Brought to you by AMD
Until recently, the way a business set up to defend itself from cyberattacks was very similar to how castles erected fortifications in ancient times.
A moat around the structure would make it harder for invaders to gain direct access to their target, rather like how a firewall works to keep out cyber intruders.
Today, we know perimeter defences are not enough. Cyber attackers employ Trojans today in the form of well designed malware that make the defenders inadvertently let in the intruders themselves.
That’s not to mention the idea that many people don’t keep inside the relatively safe confines of the “castle”, or in this case, an office that is well protected from the outside.
The pandemic has made working remotely a norm rather than exception. Today’s devices, including laptops that employees use, are no longer sitting behind office firewalls but connected at home via private Wi-Fi networks and broadband Internet links.
This means enterprises need to find a way to better secure their endpoint devices, as part of a holistic defence against new threats.
One increasingly important part of the strategy is the hardware used in these office-issued laptops. The first step to a modern defensive posture is getting these devices tightened up.
The right setup helps to reduce exposure to attacks, can reduce downtime, may require fewer patches, and can help to improve the total cost of ownership.
This is where AMD Ryzen™ PRO 5000 Series Mobile Processors and AMD PRO Security come in. Laptops equipped with them bring multi-layered protection, enabling users to be productive while protected from evolving cyber threats.
On an AMD Ryzen™ PRO 5000 Series Mobile Processor, there are actually five layers of security that are tightly integrated to help protect the data your laptop accesses:
1. AMD Secure Processor
A piece of dedicated hardware in each system-on-a-chip (SoC), AMD Secure Processor (ASP) helps anchor a hardware root of trust on which other layers of security rest.
Through this, a laptop will boot up securely and establish an isolated Trusted Execution Environment where software can be run on a secure platform.
The ASP is isolated from other parts of the SoC because the host SoC cannot access its memory. ASP also incorporates several important components, including a Cryptogenic Co-processor (CCP), which extends more protection to PC users.
The CCP is a crypto block that provides cryptographic functionality for key generation and key management. Since cryptographic operations are implemented in hardware, they are faster for time-sensitive operations.
2. AMD Platform Secure Boot
The AMD Platform Secure Boot also provides a hardware root of trust to authenticate the initial firmware, including BIOS during bootup.
When a PC is fired up, the ASP boot ROM code is executed, authenticating other firmware components before the operating system is started.
This helps in platform integrity by warding off malicious firmware that may trick a PC into booting up with malicious code and opening it up to further attacks later on.
3. AMD Memory Guard
Protecting system memory is just as important as low-level firmware as seen in the previous two layers of security. Here, AMD Memory Guard offers full memory encryption that helps protect sensitive data, even when a physical attack is mounted.
With this, DRAM contents are encrypted with a random key, which helps provide protection against physical cold boot, DRAM interface snooping, and similar types of attacks.
Even someone physically extracting a memory module (on systems using NVDIMM) will find it hard to extract its contents because of the encryption engine in the on-die memory controller.
Each controller includes a high-performance Advanced Encryption Standard (AES) engine that encrypts data when it is written to DRAM and decrypts it when read. This prevents data to be stolen when it is in-memory.
4. AMD Shadow Stack
Next up in the protection layers is AMD Shadow Stack, which is a robust tool against sophisticated and increasingly popular Return-on-Programming (ROP) attacks that try to gain control of a system by exploiting weaknesses in the legitimate code.
In such an attack, a hacker would modify what is known as a routine return address, which programs use to complete an action or job, to again access to a system.
AMD Ryzen™ PRO 5000 series mobile processors help mitigate ROP attacks by providing software access to special registers in the CPU where a copy of the return address can be stored and checked against.
Since this is stored on hardware, it is difficult for malicious code to tamper with, thus reducing the risk of an ROP attack.
Microsoft Hardware Enforced Stack Protection is also supported on AMD Ryzen™ PRO 5000 series mobile processors using AMD Shadow Stack.
5. Microsoft Secured-Core PC
Just as important to the multi-layered defence is Microsoft Secured-Core PC, which helps protect your device from firmware vulnerabilities, shields the operating system from attacks, and can prevent unauthorised access to devices and data through advanced access controls and authentication systems.
AMD has various platforms that enable Secured-Core PC on a PC. They include AMD-V with GMET, a set of hardware extensions that enable virtualisation on AMD platforms.
Guest Mode Execute Trap (GMET) is a silicon performance acceleration feature which enables the hypervisor to efficiently handle code integrity checks and help protect against malware.
While there is no failsafe answer to increasingly complex cybersecurity challenges, today’s businesses at least have more advanced tools to ready themselves and reduce the uncertainty of a digital future.
The starting point for many has to be the most basic of devices – laptops and PCs – that are in use every day to log in to corporate servers and handle sensitive data.
At the root of these devices is a processor that should not just be powerful enough to crunch spreadsheets and presentations faster but also provide the foundation of trust from which a successful cybersecurity strategy can be built.
Find out more about AMD Secure Pro features in AMD Ryzen™ PRO 5000 Series Mobile Processors that can be a core part of your organisation’s cybersecurity strategy here.