Sep 27 2016

Reliability, Security and Efficiency at Their Best: the FUJITSU Desktop ESPRIMO Family (Part 2 of 3)


As a Fujitsu Channel Partner, one of the most frequently asked questions you'll hear from your customers is, "Why should I buy desktop computers from Fujitsu?" This article gives an overview of the most relevant arguments that speak for our ESPRIMO product family. In a nutshell, it's the combination of reliability, flexibility/configurability, security, and energy efficiency that puts them ahead of the competition. Part 2 of our three-part series centers on security aspects.

FUJITSU ESPRIMO Desktops address users' security concerns on multiple levels. Among the most important and powerful features in this context are secure authentication and disk sanitization, which enable users to prevent unauthorized access to confidential data as well as to completely eliminate all traces of information before a device is reused or retired. The relevant security mechanisms are PalmSecure™, Workplace Protect/Workplace Manager and EraseDisk.

First introduced in 2004, PalmSecure™ represents Fujitsu's concept of a powerful biometric authentication solution that yields better results than fingerprint and iris scans while being more convenient to use and practically immune to forgery. PalmSecure™ uses near-infrared light to scan the individual vein pattern in the palm of a person's hand; the 'scan result' may then be saved as a template and stored on the system or, alternatively, on a SmartCard to support multi-factor authentication. Key benefits of the technology are that it's not only more secure than conventional authentication methods such as face, fingerprint or voice recognition, but also more comfortable to use:

  • More secure – because palm vein patterns provide a truly unique identifier that remains the same throughout a person's lifetime – no two people, not even twins, have identical patterns, and they even differ between one and the same person's left and right hand. Moreover, the patterns exist inside the body (as opposed to on its surface, like fingerprints) and will only show up if there's blood flowing through the veins – so the identifier is practically impossible to forge and the recognition process is protected against manipulation. As a result, the technology's 'false positive' rate (the false acceptance rate, i.e. the chance that it will accept an unauthorized person) is around 0.00008%. This makes palm vein recognition the most effective form of authentication available today.
  • More comfortable and user-friendly – because a person's palms are rarely covered, which means that authentication can be performed in a fast and contactless manner that is more hygienic, less invasive, and less likely to produce errors than, say, a smeared fingerprint scanner. Moreover, it can be carried out transparently during the Windows logon procedure, which saves valuable time. Finally, even the enrollment process is comfortable: all a user has to do is place her or his hands over the vein sensor and follow the on-screen instructions, and a usable template will be created in seconds.

A model implementation can be found in the FUJITSU Desktop ESPRIMO Q956 (pictured below) with integrated palm vein sensor, the world's first mini PC featuring PalmSecure™ technology. For more information, please see Choose people over passwords, our microsite dedicated to explaining the advantages of biometrics.


Fig. 1: FUJITSU Desktop ESPRIMO Q956 with integrated palm vein scanner and SmartCard reader

Workplace Protect and Workplace Manager
In the context of device security, Workplace Protect helps users protect their 'personal' Windows working environments, whereas Workplace Manager allows administrators to centrally manage the security settings of several hundred clients. Developed exclusively by Fujitsu, they complement the set of security functions provided with modern PC operating systems, especially Windows 10.

The key objective of Workplace Protect is to block unauthorized users from Windows devices and thus prevent misuse of confidential data. To achieve this, Workplace Protect supports a variety of authentication procedures, including the use of palm vein recognition (see above), fingerprints, SmartCards, RFID cards, and face recognition. System administrators and/or tech-savvy users are free to pick the technology and mechanisms that are most suitable for their industry and environment(s) and manage these and other security settings via an intuitive GUI.

Workplace Protect optionally features Pre-boot Authentication (PBA), a mechanism that confirms a user's identity and specific access rights before any OS logon routine runs, effectively adding another protection layer either between the BIOS and OS level or directly at BIOS level. Other key features include the ability to store login details (e.g. for web pages) in so-called Password Safes, i.e. encrypted files on the hard disk protected with biometrics, SmartCards or passwords, and to keep classified information in special virtual drives called Encrypted Containers; both mechanisms use the AES algorithm with a key length of 256 bits. All of these mechanisms, and various others, can be adjusted and managed locally via an easy-to-use GUI.

While Workplace Protect provides best-in-class security mechanisms that go beyond what the competition has to offer, it's also true that even the most intuitive GUI will not always prevent setup errors, and that even the fittest sneaker admin will soon get tired of running around offices and adjusting security settings on a plethora of client devices. That's why we developed Workplace Manager as a companion piece of software that provides IT departments with an intelligent remote administration solution. Workplace Manager enables administrators to centrally control the settings on all devices within Windows domains that range from 50 up to 1,500 users. Probably most important among its comprehensive automation options and functions is the ability to import device and user IDs from Active Directory to store relevant settings in a Microsoft SQL database, thus enabling smooth and fast implementation of company-wide or site-specific security policies. In other words, IT departments get to decide which authentication methods (including for PBA) are allowed – and may even centrally deploy passwords should they wish to stick with conventional authentication procedures.

As noted above, EraseDisk is a function that permits the complete and 'residue-free' cleanup of a PC's hard disk drive. As a long-standing key component of the FUJITSU ESPRIMO firmware, it serves to extend information protection beyond the day a device reaches its end of life, i.e. the point where the parts are disassembled and then repurposed or physically destroyed. The sanitization process itself is often regarded as overly complicated and costly, which explains why many companies feel tempted to skip it even if they generally favor elaborate security policies. The problem with this approach is that it has often led to severe data leakage and financial losses in the past: reports about security incidents that only occurred because attackers had found login credentials such as passwords or PINs on insufficiently cleaned HDDs are legion. EraseDisk, for its part, was designed to make the process easy as pie: before they return their device, users simply ask their administrators to enter the BIOS setup of the device and choose one of four overwrite mechanisms that irretrievably eradicate sensitive data. The number of overwrite cycles varies between one and 35 and may be chosen in accordance with general IT standards or individual company policies (however, one cycle will only suffice if a drive doesn't contain user data and/or other personal/confidential information). For technical reasons, it's not possible to apply the same methods if a device is equipped with SSDs; here, users or sysadmins have to resort to the integrated ATA commands "Secure Erase" or "Enhanced Secure Erase," which build on sanitization mechanisms included in the SSD firmware and will lead to identical results.
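The paragraph above describes two outcomes an administrator has to trust: a multi-pass overwrite on an HDD, or a firmware-level Secure Erase on an SSD. What a practitioner wants in either case is a way to confirm, on a device (or a forensic image of it) before it leaves the building, that nothing readable survived. The following Python script is an added example and is not Fujitsu's EraseDisk or firmware code: it simulates a simplified multi-pass overwrite on a file-backed image (pass patterns 0x00, 0xFF, then random are an assumption) and then scans the image with one acceptance rule that covers both erasure styles, since after an overwrite or a block erase every block reads as a constant fill, and after a random pass or a self-encrypting drive's key change every block reads as high-entropy noise. The block size, entropy threshold, marker string and demo contents are all constructed for this demonstration.

```python
# Added example, not part of the original article and not Fujitsu's EraseDisk
# or Workplace Protect code. Simulates a multi-pass overwrite of a file-backed
# disk image and verifies afterwards that no trace of the original data remains.
# Pass patterns, block size, entropy threshold and demo data are assumptions.
import math
import os
import tempfile
from collections import Counter

BLOCK = 4096          # analysis granularity in bytes (assumption)
ENTROPY_LIMIT = 7.0   # bits/byte; random data over 4 KiB measures ~7.9 (assumption)


def overwrite_image(path, passes=3, chunk=1 << 16):
    """Overwrite every byte of the image at `path` `passes` times.

    Pass 1 writes 0x00, pass 2 writes 0xFF, every further pass writes random
    bytes. This is a simplified stand-in for the overwrite schemes the article
    mentions; the real firmware patterns are not reproduced here.
    """
    size = os.path.getsize(path)
    fixed = [b"\x00", b"\xff"]
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            left = size
            while left > 0:
                n = min(chunk, left)
                f.write(fixed[p] * n if p < len(fixed) else os.urandom(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # make sure each pass really reaches the medium
    return passes


def shannon_entropy(data):
    """Empirical entropy of `data` in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def verify_sanitized(path, markers=()):
    """Scan an image after erasure and report whether it can be trusted.

    A block is acceptable if it is filled with a single byte value (fixed
    overwrite pattern or block-erased flash) or looks random (random pass, or
    a self-encrypting drive after a key change). Structured data in any block,
    or any surviving marker string, means the wipe must not be trusted.
    """
    with open(path, "rb") as f:
        image = f.read()
    markers_found = sum(image.count(m) for m in markers)
    blocks = suspect_blocks = 0
    for off in range(0, len(image), BLOCK):
        blk = image[off:off + BLOCK]
        blocks += 1
        if len(set(blk)) == 1:
            continue          # constant fill: acceptable
        if len(blk) < 1024:
            continue          # tail too short for a reliable entropy estimate
        if shannon_entropy(blk) < ENTROPY_LIMIT:
            suspect_blocks += 1  # structured (non-random) content still present
    return {
        "blocks": blocks,
        "markers_found": markers_found,
        "suspect_blocks": suspect_blocks,
        "clean": markers_found == 0 and suspect_blocks == 0,
    }


def build_demo_image(path, record=b"CONSTRUCTED-SECRET-RECORD "):
    """Write a constructed 'used disk': repeated text records plus empty space."""
    with open(path, "wb") as f:
        f.write((record * 40 + b"\x00" * 100) * 64)
    return os.path.getsize(path)


def run_demo(path=None):
    """Build, wipe and verify a demo image; returns the (before, after) reports."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "disk.img")
    markers = [b"CONSTRUCTED-SECRET-RECORD"]
    build_demo_image(path)
    before = verify_sanitized(path, markers=markers)
    overwrite_image(path, passes=3)
    after = verify_sanitized(path, markers=markers)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before wipe:", before)
    print("after wipe: ", after)
```

Running the script reports the untouched image as not clean (every block is low-entropy text and the marker is found thousands of times) and the overwritten image as clean. On a real device the same `verify_sanitized` logic would be pointed at the block device or a captured image; reading every block is what makes the check meaningful, because sampling a few sectors can miss a partially failed pass. The "constant or random" rule is deliberately the only acceptance criterion: a verifier cannot tell a zero-filled HDD sector from a block-erased flash page, nor a random overwrite pass from a crypto-erased SSD, and it does not need to.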

With this comprehensive set of security mechanisms, FUJITSU ESPRIMO Desktops are shielded against the vast majority of security violations and hacker attacks – and thus ideally suited for companies and professionals that deal with sensitive information on a regular basis.

Bernd Germandi


About the Author:

Bernd Germandi

Senior Product Marketing Manager, Fujitsu

