Lenovo ThinkShield: a powerful suite of options and services to safeguard corporate PC security

Security has always been a top priority for Lenovo. Over many years of work in the desktop and laptop markets, we have implemented many different options and services to protect these PCs. We are also the only ones on the market who have been able to build protection into production processes and the equipment supply chain. Today we would like to talk specifically about security and tell you in detail about our new Lenovo ThinkShield brand, which is fully focused on this area. As of recently, it brings together all of the company's developments in protecting computers and the data stored on them.



Why did we decide to dive into all this as thoroughly as possible? Because as technology develops, the number of threats only increases. According to Gemalto, the research company that publishes the Breach Level Index (https://breachlevelindex.com/), 2.6 billion accounts were stolen in 2017, and phishing schemes succeeded in 75% of the thousands of companies studied. More than a quarter of all data security breaches were related to stolen or insecure passwords, while it turned out that less than 10% of people are able to distinguish a regular electronic message from a potential threat. Meanwhile, 87% of senior managers admitted to an accidental data leak. Globally, security breaches cost companies $3.62 million on average. And specialists spend about 23 days a year eliminating the consequences of ransomware attacks.



Russia fits perfectly into these gloomy global trends. In 2018, the average damage from a cyber attack amounted to 130 million rubles, and the total number of attacks increased by 80%. More than 800 million of them were carried out over the year!



Against this background, we, as one of the leading PC manufacturers in the world, have a very important and difficult task: to create products that help users and companies solve most of these security problems. That is how ThinkShield came about: an extensive package of options and services that secures all components and protects the production and supply chain of ThinkPad, ThinkCentre and ThinkStation laptops and desktops. Its components protect the data of the company using the computer, and of its customers, from the development and production of the device through the entire subsequent cycle of its use, and they cover all possible aspects of security.



We took the basis for the name of this security-focused brand from our corporate product line, Think, and added the word "Shield", symbolizing comprehensive protection against modern cyber threats. The brand was first introduced in the fall of 2018, but before that a team of more than 70 specialists spent several years developing the range of services and systematizing them.



The ThinkShield complex, as the name suggests, is used only on the Think- line of computers, and this is a very important point. In the vast majority of cases, the buyers of this equipment are companies, both huge international ones and medium-sized ones. Their main requirement is that the devices work without failures 24/7 for 3-5 years. That is at the level of the product itself and its hardware. As for security, the key need for our customers is protection at the physical level (for example, MIL-STD certification), at the software level, at the level of the component supply system, and during equipment repair.



Why, with such requirements, is it worth paying attention to Lenovo and the components of the ThinkShield complex? It's simple, and for the answer we turn again to statistics. According to the National Vulnerability Database, in 2018 the fewest vulnerabilities among all the world's leading PC manufacturers were found on Lenovo devices. NVD also gives an average rating of the level of protection on a ten-point scale: here we are in second place, only 0.4 points behind the company that took first place in this parameter.





Fun fact: the original idea was to give ThinkShield a completely different name, the abbreviation DIOD. This stands for Data, Identity, Online, Device. After internal discussions, this option was abandoned as overly technical. The abbreviation did, however, form the basis for organizing all components of ThinkShield into four different directions. In Russian, these are rendered as "Data", "Passwords", "Networks" and "Device". Below we will briefly go through each of them.

Device



This part of Lenovo ThinkShield brings together the developments related to most of the physical aspects of device protection. For example, the ThinkShutter cover, which lets you open and close the webcam with one motion of your hand. Plus, an integrated ePrivacy filter and intelligent USB port protection mechanisms. Of course, this also includes the reliability of the Think- series devices themselves, many of which are MIL-STD certified. We are talking about protection against shock, falls, electrical discharges, dust, high humidity, low and high temperatures, spilled liquids and so on. And this is only the tip of the iceberg; below is an incomplete list of the most interesting options available for installation on ordered products:





Passwords



ThinkShield provides multi-factor authentication capability, and many of its methods are based on Intel Authenticate technology. This includes Intel AMT Location technology, secure contactless authentication via Bluetooth, secure fingerprint authentication, face recognition, and a secure PIN.



In addition, Lenovo was the first company in the industry to integrate FIDO-certified authentication tools directly into a Windows PC. The FIDO system verifies the user's identity on sites such as PayPal, Google and Dropbox, using fingerprint reader technology as a second authentication factor. This is a very safe and private way for employees to sign in to corporate networks and other resources on the Internet. And this, by the way, is a completely free feature for all Think- series computers.



Data



Increasingly, attackers target companies' supply chains and introduce vulnerabilities at the production stage, so customers of corporate products have every reason to worry about this. Our task is to dispel such doubts, and here is what we do about it. First of all, we have our own trusted supplier program. We very tightly control all manufacturers of intelligent components for future laptops and desktops. To obtain the status of a trusted supplier, a manufacturer has to fulfill a number of very serious requirements and then regularly undergo inspections conducted by Lenovo specialists. In general, all work with suppliers is organized so that every process is as transparent to us as possible. If a potential danger suddenly arises, we will see and neutralize it before it can harm anyone.



In terms of supply chain transparency, we work especially closely with Intel: it has its own Transparent Supply Chain standard, which we strictly observe in full. Thanks to this, any user or customer can verify the authenticity of their PC with an Intel Core processor supporting vPro technology directly on the Intel website. This check shows which components were installed in the PC at the factory and which are inside the computer right now.



Of course, the technologies implemented within Lenovo ThinkShield protect data during operation, during maintenance, and even after the end of the device's life. The simplest example of the first is the fingerprint scanner built into many Think devices. It implements Synaptics Match-on-Chip technology, thanks to which the authentication process never leaves the scanner itself and its internal electronics: it is simply not available to the operating system. As a result, credentials and identity data are very reliably protected from potential attacks.



The USB ports on Think- series computers can be configured at the BIOS level to respond only to keyboards and input devices. Thanks to this intelligent protection of interfaces, your company's IT specialists can block data from being copied to unprotected devices. Plus, we have not forgotten about the option of installing smart card readers in computers, which provide an additional level of security in offices where personal badges are used for authentication.



Another interesting story is the ThinkPad Privacy Guard built-in screen filter. Using the camera, the computer detects other people looking at the screen from behind the user. It not only notifies the user about this, but also makes it possible to limit the viewing angle of the display so that outsiders cannot comfortably look where they should not.



As for data protection during maintenance and at the time of disposal of the device, here we also have two special options. When a corporate PC needs to go to Lenovo's official service for repair, you can use the Keep Your Drive option: the drive with important data remains inside your company and the computer goes to the service without a disk, which becomes a problem for our repair specialists, not for the customer. Once the computer is back with your IT department, you just need to put the drive back in. And before a device whose life cycle has come to an end is sent for recycling, we always destroy the data on all of its drives.



Networks



In the era of ubiquitous Wi-Fi, one should not forget that connecting to many such networks is a huge risk. The Lenovo Wi-Fi Security feature detects potential threats before a connection is made and notifies the user about them. We have included this essential feature in the basic set of integrated security tools for all Think- series PCs.



We also have Lenovo Endpoint Management, an endpoint management system built on MobileIron technology. This is a simple and fairly reliable way to protect a large number of different devices by combining cloud security and the security of the devices themselves in a single ecosystem. Everyone wins: companies exchange data securely, and users work without problems wherever and whenever is convenient. Endpoint Management maintains the confidentiality of personal data by creating a zone of trust around Lenovo clouds and devices, and it enables bring-your-own-device (BYOD) programs because IT professionals can delete business data while leaving personal information untouched.



A few words about something exclusive to Lenovo ThinkShield: a special virtual room called the BIOS Reading Room. By entering it, any customer can see the BIOS source code and make sure that there are no backdoors in their computer. We have intentionally put ourselves in a position where we have no way to bypass the administrative password in the BIOS, while other vendors still leave this possibility. In our opinion, convenience in some situations does not compensate for the danger of a significant compromise of user data.



If you try to count all the services and options implemented within Lenovo ThinkShield, you will definitely run out of fingers: at the moment there are more than 70 of them. It is simply impossible to describe everything in detail in a single article. The essence does not change, however: we make every effort to ensure that our PCs are the most secure on the market. By the way, 20 of these more than 70 options and services are included in the Think- product line by default. Security can be enhanced both at the ordering stage in the configurator and, in some cases, after the equipment has been purchased.



Of course, we do not plan to stop there. Existing services and options will be improved, and the ThinkShield package will expand further. Right now, our developers are creating the Buffer Zone, a special environment for safe work in dangerous environments: from such a sandbox, external threats cannot penetrate the computer. The ThinkPad Privacy Guard technology is also under constant development, and in the medium term, users will benefit from services such as WinMagic, Intel Remote Secure Erase, Lenovo Asset Recovery Service, and Lenovo IMAC.



Separately, here is a list of the components of the Lenovo ThinkShield complex that are available to customers of our products even in the most basic configurations. We tried to make it as extensive as possible.



Basic Lenovo ThinkShield


• Disk Wipe Tools

• Trusted Service

• BitLocker

• Self-Encrypted Drives

• Smart USB Protection

• HDD Password

• FIDO

• GEO-fencing security

• Match on chip fingerprint

• Glance Presence & Gaze Detection

• Windows Hello

• Intel Online Connect

• Lenovo Wi-Fi Security

• Intel Software Guard Extensions

• Intel Authenticate Multifactor

• Trusted Supplier Program

• PSIRT & FIRST

• Packaging Security

• Spare Parts Handling

• Secure patch / update of drivers / firmware

• No backdoor Supervisor Password / NIST Compliant BIOS

• LVFS and Windows Update Firmware Updates

• BIOS Asset Information Area

• One switch Device Guard

• HVCI Compliant Drivers

• Intel Boot Guard

• ThinkShutter

• TPM 1.2 / 2.0



So a focus on security will continue to be Lenovo's key priority in the future. At the same time, our goal is not only to offer the most comprehensive range of protection against threats, but also to ensure that each of its components is as comfortable and convenient as possible. So we welcome your opinions in the comments and private messages.



If you have questions about ThinkShield, feel free to ask them too, including, by the way, at the stage of ordering devices: our sales representatives will discuss everything in detail as it applies to the particular equipment you have chosen. Thanks for your attention!


