and ThinkPad Z16, which ship natively with Pluton security chips. The ThinkPad Z13 price starts at € 1,549, the ThinkPad Z16 price starts at € 2,099. Both laptops will be available in May, and Lenovo said there is no additional cost associated with the Pluton chip inside.

Pluton will be disabled by default on Lenovo ThinkPad 2022 platforms (specifically, the Z13, Z16, T14, T16, T14s, P16s, and X13 with AMD 6000 series processors). Customers will have the option to activate Pluton themselves, a Lenovo spokesperson said.

Asked why the chip is initially disabled, the spokesperson said that enterprise customers "have told us that they thoroughly test and evaluate any new security-related software or functionality that is introduced into their network. And they may choose to activate Pluton on their devices when they see fit. As Pluton rolls out to market and we have time to assess customer demand for factory activation, we will review activation."

The Pluton processor aims to provide better protection than the existing Trusted Platform Module (TPM), as it is a dedicated security chip that handles security features such as BitLocker, Windows Hello, and System Guard.

Windows 11 came with a host of security updates, one of which was the inability to disable existing features like UEFI, Secure Boot, and the TPM. Windows 11 is a Zero Trust enabled operating system designed to be secure from chip to cloud, with verifiable security checks built in and enabled by default.

TPM 2.0 is used to generate and protect encryption keys, user credentials, and other sensitive data so that malware and attackers cannot access or manipulate the data.

The Pluton chip is a specially designed security processor, developed through a joint effort between Microsoft and major silicon manufacturers, including AMD and Qualcomm. Its goal is to protect PCs against some of the most sophisticated malware attacks by storing user credentials (including fingerprint information), identities, personal data, and passwords more securely. The built-in security processor combines TPM 2.0 functionality with the ability to dynamically update and add new security features seamlessly through Windows Update, Microsoft's service that installs the latest software and firmware on a computer.

"Tightly integrated hardware and software" helps protect against security vulnerabilities by adding additional visibility and control, and is more adaptable to changes in the threat landscape, according to Microsoft.

The Pluton chip is built into a device's processor package and is therefore more difficult for attackers to access. Sensitive information stored on it cannot be extracted, even if an attacker has installed malware or is physically in possession of the PC, because the chip is isolated from the rest of the system. The chip also helps prevent emerging attack techniques, such as speculative execution (a side channel attack) that exploits the behavior and functionality of the processor.

Pluton can act as a TPM or provide additional security to a device in conjunction with a third-party discrete TPM, according to Matt Wo, Microsoft's cybersecurity spokesman.

"Our partners have the choice and flexibility to offer Pluton with or without a third-party TPM," Wo said in an email response to Computerworld. "When Pluton is configured as a TPM, it protects the BitLocker keys that are used to help encrypt and protect customer data stored on the system."

Patrick Hevesi, vice president analyst at Gartner, said the biggest benefit of the Pluton chip is the potential elimination of physical side channel attacks against the communication channel between a standalone TPM and the CPU.

Side channel attacks do not target weaknesses in the cryptographic systems themselves; instead, the attacker looks for information leaks that may reveal something about the operation of the cryptographic system. For example, acoustic attacks can record the sound of a user's keystrokes to steal their passphrase, or electromagnetic field (EMF) radiation emitted from a computer screen can be used to read information before it is encrypted.

"Since the Pluton security processor will be embedded directly into System on a Chip (SoC) chips, there should be no way to access the channel without destroying the chip," Hevesi said by email. "In addition, according to Microsoft's specifications, keys will never leave the Pluton security boundary, which will help prevent attacks such as speculative execution and other types of key hardware attacks."

Another benefit of the Pluton architecture is that Microsoft will control security chip firmware updates and deliver them directly through Windows Update, allowing the company to monitor and secure the firmware code and continue to add new security features as new versions of Windows are rolled out, according to Hevesi.

Microsoft will also be able to advance hardware and software security features such as secure boot, measured boot, and virtualization-based security directly on a single SoC processor.

"This will help prevent even remote attacks that attempt to modify the kernel or operating system boot process. The Pluton chip will help protect remote devices through the physical layer and integration of software security features," Hevesi said. "This technology can also be applied to on-premises devices to potentially prevent physical insider attacks, and they've also added this technology to Azure Sphere in the cloud."

Not everyone believes that the new Pluton chip is the last word in security.

Michael Suby, research vice president for IDC's Trust and Security Research Service, said the SoC platform is a useful advance that won't dramatically change business decisions anytime soon.

"A potential malicious actor exploit sequence could smuggle out the executive's laptop, open the device and infect it at the hardware level, and then return the device, apparently undamaged, to the executive and also to the potential security teams from IT," says Suby.

Lenovo's new laptops are powered by AMD Ryzen 6000 series processors, which feature the Pluton security chip in newer Windows 11 PCs. The Pluton chip is based on technology that has been used for years in Microsoft Xbox and Microsoft Azure Sphere.

"As we enter this new era of hybrid work, you need modern security solutions that provide end-to-end protection wherever you are," Wo said. "Windows 11 was designed to raise the bar on security, out of the box, to enable protections like Windows Hello, device encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and secure boot, a combination which has been shown to reduce malware by 60%."
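The protections listed above (TPM 2.0, Secure Boot, VBS, HVCI, BitLocker) are the baseline that Pluton is meant to anchor; an administrator rolling these laptops out will want to verify them on the device rather than trust the spec sheet. The script below is an added example, not code from the article, Microsoft or Lenovo: it reads each setting through standard Windows cmdlets and CIM classes and reports gaps. The check that a Pluton TPM reports manufacturer text "MSFT" is an assumption and should be confirmed against the vendor's documentation.

```powershell
# Added example (not from the article): inventory the Windows 11 chip-to-cloud
# protections named in the text. Run in an elevated PowerShell on Windows 11.
# Assumption: a Pluton TPM reports ManufacturerIdTxt "MSFT"; confirm with vendor docs.
$ErrorActionPreference = 'Stop'
$report = [ordered]@{}

# TPM 2.0 presence and readiness (Pluton can be the TPM or sit beside a discrete one)
$tpm  = Get-Tpm
$wtpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$report['TpmPresentAndReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
$report['TpmSpecVersion']     = $wtpm.SpecVersion                   # e.g. "2.0, 0, 1.59"
$report['TpmManufacturer']    = $tpm.ManufacturerIdTxt
$report['TpmIsPluton']        = ($tpm.ManufacturerIdTxt -eq 'MSFT') # assumption, see above

# UEFI Secure Boot (the cmdlet throws on legacy BIOS systems, so treat that as "off")
try   { $report['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
catch { $report['SecureBoot'] = $false }

# VBS and HVCI via the DeviceGuard CIM class
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$report['VbsRunning']  = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = running
$report['HvciRunning'] = ($dg.SecurityServicesRunning -contains 2)      # 2 = HVCI, 1 = Credential Guard

# BitLocker on the OS volume: these are the keys Pluton protects when it acts as the TPM
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLockerOn']  = ($os.ProtectionStatus -eq 'On')
$report['BitLockerTpm'] = [bool]($os.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')

[pscustomobject]$report | Format-List

# Flag anything below the baseline so the gaps stand out in the output
$gaps = @('TpmPresentAndReady','SecureBoot','VbsRunning','HvciRunning','BitLockerOn','BitLockerTpm') |
    Where-Object { -not $report[$_] }
if ($gaps) { Write-Warning ("Baseline gaps: " + ($gaps -join ', ')) }
```

Because Pluton ships disabled on the Lenovo platforms named above, a device can pass every check here with a discrete TPM and still not be using Pluton; the manufacturer field is what distinguishes the two.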

Microsoft said that many Windows 11 updates and collaborative chip designs were inspired by hybrid work themes.

"It is clear that the last few years have fostered a great deal of learning that our partners have integrated into the design of these devices. These learnings, and new ways of working, also influenced many innovations in the design of Windows 11," Nicole Dezen, Microsoft vice president of device partner sales, said in a blog post.

Copyright © 2022 IDG Communications, Inc.