In the past, a lost laptop automatically meant a compromise of whatever confidential data it contained. This is changing for the better, however. Paul Mah discusses the latest developments on the anti-theft front, featuring remote management or deletion of data for laptops that are lost or stolen.
I recently wrote about some simple hardware approaches to secure laptops. In the earlier article, I have advocated the use of FDE (full disk encryption) or the use of an encrypted flash volume as means to ensure the security of confidential or private data.
A couple of vendor announcements in the past few weeks show an increased emphasis on data protection. I'll examine developments on the anti-theft front for the remote management of stolen laptops — once the sole domain of smartphones like the RIM BlackBerry and Microsoft's Windows Mobile-based devices.
Alcatel-Lucent OmniAccess 3500 Nonstop Laptop Guardian
One proprietary solution that got on my radar a few months ago is the OmniAccess 3500 Nonstop Laptop Guardian by Alcatel-Lucent. The 3500 is a Linux-based PCMCIA card that emulates a smartcard for authentication. In short, the laptop will cease to work if this PCMCIA card is physically removed. What differentiates the 3500 from a typical smartcard is that it packs an integrated 3G modem, GPS, and its own battery for power.
The wireless link and GPS let the PC be located and have its security policies managed even if the laptop is turned off. The depth of its features, which includes the ability to terminate VPN traffic and store encryption keys, currently represents the holy grail of locking down and managing remote laptops.
Of course, its downside is that it is only available in the PCMCIA form factor - which is fast losing appeal among newer laptops.
Lenovo Constant Secure Remote Disable
Lenovo recently announced a feature called Lenovo Constant Secure Remote Disable. Working together with BIOS maker Phoenix Technologies, Lenovo integrated the ability for a user to remotely disable his laptop on the hardware level. This is done by means of a text message containing a "kill command" that is sent by text message from designated mobile phones.
Once the kill command is sent, the ThinkPad is either disabled immediately or when the laptop is turned back on - as in the case when a system is suspended or hibernated. Once shut down this way, the only way to get the laptop back on is to type in a preconfigured "resurrection code" when the laptop is started. Obviously, an embedded cellular WWAN (wireless wide-area network) card will be necessary to use this feature, as well as a relevant mobile subscription to allow receipt of text messages.
Lenovo Constant Secure Remote Disable will be available as a free BIOS upgrade expected this month or first quarter of 2009. The technology will work with ThinkPad laptops running on the Intel Centrino 2 platform.
Intel Anti-Theft PC Protection
The first laptop based on Intel's anti-theft technology, ironically, will also be released by Lenovo this month. Lenovo's new ThinkPad T400 will ship with Intel's Anti-Theft PC Protection as well as Computrace technology from Absolute's Software.
The combination of both hardware and software allows for a robust solution. For example, via the Computrace software, it is possible to set timers to disable logins if the computer has not checked to a central server within a set period of time. It can also help in tracing the location of the laptop or remotely lock it via the Internet in the event of theft.
A machine can also be set to brick upon a certain number of password failures, or a signal from a remote server. When bricking, the chipmaker's vPro technology can halt the laptop at the BIOS boot screen, effectively rendering the entire hardware useless. It can also permanently erase the encryption keys for a FDE disk, ensuring the guaranteed confidentiality of data.
The advantage of the approach taken by the OmniAccess 3500 Nonstop Laptop Guardian by Alcatel-Lucent is by leveraging on well-understood smartcard technologies. Building a stand-alone data modem and GPS hardware into a PCMCIA form factor can't be cheap, but does allow for a comprehensive end-to-end solution for laptops containing extremely high-value data.
Lenovo's approach allows the use of relatively minor BIOS updates to bestow the ability to remotely shutdown compliant ThinkPads. A built-in WWAN card is still necessary, as with a relevant mobile plan subscription. On the bright side, availability of laptops with built-in WWAN cards can only increase and if popular, should be trivial to incorporate by other vendors.
Finally, Intel's approach represents a solution involving both hardware and software vectors. The vPro technology gives it a robustness of a hardware-based solution, while the use of software like Absolute Software's Computrace gives it a versatility and control second to none. The downside appears to be slightly higher complexity in terms of management, though.
What do you think of the solutions mentioned so far? Which anti-theft technology do you see as something you will deploy, or see wide deployment over the next few years?