
IT@Intel White Paper

Intel IT
Data Protection
November 2013

Improving Data Protection with McAfee Drive Encryption

Executive Overview

Intel IT is deploying McAfee Drive Encryption, an integral component of new McAfee security products such as McAfee Complete Data Protection - Advanced software suite. McAfee Drive Encryption provides a hybrid agent that can automatically and transparently detect whether software- or hardware-based encryption is needed.

This hybrid approach is an important aspect of encryption manageability for Intel IT because our environment includes an installed base of laptops with Intel® Solid-State Drives (Intel® SSDs) and non-Opal-compliant, self-encrypting drives (SEDs), which require software-based encryption. Our environment also includes Opal-compliant drives, such as the Intel® SSD Pro 1500 Series, which support hardware-based encryption.

We experienced a number of benefits with McAfee Drive Encryption, such as the following:
• Deployed on more than 40,000 systems with zero data loss to date
• 100-percent integration with existing products and processes
• One central management console (a “single pane of glass”) that can generate enterprise-wide reports for multiple security solutions, with detailed compliance reporting
• Significantly faster resume from hibernation than our previous software-based encryption solution1

McAfee Drive Encryption safeguards Intel’s corporate data and intellectual property—as well as employees’ personal information—while improving the user experience and boosting productivity. We expect to complete the migration to McAfee Drive Encryption across Intel’s laptop fleet by mid-2014.

Oded Bar-El
Client Security Engineer, Intel IT

Efi Kaufman
Client Security Product Manager, Intel IT
Contents
Executive Overview
Background
Solution
Benefits of McAfee Drive Encryption
Deployment Method
Conclusion
Acronyms

IT@INTEL
The IT@Intel program connects IT professionals around the world with their peers inside our organization – sharing lessons learned, methods and strategies. Our goal is simple: Share Intel IT best practices that create business value and make IT a competitive advantage. Visit us today at www.intel.com/IT or contact your local Intel representative if you’d like to learn more.

BACKGROUND

The quantity and sophistication of information security threats continue to increase for enterprises because of the rapid growth of social media, cloud computing, IT consumerization, and mobile technology. By implementing our “Protect to Enable” security strategy Intel IT is helping to increase protection while continuing to support the flow of information and the adoption of new technologies.

To help protect Intel’s intellectual property and employees’ personal information, in 2009 we deployed software-based encryption on corporate-owned laptops provided to employees. We encrypted the entire drive—including data, applications, the OS, and free space. If a system was lost or stolen, unauthorized individuals could not access the data stored on the drive.

While the solution we deployed greatly improved data security, it posed operational and business challenges:
• Performance. Employees perceived a performance impact because continuous encryption and decryption activity required a significant portion of the CPU compute capacity—even on Intel® Solid-State Drives (Intel® SSDs). Also, passphrase recovery required assistance from an IT Help Desk technician.
• Compliance and manageability. We found it challenging to verify that each system had the encryption software installed and that each employee had completed the encryption process.
• Reliability. We experienced reliability issues associated with passphrase recovery; in some cases, employees lost all data stored on the laptop.

We continually monitor innovations in information security technology and evolve our data protection techniques as technology changes and matures. The development of the Opal standard, published by the Trusted Computing Group, led us to formulate a long-term encryption roadmap in 2012. This roadmap includes Opal-compliant drives (see sidebar, “McAfee Drive Encryption and the Opal Standard”) as well as standard encryption-management software. Because Opal-compliant drives were not generally available in 2012, we developed a near-term hardware-based encryption solution using self-encrypting drives (SEDs) and Intel® Active Management Technology,2 part of Intel® vPro™ technology.3 This solution created an end-to-end enterprise-scale management solution for SEDs. As part of the solution, we developed a passphrase-management utility, manageability web services, and a secured database.4

The Opal-compliant Intel® SSD Pro 1500 Series is now available (see sidebar, “The Intel® Solid-State Drive Pro 1500 Series”). We are deploying these drives, which support hardware encryption, through our standard hardware refresh cycle. For our installed base of PCs that do not have Opal-compliant SEDs, we still require a software-based encryption solution that is more reliable than the previous software-based solution and that better meets the performance expectations of Intel employees.

McAfee Drive Encryption and the Opal Standard

The Opal standard, published by the Trusted Computing Group (TCG), defines a set of mechanisms and protocols for self-encrypting drives (SEDs), including encryption, authentication, configuration, and policy management. The TCG is a not-for-profit organization formed to develop, define, and promote open, supplier-neutral industry standards for trusted computing building blocks and software interfaces across multiple platforms.

SED solutions based on the Opal standard enable integrated encryption and access control within the protected hardware of the drive. SEDs provide the industry’s preferred solution for drive encryption, protecting data when the machines or drives are lost, stolen, repurposed, under warranty repair, or at end-of-life. The Opal standard provides multi-vendor interoperability, allowing application vendors to manage SEDs from multiple providers.

Starting with version 6.2, McAfee Drive Encryption supports self-encrypting Opal-based drives on both the Unified Extensible Firmware Interface (UEFI) and BIOS. If McAfee Drive Encryption detects an incompatible or unsupported combination of an OS and Opal drive, it continues the activation process using software encryption instead of the native Opal functionality.

SOLUTION

We are replacing our previous software-based encryption solution with McAfee Drive Encryption, which is an integral component of the new McAfee security products such as McAfee Complete Data Protection - Advanced suite.5 We have chosen a deployment approach that minimizes the impact to employees and avoids inadvertent exposure of corporate data to attack during the encryption solution migration process.

McAfee Drive Encryption provides a hybrid agent that can automatically detect whether software- or hardware-based encryption is needed. This detection is transparent to the end user, and in either situation McAfee Drive Encryption provides drive manageability capabilities.
• If needed, McAfee Drive Encryption uses software-based encryption and takes advantage of Intel® Advanced Encryption Standard – New Instructions (Intel® AES-NI)6—found in select Intel® processors—to improve system performance.
• When running on a system that is equipped with an Opal-compliant drive, McAfee Drive Encryption automatically detects the drive type and offloads all the encryption and decryption processes to be executed by the Opal drive hardware, which provides maximum system performance.

McAfee Drive Encryption is now our primary drive encryption solution.

The Intel® Solid-State Drive Pro 1500 Series


The Intel® Solid-State Drive (Intel® SSD) Pro 1500 Series helps accelerate storage and lower total cost of ownership with integrated drive
encryption, remote management, and high reliability. The following list summarizes some of the enterprise-level benefits associated with
the Intel SSD Pro 1500 Series.

• Flexibility. Capacities range from 80 GB to 480 GB. Available in both thin 2.5-inch and smaller M.2 form factors, the Intel SSD Pro 1500 Series
was designed for the latest Ultrabook™ 2 in 1 designs7 and can also fit into more traditional PC platforms.
• Enhanced security and manageability. The Intel SSD Pro 1500 Series introduces Trusted Computing Group Opal protocols8 across the full
range of supported capacities and form factors, providing industry-standard encryption-key-management capabilities. The integrated hardware-
based 256-bit Advanced Encryption Standard (AES) engine seamlessly encrypts and decrypts data without compromising performance.
• Power-efficient performance. The Intel SSD Pro 1500 Series accelerates platform performance. Sequential I/O operations occur at 490
to 540 megabytes per second; the drive can process from 42K up to 80K random input/output operations per second (IOPS).9 In addition to
strong performance gains, the Intel SSD Pro 1500 Series extends battery life through advanced low-power modes, reducing idle power by
over 90 percent in comparison to a typical hard disk drive. This reduces power usage from watts to milliwatts. When the Intel SSD Pro 1500
Series is coupled with a 4th generation Intel® Core™ vPro™ processor platform, power consumption is reduced another order of magnitude—
from milliwatts to microwatts.
• Enterprise-ready quality and reliability. The Intel SSD Pro 1500 Series is designed to meet an annualized failure rate of less than
1 percent,10 which can significantly reduce total cost of ownership.


Benefits of McAfee Drive Encryption

Overall, McAfee Drive Encryption improves performance, compliance and manageability, and reliability compared to our previous software-based encryption solution. The combination of these benefits helps provide enhanced information security and better business value.

PERFORMANCE

We conducted performance tests on a system with no software-based encryption, a system with McAfee Drive Encryption, and a system with our previous software-based encryption solution. All of our tests were performed on systems with the same configuration.11 The three tests were:
• Test case 1 - Resume from hibernation with no applications running
• Test case 2 - Resume from hibernation with several common applications
• Test case 3 - Power on

In test cases 1 and 2, system performance for laptops using McAfee Drive Encryption was significantly faster than a similarly configured laptop using our previous software-based encryption solution. In addition, in test cases 1 and 3, the McAfee Drive Encryption system performed almost as fast as the system with no software encryption installed (see Figure 1).

COMPLIANCE AND MANAGEABILITY

McAfee Drive Encryption represents enhanced manageability from several perspectives, such as integration with our existing environment and processes, improved compliance reporting, and passphrase recovery. The following sections provide more detail about each of these areas.

Integration with Our Environment and Processes

We already had McAfee security products installed in our environment, such as McAfee VirusScan® software and McAfee Host Intrusion Prevention. Therefore deploying McAfee Drive Encryption provides operational and security staff with a “single pane of glass” to run comprehensive reports about the information security status of all client PCs. A central management-and-reporting console enables IT administrators to easily set policies, demonstrate compliance, identify unencrypted laptops, and respond rapidly to loss or theft.

Additionally, our previous software-based encryption solution required a dedicated set of servers. In contrast, all management of McAfee Drive Encryption—including installation, encryption and decryption, and uninstallation—is managed solely from the McAfee ePolicy Orchestrator® (McAfee ePO™) console. Delivery of McAfee Drive Encryption is managed through McAfee Agent.

Figure 1. Software-based Drive Encryption Test Cases (bar chart; time in seconds, lower is better). For each of Test Case 1 (Resume from Hibernation, No Apps), Test Case 2 (Resume from Hibernation, Common Apps), and Test Case 3 (Power On), the chart compares a system using our previous software-based encryption solution, a system using McAfee Drive Encryption, and a system with no software-based encryption; the plotted times range from 10.4 to 31.4 seconds. McAfee Drive Encryption outperforms our previous software-based encryption solution. In our tests, a system running McAfee Drive Encryption resumed from hibernation or powered on almost as fast as a system with no software encryption installed.
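The console reports described above let administrators identify unencrypted laptops and export status to CSV. The following is an added example, not Intel IT’s or McAfee’s code, of the check a security operations team would run over such an export: it flags systems that are unencrypted, still encrypting or decrypting, running an agent older than the approved version, or no longer reporting. The column names, the sample rows, the minimum version and the staleness window are all constructed assumptions, not the real McAfee ePO report schema.

```python
import csv
import io
from datetime import date

# Constructed sample of a drive-encryption status export. The column names are
# assumptions for this example, not the real McAfee ePO schema.
SAMPLE_EXPORT = """\
system_name,last_communication,de_version,drive_type,encryption_state,encrypted_percent
LT-0001,2013-11-04,7.0.1,opal,active,100
LT-0002,2013-11-03,7.0.1,software,active,100
LT-0003,2013-11-04,7.0.1,software,encrypting,37
LT-0004,2013-10-01,7.0.1,software,active,100
LT-0005,2013-11-04,6.2.0,software,inactive,0
LT-0006,2013-11-02,7.0.1,opal,decrypting,88
"""

MIN_VERSION = "7.0.1"   # assumed minimum approved Drive Encryption version
MAX_SILENT_DAYS = 14    # assumed: an agent silent longer than this is stale


def parse_version(text):
    """Turn '7.0.1' into (7, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def evaluate_system(row, as_of):
    """Return the compliance findings for one exported row (empty list = compliant)."""
    findings = []
    state = row["encryption_state"].strip().lower()
    percent = int(row["encrypted_percent"])
    # Only a fully encrypted, active drive protects the data on a lost laptop.
    # A decrypting or partially encrypted drive is exposed, as the paper notes.
    if state == "encrypting":
        findings.append(f"encryption in progress ({percent}%)")
    elif state != "active" or percent != 100:
        findings.append(f"drive not encrypted (state {state}, {percent}%)")
    # An agent older than the approved baseline may lack fixes or features.
    if parse_version(row["de_version"]) < parse_version(MIN_VERSION):
        findings.append(f"agent version {row['de_version']} below minimum {MIN_VERSION}")
    # A system that stopped reporting may have fallen off management entirely.
    silent_days = (as_of - date.fromisoformat(row["last_communication"])).days
    if silent_days > MAX_SILENT_DAYS:
        findings.append(f"no agent contact for {silent_days} days")
    return findings


def compliance_report(export_text, as_of_text):
    """Map each non-compliant system name to its findings; compliant systems are omitted."""
    as_of = date.fromisoformat(as_of_text)
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = evaluate_system(row, as_of)
        if findings:
            report[row["system_name"]] = findings
    return report


def summarize(export_text, as_of_text):
    """Count compliant and non-compliant systems per drive type (opal vs. software)."""
    as_of = date.fromisoformat(as_of_text)
    totals = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        bucket = totals.setdefault(row["drive_type"], {"compliant": 0, "non_compliant": 0})
        bucket["compliant" if not evaluate_system(row, as_of) else "non_compliant"] += 1
    return totals


if __name__ == "__main__":
    for name, findings in compliance_report(SAMPLE_EXPORT, "2013-11-05").items():
        print(name, "->", "; ".join(findings))
    print(summarize(SAMPLE_EXPORT, "2013-11-05"))
```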


Figure 2 summarizes the process of encrypting a drive using McAfee Drive Encryption from the McAfee ePO console. With our previous software-based encryption solution, employees were required to start the encryption process themselves and could pause it, which raised compliance and security issues. With McAfee Drive Encryption, encryption starts without user intervention. The employee is prompted to create a passphrase and self-recovery answers upon first reboot after encryption has started. Similarly, employees were previously required to start the decryption process once decryption privileges had been granted. With McAfee Drive Encryption, decryption starts automatically once the system is provided with the decryption policy on the back-end.

Figure 2. IT administrators manage McAfee Drive Encryption solely from the McAfee ePolicy Orchestrator® (McAfee ePO™) console. The encryption workflow shown in the figure, in order:
• McAfee Drive Encryption is deployed to the client (reboot is required)
• Domain user logs into system
• McAfee Agent collects and sends client properties to McAfee ePO
• McAfee Agent receives policy from McAfee ePO
• McAfee Agent sends client data and events to McAfee ePO
• McAfee ePO assigns the user account to the system
• McAfee Agent sends client data and events to McAfee ePO
• Encryption begins; the user will be prompted for a passphrase on the next reboot

Compliance Reporting

For compliance management, we previously relied on business group individuals who were tasked with making sure employees follow intellectual property protection guidelines. These individuals tracked which employees had enrolled in the encryption solution and completed the encryption process. With McAfee Drive Encryption, compliance is managed by the security operations staff; enrollment happens automatically.12

The McAfee ePO console provides approximately a dozen drive-encryption reports: drive-encryption status, installed version, tracking of client events, and more. All reports are exportable to CSV, HTML, and PDF files. Administrators can also query the ePO database using a wizard-like interface to generate customized reports as needed.

Passphrase Recovery

McAfee Drive Encryption simplifies the recovery of lost or forgotten passphrases using one of two methods—self-recovery or administrator recovery. Self-recovery is less time consuming and more efficient for employees, doesn’t require phone or network access, and reduces operational costs by lowering support ticket volume.
• Self-recovery is based on personal information in the form of security questions, which the employee can answer without intervention from the IT Help Desk. This feature must be enabled in the ePO console; in addition, the policy must define the number of attempts after which self-recovery is invalid and the number of questions to be answered (up to 10). Once the feature is enabled the employee is asked to set the answers after a successful authentication. When a passphrase is lost, the employee is prompted for the self-recovery answers and, if authenticated, is required to set a new passphrase.
• Administrator recovery is based on the exchange of challenge and response codes between the employee and an IT Help Desk technician. This feature must also be enabled in the McAfee ePO console. When a passphrase is lost, the employee is presented with a challenge code to be read to the support technician. The technician generates a response code using the McAfee ePO console. The employee types this response code into the McAfee Drive Encryption authentication window. As with self-recovery, once authenticated, the employee is required to set a new passphrase.

RELIABILITY

Unreliable encryption solutions can easily cause data loss. With our previous software-based encryption solution, due to problems with the encryption engine and the passphrase recovery process, about 50 employees per year lost all their data. In contrast, we now have more than 40,000 systems running McAfee Drive Encryption, and to date no data has been lost.
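The self-recovery policy described above has two knobs: how many questions must be answered (up to 10) and how many failed attempts invalidate self-recovery, after which only administrator recovery remains. The following added example models that policy in Python; it is illustrative code, not McAfee’s implementation, and the class and function names, the salted-hash storage of answers, the answer normalization and the policy values are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class SelfRecoveryPolicy:
    """Policy values the ePO policy must define (the defaults here are assumed)."""
    questions_required: int = 3    # number of questions to answer, 1..10
    max_failed_attempts: int = 3   # after this many failures self-recovery is invalid

    def __post_init__(self):
        if not 1 <= self.questions_required <= 10:
            raise ValueError("questions_required must be between 1 and 10")
        if self.max_failed_attempts < 1:
            raise ValueError("max_failed_attempts must be at least 1")


def _normalize(answer):
    # Tolerate case and spacing differences in a remembered answer, nothing else.
    return " ".join(answer.strip().lower().split())


def _digest(answer, salt):
    # Salted, iterated hash so the stored enrollment data does not reveal the answers.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 50_000)


@dataclass
class SelfRecoveryRecord:
    policy: SelfRecoveryPolicy
    salt: bytes
    digests: list                 # one digest per enrolled question, in question order
    failed_attempts: int = 0
    invalidated: bool = False


def enroll(policy, answers, salt=None):
    """Enrollment after a successful authentication: keep only salted hashes of the answers."""
    if len(answers) != policy.questions_required:
        raise ValueError(f"policy requires {policy.questions_required} answers")
    salt = salt or os.urandom(16)
    return SelfRecoveryRecord(policy, salt, [_digest(a, salt) for a in answers])


def attempt_recovery(record, answers):
    """Return 'set_new_passphrase', 'retry' or 'invalidated'.

    Every answer is checked (no early exit) with a constant-time comparison, so a
    wrong attempt does not reveal which question failed. A success resets the
    failure counter and requires the employee to set a new passphrase, as the
    paper describes; reaching the policy limit invalidates self-recovery.
    """
    if record.invalidated:
        return "invalidated"
    ok = len(answers) == len(record.digests)
    for given, stored in zip(answers, record.digests):
        ok &= hmac.compare_digest(_digest(given, record.salt), stored)
    if ok:
        record.failed_attempts = 0
        return "set_new_passphrase"
    record.failed_attempts += 1
    if record.failed_attempts >= record.policy.max_failed_attempts:
        record.invalidated = True   # only administrator recovery remains
        return "invalidated"
    return "retry"


if __name__ == "__main__":
    rec = enroll(SelfRecoveryPolicy(3, 2), ["Haifa", "Rex", "blue"])
    print(attempt_recovery(rec, ["haifa", "rex", "green"]))   # retry
    print(attempt_recovery(rec, ["HAIFA ", "Rex", "Blue"]))   # set_new_passphrase
```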


Deployment Method

We are using passive refresh to deploy McAfee Drive Encryption as our primary encryption solution. We could have created a utility or requested that employees bring their laptops to PC Service Centers for migration. Instead we chose to deploy the new encryption solution through our standard refresh cycle—updating the encryption solution along with the hardware. The decryption process drove this decision, because decryption can take several hours on systems that are not previously equipped with an SED. If an employee does not complete the migration process during work hours, the device could be left partially decrypted—with the data exposed—when the device is not at an Intel site or is left overnight. We wanted to avoid that possibility.

We expect the migration to McAfee Drive Encryption across Intel’s laptop fleet to be completed by mid-2014.

CONCLUSION

Intel IT is chartered to protect Intel’s corporate data and intellectual property—as well as employees’ personal information. We are also committed to increasing employee productivity and improving the user experience. We are deploying McAfee Drive Encryption to improve performance, compliance, manageability, and reliability compared with our previous software-based encryption solution. The combination of these improvements provides a better user experience and reduces the number of calls to the IT Help Desk.

Our long-term encryption roadmap calls for deployment of Opal-compliant drives, such as the Intel SSD Pro 1500 Series. These high-performance drives support hardware-based encryption. For now, our computing environment includes an installed base of laptops with Intel SSDs and non-Opal-compliant SEDs, which require software-based encryption. McAfee Drive Encryption can automatically and transparently detect whether a drive is Opal-compliant and apply software- or hardware-based encryption as appropriate. Over 40,000 systems are using McAfee Drive Encryption with the following benefits:
• No data loss to date.
• Easy integration with existing products and processes.
• A central management console (a “single pane of glass”) with detailed compliance reporting.
• Significantly faster resume from hibernation (with and without applications running) compared to our previous software-based encryption solution.
• Systems with McAfee Drive Encryption performed almost as fast as systems with no software-based encryption in tests of power-on and resume from hibernation with no applications running.

These results demonstrate that McAfee Drive Encryption is a high-performing, reliable encryption solution with the enterprise-level, integrated manageability, and compliance reporting capabilities that we require.

For more information on Intel IT best practices, visit www.intel.com/it.

For more information on McAfee Complete Data Protection - Advanced, visit www.mcafee.com/us/products/complete-data-protection-advanced.aspx.


ACRONYMS
AES	Advanced Encryption Standard
SED	self-encrypting drive

1 Software and workloads used in performance tests may have been optimized for performance only on Intel® microprocessors. Performance tests, such as SYSmark* and MobileMark*, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. Configurations: All tests were performed on laptops based on Intel® Core™ i5 processor M540 2.53 GHz (dual core) with 4.00 GB RAM, Intel® Solid-State Drive X25-M Series. Values represent the time from when the passphrase is provided to when the Alt+Ctrl+Del screen appears. Measurements were taken manually and were averaged over three samples. Common applications tested included email, spreadsheet, and web browser. All tests were performed by Intel IT. For more information go to www.intel.com/performance.
2 Security features enabled by Intel® Active Management Technology (Intel® AMT) require an enabled chipset, network hardware and software and a corporate network connection. Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. Setup requires configuration and may require scripting with the management console or further integration into existing security frameworks, and modifications or implementation of new business processes. For more information, visit www.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html.
3 Intel® vPro™ technology is sophisticated and requires setup and activation. Availability of features and results will depend upon the setup and configuration of your hardware, software, and IT environment. To learn more visit: www.intel.com/technology/vpro.
4 We will continue to use the self-encrypting drive passphrase-management application to support Intel® Solid-State Drive 320 Series and Intel® Solid-State Drive 520 Series as long as these drives are part of our computing environment. For more information about this solution, see the white paper “Managing Intel® Solid-State Drives Using Intel® vPro™ Technology.”
5 McAfee Drive Encryption was previously sold as a standalone product called McAfee Endpoint Encryption for PCs. This capability is no longer available as a standalone product.
6 Intel® Advanced Encryption Standard – New Instructions (AES-NI) requires a computer system with an AES-NI-enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® Core™ processors. For availability, consult your system manufacturer. For more information, visit software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni.
7 Ultrabook™ products are offered in multiple models. Some models may not be available in your market. Consult your Ultrabook device manufacturer. For more information and details, visit www.intel.com/ultrabook.
8 Non-Opal-compliant Intel® Solid-State Drive Pro 1500 Series is also available.
9 Performance varies slightly based on specific model. For more information, see www.intel.com/content/www/us/en/solid-state-drives/solid-state-drives-pro-1500-series.html.
10 The annualized failure rate (AFR) is based on a mean time between failures (MTBF) of 1.2 million hours.
11 See Endnote 1.
12 The use of McAfee Complete Data Protection* or McAfee Complete Data Protection – Advanced* suites does not automatically guarantee compliancy or certify compliancy. IT departments should enlist the services of third-party compliancy auditing services for this. For more information, see community.mcafee.com/community/business/data/epoenc/blog/2013/05/16/mcafee-endpoint-encryption-support-for-it-governance-risk-and-compliance.

Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system
hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering
purchasing. For more information on performance tests and on the performance of Intel products, reference www.intel.com/performance/resources/benchmark_limitations.htm or call (U.S.) 1-800-628-8686 or 1-916-356-3104.
THE INFORMATION PROVIDED IN THIS PAPER IS INTENDED TO BE GENERAL IN NATURE AND IS NOT SPECIFIC GUIDANCE. RECOMMENDATIONS (INCLUDING POTENTIAL COST SAVINGS) ARE BASED
UPON INTEL’S EXPERIENCE AND ARE ESTIMATES ONLY. INTEL DOES NOT GUARANTEE OR WARRANT OTHERS WILL OBTAIN SIMILAR RESULTS.
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR
OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF
SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO
SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY,
OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
Intel, the Intel logo, Intel Core, Intel vPro, and Ultrabook are trademarks of Intel Corporation in the U.S. and other countries.
*Other names and brands may be claimed as the property of others.
Copyright © 2013 Intel Corporation. All rights reserved. Printed in USA Please Recycle 1113/ERAI/KC/PDF 328929-001US
