How Intel Contributes to Zero Trust
Establishing an advanced security approach to protect infrastructure, people and data.
Traditional security approaches, with secure perimeters and users/devices granted trust once inside, are no longer effective. Remote work, edge processing, hybrid environments, and sophisticated attacks have shown that credentials can be compromised, firewalls can be breached.
Businesses and governments are moving to Zero Trust, a modern framework to protect infrastructure, people, and data based on the belief that no user or asset is inherently trustworthy. Each user, asset, application, and transaction must be continuously verified. Zero Trust frameworks typically spell out how verification is handled across Identity, Devices, Networks, Applications/Workloads, and Data.
Zero Trust Principles based on NIST guidelines
- All data sources and computing services are resources.
- All communication is secured regardless of network location.
- Access to resources is granted on a per-session basis; trust is verified before access is granted with least privileges needed.
- Access to resources is determined by dynamic policy defining resources, who members are, and what access members need.
- The enterprise monitors and measures the integrity and security posture of assets. No asset is inherently trusted.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about assets, network infrastructure and communications and uses it to improve security.
The Zero Trust Paradox
While Zero Trust mandates a “never trust” mindset, you must establish something to trust (but verify!) as the basis for your strategy.
Hardware, including the component supply chain, offers that root of trust given its privileged position as the foundation of the compute stack.
Intel delivers products, services, and capabilities that partners and customers use to advance their Zero Trust strategy.
What is Silicon-based Security?
Security capabilities physically built in at the silicon level.
Differs from software-based protections in which security measures are installed on top of hardware,
leaving layers located below the OS vulnerable.
Meant to complement software-based security measures rather than replace them.
Result is a multidimensional, comprehensive approach that can detect and prevent a greater range of cyberthreats.
Establish Your Hardware Root of Trust
Zero Trust principle #4:
Access to resources is determined by dynamic policy defining resources, who members are, and what access members need.
For your Zero Trust strategy to be effective, devices must begin in a known good state and be continually verified that they remain that way.
Questions to answer:
- Where was your device designed, made, assembled and tested?
- Was the device you ordered what was delivered?
- Did your PC boot to a “known healthy state”?
- Has your firmware or OS been tampered with?
Intel Product Security Assurance
Intel products are protected by the best security assurance in the industry, as measured by ABI Research.
Intel® Transparent Supply Chain
Tools, policies, and procedures to verify the authenticity of systems and components.
Intel® Device Health
Automated identification of foundational vulnerabilities and targeted patches.
Get Your Key Management Right
Zero Trust principle #4:
Access to resources is determined by dynamic policy defining resources, who members are, and what access members need.
Cryptographic keys are a foundation of modern cybersecurity, used to perform user authentication and enable sensitive information is accessed only by those with the right credentials.
Questions to answer:
- How are your keys generated?
- Do you use approved algorithms for random number generation?
- Where are your keys stored?
- Who is allowed access?
Intel® Platform Trust Technology
Credential storage and key management supporting Trusted Computing standards.
Intel® Trusted Platform Module 2.0
Microcontroller that helps store essential, critical information to enable platform authentication.
Intel® Secure Key
High entropy random number generator designed to comply with ANSI/NIST standards.
Isolate Your Sensitive Data and Workloads
Zero Trust principle #5:
The enterprise monitors and measures the integrity and security posture of assets. No asset is inherently trusted.
Confidential computing solutions protect sensitive and regulated data through isolation, encryption and control, and verification capabilities, helping unlock opportunities for business collaboration and insights.
Questions to answer:
- Can you protect data “in use”?
- Do you have silicon-based isolation and mechanisms to limit damage if breached?
- Are you using secure enclaves or trusted execution environments?
- How can you verify the trustworthiness of compute assets?
Intel® Software Guard Extensions
Protects data using trusted enclaves to reduce attack surface and access.
Intel® Trust Domain Extensions
Enables isolation of guest OS and VMs, removing access from the cloud host, hypervisor, and other VMs.
Intel® Trust Authority
Attests that apps and data are protected on the customer’s platform of choice.
Verify Your Device Integrity
Zero Trust principle #4:
Access to resources is determined by dynamic policy defining resources, who members are, and what access members need.
Trusting your devices comes down to verifying your devices started in a secure state and have not been tampered with or changed or modified in ways you did not authorize.
Questions to answer:
- Did your PC boot based on its “known healthy state”?
- Has your firmware been tampered with?
- Has your OS been tampered with?
- Is your firmware up to date?
- Has your BIOS been modified?
Below-the-OS Security
Intel® vPro®-based devices with Windows OS come with Intel® Hardware Shield* that includes capabilities including the following:
Intel® Trusted Execution Technology
Intel® BIOS Guard
Intel® Boot Guard
Intel® OS Guard
Intel® Firmware Guard
Firmware Update/Recovery
Intel® Tunable Replica Circuit-Fault Injection Detection
Intel® Runtime BIOS Resilience
Intel® System Resource Defense
Intel® System Security Report
Verify VM and Application Integrity
Zero Trust principle #5:
The enterprise monitors and measures the integrity and security posture of assets. No asset is inherently trusted.
With an established hardware root of trust and device integrity, the next area to focus is on is ensuring the things running on our devices are also operating as expected.
Questions to answer:
- Has your application code been tampered with?
- Has your VM been tampered with?
Intel® Virtualization Technology
Hardware-assisted virtualization of CPU context, I/O devices, and direct memory access.
Intel® Control-flow Enforcement Technology
Protect against misuse of legitimate code through common control-flow hijacking attacks.
Enhance Detection with Vulnerability Insights
Zero Trust principle #6:
All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
AI and advanced silicon-based telemetry offer unparalleled insights to help you detect and defend against targeted attacks.
Questions to answer:
- Can you discover zero-day attacks?
- Can you find hidden malware in memory?
- Can you detect threats within VMs?
- Can your device detect anomalous behavior?
Intel® Threat Detection Technology
Provides AI-assisted monitoring and GPU and NPU acceleration to discover advanced attacks that bypass traditional detection methods.
Intel® Device Health
Automates identification of foundational (BIOS, microcode, firmware) vulnerabilities and targeted patches across fleets.
Use Encryption to Prevent Unwanted Access
Zero Trust principle #2:
All communication is secured regardless of network location.
In an environment where a breach is expected, encryption is even more critical to safeguarding sensitive data and ensuring only authorized users have access to information and assets.
Questions to answer:
- How much damage can adversaries do in your environment?
- Is your device FIPS 140-2/3 certified?
- Does it use NIST approved algorithms?
- Have the crypto algorithms been rigorously tested?
- Does your encryption work as promised?
- What happens if you lose physical control of your device?
Intel® Secure Key
Random number generator designed for ANSI/NIST compliance, FIPS 140-2/3 validation.
Intel® Advanced Encryption Standards New Instructions
Enables pervasive data encryption in areas where previously it was not feasible.
Intel® Total Memory Encryption
Provides memory data protection against physical attacks on lost or stolen devices.
Intel® Quick Assist Technology
Offloads compute-intensive workloads to reduce CPU utilization, improve network and storage application performance
Intel® Crypto Acceleration
Enhancements to significantly increase cryptographic performance, starting with instruction set architecture (ISA)
Streamline Device Management
Zero Trust principle #5:
The enterprise monitors and measures the integrity and security posture of assets. No asset is inherently trusted.
With the growth of remote work, devices and data are being used in more locations, making it critical to adopt comprehensive remote management.
Questions to answer:
- Are you able to manage your PCs remotely from a central location?
- Can you manage them even if they are powered off?
Intel® Active Management Technology
Provides comprehensive remote manageability, even access to a device that is powered-off or non-responsive.
Intel® Endpoint Management Assistant
Enables remote, secure management of devices, inside and outside the firewall, over the cloud.
Why Intel and Zero Trust?
Intel is uniquely positioned to help you advance a Zero Trust strategy, when you consider:
- Privileged position, developing leading hardware that is the foundation of the compute stack.
- Breadth of our product portfolio, covering edge, networks, data center and cloud.
- Decades of experience developing the gold standard for a technology supply chain.
- An innovative secure development lifecycle that helps ensure every product is designed with security in mind.
- Robust security assurance program, recently rated tops among silicon providers, which aims to keep our products secure.
Read the 2023 Product Security Report and ABI Research report to learn more about Intel leadership in ongoing security assurance.
Getting Started
Transitioning to a Zero Trust Architecture (ZTA) is a process that’s as much about evaluating and addressing risk as physical systems to enhance security. In fact, ZTA cannot be accomplished solely with a wholesale replacement of technology.
Intel technology forms a significant part of a ZTA. We partner with leaders across the security ecosystem who provide a diversity of solutions relevant to all customers’ needs and minimize reliance on sole-source solutions.
When you are ready to get started, visit The Best Defenders for Your Business: A Guide to Intel Cybersecurity Partners to learn more about security ecosystem partners who build zero trust architecture implementations rooted in silicon-based security.