Rising global security threats shine light on shortcomings of proprietary software-based security
The headlines paint an increasingly bleak picture for the security industry. By Brian Berger
Rarely does a week go by without another global entity notifying its customers that its records have been compromised because of a lost or stolen laptop. Or consider the conundrum of the scores of enterprises that rely on RSA Security’s SecurID two-factor authentication tokens, who now must re-evaluate their authentication protocols in light of last month’s breach. The list of incidents is seemingly endless, from the hack of the U.S.’ NASDAQ stock trading computers, to the theft of customer data from BP and the recent compromise of the U.K. government’s email.
The unfortunate reality is the global IT security landscape has not improved. The threats are more pervasive than ever before, yet the stakes have never been higher. Today’s IT security manager is forced into full reactive mode, scrambling to counter each new threat, as they contend with protecting endpoints and data that’s moved far beyond the physical walls of the company. Protecting home and mobile workers, defending web applications, performing SaaS deployment and securing the nebulous Cloud are the new realities—all in the face of ever-shrinking corporate budgets.
Built-in Security for 500 Million Endpoints
As we explore these new security challenges, the answer to many of them may be close at hand. The infrastructure exists today that can significantly reduce the risk profile for most organizations and, in fact, has proven highly successful for those adventurous early adopters who recognized that these and other security issues could be mitigated if users simply activated the existing security available in their systems. The industry has long understood the faults of software-based security defenses, and through collaboration by over 100 industry leaders in the Trusted Computing Group, a basically free security feature has now been built into more than 500 million desktop and portable computers. So if organizations around the world possess stronger, hardware-based security within their PCs and computing devices, why have only a small fraction of the users activated the embedded security, per a study by Aberdeen Research?
Most people are not even aware of the security technology that’s been built right into their computers. That's great if the technology is enabled at the time of purchase, as good security should protect without impacting end users. But in this case we’re speaking of an opt-in tool, the Trusted Platform Module. The term Trusted Platform Module (TPM) is not well-known to many IT professionals. Defined simply, it is a security chip attached to a computer’s motherboard, thereby integrating security functionality directly into the device’s hardware. Essentially, the TPM provides a hardware-based root of trust that enables improved computer and network security compared to software-only approaches that can be defeated by the same software they are attempting to detect and block.
Because the TPM chip is physically part of the device, it is uniquely suited for creating and verifying strong device identities and ensuring only authorized access to networks. Indeed, the business case for TPM is fundamentally the same case for strong, fully automated and transparent authentication of both devices and users on the enterprise network. While it can be difficult to establish trust with people, you can easily establish a trusted relationship with a TPM-equipped machine and protect systems and networks. For consumers and enterprises that have PCs, servers and other products with a TPM, the TPM just needs to be turned on.
While not as easy as simply flipping a switch, for corporations with an IT organization turning on the TPM is a trivial technical challenge that only takes four easy steps. Several companies offer tools to make the widespread implementation of the TPM in an organization even easier.
With an activated TPM, users can easily gain significantly more secure password management capability to avoid unauthorized access to computers and networks. Just imagine the security benefit you’ll gain from the most basic use of TPM… how would your organization’s security landscape change if ONLY your known, corporate PCs were EVER allowed onto your corporate network? The TPM provides machine-level authentication that effectively eliminates the possibility of a remote hacker accessing your network, as they’d have to steal an employee’s machine (undetected) and then compromise that individual’s passwords and client security measures.
The Trusted Platform Module is not a bleeding-edge technology. In reality, they’re probably already present in 90% or more of an enterprise’s total PC population, and you may already be using it for basic functionality like secure storage of encryption keys or passwords. Leading vendors, such as Dell, Lenovo and HP, have been including TPMs as a standard component on all their business-class notebook and desktop computer lines for many years. And TPM-equipped laptops now comprise the vast majority of units in use.
Activating the TPM provides a hardware security foundation that opens the door to a wide range of more advanced deployments. It paves the way to health checks for every PC requesting access to your network, through the TCG's Trusted Network Connect standard. A recent extension of that standard even provides secure social networking for machines through an interface to a Metadata Access Protocol (IF-MAP) server. And the Trusted Multi-Tenant Infrastructure Work Group is working on an open-standards framework for cloud computing security, while some of the TPM's capabilities can already be used for cloud security.
In addition, self-encrypting drives (SEDs) have been introduced based on the TCG's Trusted Storage standard that takes advantage of the TPM. Moving encryption to hardware with SEDs not only strengthens security, but it reduces the impact upon users (whose processing power is no longer slowed by encryption) and it simplifies the job for IT security management, who no longer have to re-encrypt PCs every time they re-image a machine, or upgrade software that otherwise impacts software-only encryption.
Who’s Turning on the TPM?
As with any industry standard, the real benefits can only be understood through real-world use. With such widespread market saturation of the TPM, the big question remains, “Who has turned the TPM on, and what can we learn from them?” Major corporations and government organizations have led the early adoption of Trusted Computing technologies, taking advantage of improved TPM-based security for organization-wide implementation, and Self-Encrypting Drives for data protection.
• Since July 2007, the U.S. Department of Defense has explicitly required a TPM in all its new computers, and the U.S. National Security Agency has dedicated an entire Trusted Computing Division to drive research, hold conferences, and educate the commercial sector on the benefits of Trusted Computing adoption.
• The United Kingdom's Communications-Electronics Security Group (CESG)—the Government's National Technical Authority for Information Assurance (IA)—has determined that the TPM can be used to protect security-critical data at Business Impact Level 3 for restricted classified data.
• Companies that have acknowledged the TPM's value and are pioneering the implementation of TPM-based security include PricewaterhouseCoopers (PwC). PwC's next-generation authentication system is replacing employees' software-based private-key certificates with hardware-based storage of new certificates using the TPM. With more than half of its employees already enjoying improved TPM security, PwC expects to have all of its 150,000 users converted within the year.
• Other companies embracing the TPM and associated TCG standards include Boeing, BAE Systems, General Dynamics and Rockwell Collins.
So how much proof does it take to get us to activate and use the TPMs that are already in the organization? Trusted Computing provides a proactive counter to get out in front of the evolving software-based threats, rather than reacting after the fact. And as a security solution most organizations already own—it doesn’t require a significant budget investment. You would think that anyone with proprietary information would do whatever it takes to protect unauthorized access to that information—before it appears on WikiLeaks. Consider how you can leverage the TPM today, for an immediate and impactful new layer of hardware-based security. And you’ll be one step ahead as you implement your long-range security plan, which will surely build upon the industry standards for hardware security introduced by the Trusted Computing Group.
Brian Berger is vice president for Wave Systems Corp