The Challenges of Hybridization in the Modern Workplace: Perspectives and Strategies
The Emergence of Hybridization Hybridization of IT infrastructures is a major challenge for businesses, whether they are small or large....
In the early days of 2022, HP quietly launched the Cloud version of HP Sure Admin, rebranding it as HP Connect. This solution allows you to implement Multi-Factor Authentication (MFA) for accessing the BIOS (Basic Input Output System) on your machines.
Security in the field of information systems has been a major issue for several decades. The goal is to protect company data from malicious individuals. Today, all IT stakeholders are well aware that the most significant risk comes from the user. That’s why organizations in the sector encourage companies to involve their employees in the information security process.
Every day, new vulnerabilities are discovered, and IT teams must regularly deploy updates to address them promptly. The workstation remains the primary front that engineers must defend on a daily basis. However, there are certain vulnerabilities, especially in laptops, where we remain powerless.
One such vulnerability is securing the BIOS. This can be very problematic for a company when a workstation is lost or stolen. In 2022, all companies must have solutions in place to secure their workstations.
At Synapsys, the implementation and maintenance of these tools are fully mastered by our Modern Workplace experts. These are also the points on which we train our junior consultants within the Modern Workplace Squad. The presence of such solutions is essential to ensure the security of your IT infrastructure with confidence.
Today, when a workstation goes missing, we can remotely erase the contents of the disk if the machine has a network connection. However, if the machine remains offline, it remains usable for the individual who has obtained it, and the potentially exploitable data is still accessible.
One might argue that the loss of a workstation is not a significant damage for a large company. However, the disappearance of a machine leads to the following situations:
Cumulatively, these actions result in a significant amount of working time. It is important to note that each of these actions is repeated with each new reported case. Hours of work that could have been dedicated to ensuring the smooth operation or advancement of one or more projects.
The data on the machine is supposed to be secure. The only way to deter these acts would be to emulate Apple, i.e., make the device unusable for anyone except the owner. The operating system does not allow implementing such a level of security. We need to go down to the firmware layer to meet this need, commonly referred to as the BIOS. There is only one option: secure access to the BIOS.
In 2022, all enterprise workstations should, at a minimum, have:
This is the bare minimum. Unfortunately, the BIOS password is the same for an entire batch of machines or even an entire fleet. Therefore, if the password leaks once, this security becomes non-existent.
The three main manufacturers (Lenovo, DELL, & HP) offer solutions to change this password remotely. However, the final problem remains the same; access is only temporarily secured.
Here is a non-exhaustive list of attacks that can be used by a hacker with physical access to your machine, even if you have fully secured your OS:
It’s crucial to understand that once access to your BIOS has been compromised, there is no turning back. No matter how hard you try to reinstall your machine’s OS, update and reset your BIOS, the hacker’s access to your machine will persist. Your only recourse is to contact the manufacturer or flash the BIOS yourself, which will void the warranty.
The second point to note is that this type of attack is undetectable by the user, and no antivirus solution can detect and stop such an attack before the damage is done.
Voici ce que HP propose depuis déjà 3 ans :
A QR code? Enter a code? Yes, indeed! It’s a double-factor authentication.
MFA on the BIOS, one had to think about it, and HP offers it with HP Sure Admin, available on all enterprise laptops released since 2018. This solution is relatively unknown to the public.
HP Sure Admin provides modern security for configuring and managing the BIOS of your PCs. Modern because administrators will be able to manage BIOS settings remotely without physical intervention.
This solution replaces the traditional password-based access with the use of certificates. HP Sure Admin is a feature that owners of recent HP machines can install and customize.
In practice, you need to provision the public key of 2 different certificates on the SPM (Secure Platform Module) chip of your machine. The 2 private keys of your certificates must remain in your virtual safe and should never be transmitted under any circumstances. Without these 2 private keys, the hacker will be unable to access and modify your BIOS.
Definitions :
EK : Endorsement Key SK : Signing Key
LAK : Local Access Key EBAM : Enhanced BIOS Authentication Mode
Two Operating Methods Considered:
1. Standalone Mode:
2. Recommended Mode for Real Security in a Production Environment:
Implementation Challenges and Expertise Needed:
Fortunately, support from the Synapsys Cloud Squad helped address these challenges. Once HP Sure Admin is deployed on your fleet, you can manage BIOS settings for your machines through the SCCM console using the HP MIK add-on.
Limitations of this Management Approach:
In January 2022, HP released HP Connect, a SaaS service enabling the use of HP Sure Admin and other security-related features via Microsoft Intune. HP recognized the trend of companies transitioning from on-premises to the cloud. If you’re curious about what Intune is and what it allows, I recommend reading this article by Tom Machado, which explains it well. Here’s what the dashboard looks like on admin.hp.com.
HP Connect for Microsoft Endpoint Manager provides access to the following features:
BIOS Update:
BIOS Configurations:
BIOS Authentication Method:
Prerequisites for HP Connect:
How HP Connect Works: Simply accept the permission request from the HP MEM Connector App when creating your Azure and Intune tenant.
Then, you will have access to the HP Connect Dashboard through which you can:
What are the other security solutions that can be managed via HP Connect in the future?
Conclusion:
HP has revolutionized the field of workstation security with HP Sure Admin. Today, thanks to the combination of HP Connect and HP Sure Admin, if you have a fleet of HP laptops, you will be able to fully secure their access to the BIOS.
If you are interested in implementing HP Connect and HP Sure Admin, feel free to contact Synapsys. The implementation of HP Connect may be eligible for the FastTrack program. To learn more about the FastTrack program, you can also check out Laurent Bigayon’s article, our Modern Workplace Technical Leader.
Links to HP documentation:
Articles Similaires
The Emergence of Hybridization Hybridization of IT infrastructures is a major challenge for businesses, whether they are small or large....
The definition of roles and scopes in IT tools is a central issue in a modern workplace project. Due to...
Personal devices in the workplace are common, with many employees, both internal and external, preferring to use their own devices...