Changing the status quo for security
When a problem is recognized that impacts virtually everyone and a group of experts provides a solution, what can possibly prevent the solution from being used? If the problem was global warming, with the need to reduce CO2 as the solution, it would be easy to identify the extensive buy-in required from scientists and governments around the world as a major issue. If the problem was a computing and communication tool that did not require a keyboard as the human machine interface and you introduce a product (the iPad) that costs $499, you could have sold over 3 million units in 80 days. That’s immediate acceptance by a significant portion of the world’s population and cost was not an issue.
In contrast, for improved computer security, that comes with virtually every enterprise level computer and server (in other words, it’s free) and just requires activation, the adoption rate has been incredibly slow. According to a study by Aberdeen Research, even though it’s installed in over 300 million desktop and portable computers, only a small fraction of the users have activated the embedded security.
Turn it ON
Most people are not even aware of the security technology in their computer. That’s OK if the technology is enabled when they purchase the computer, but the Trusted Platform Module, or TPM, is an opt-in tool. The TPM, a secure cryptographic integrated circuit (IC), provides a hardware-based root of trust that enables improved computer and network security compared to software-only approaches that can be defeated by the same software they are attempting to detect and block. The TPM was developed by the Trusted Computing Group (TCG) as an open standard, so several companies compete to supply the TPM making it cost competitive. As a result, most leading computer companies install the technology in their computers. In addition to industry experts in computing software, hardware and services, TCG’s members also include companies that have a goal of improving the security in their own operations.
While it can be difficult to establish trust with people, you can easily establish a trusted relationship with a TPM-equipped machine and protect systems and networks. For consumers and enterprises that have PCs, servers and other products with a TPM, they just need to turn the TPM ON. It only takes four easy steps. While not as easy as simply flipping a switch, for corporations with an IT organization, it is a trivial technical challenge. Several companies offer tools to make the widespread implementation of the TPM in an organization even easier. With an activated TPM, users can easily encrypt files, folders and emails as well as more securely manage passwords to avoid unauthorized access to computers and networks.
The TPM provides a hardware security foundation for networks based on hooks in TCG’s Trusted Network Connect standard. A recent extension of that standard even provides secure social networking for machines through an interface to a Metadata Access Protocol (IF-MAP) server. In addition, self-encrypting drives have been introduced based on TCG’s Trusted Storage standard that takes advantage of the TPM.
Join the club
Companies that make computing and network products should investigate and analyze the benefits they can provide consumers by incorporating the TPM in their new products. Several companies already have new products based on TCG standards including the TPM that demonstrate what can be accomplished. As a result, early adopters have already taken advantage of improved TPM-based security in these existing products for organization-wide implementation.
As part of its High Assurance Platform (HAP) Program, the National Security Agency (NSA) uses the TPM in a virtualized approach to run multiple secure environments. In addition, NSA adopted a full disk encryption standard based on the TPM. Since July 2007, the Department of Defense explicitly requires a TPM in all its new computers.
Government agencies outside of the U.S. are also embracing the TPM for improved security. CESG, the United Kingdom’s Government’s National Technical Authority for Information Assurance (IA), has determined that the TPM can be used to protect security critical data at Business Impact Level 3 for RESTRICTED classified data.
Governments that have not bought into the TPM include China, Russia, Kazakhstan and Belarus. This alone should be sufficient reason for most people in all the other countries to activate their TPM.
Companies that have acknowledged the TPM’s value and are pioneering the implementation of TPM-based security include PricewaterhouseCoopers (PwC). PwC’s next-generation authentication system will replace employees’ software-based private-key certificates for hardware-based storage of new certificates using the TPM. With over 35,000 employees already enjoying improved TPM security, PwC expects to have all of its 150,000 users converted in about a year.
PwC is not alone in its efforts. Other companies embracing the TPM and associated TCG standards that take advantage of the TPM include Boeing, BAE Systems, General Dynamics and Rockwell Collins.
With cloud computing growing rapidly, the need for improved security increases even further. TCG expects the TPM to play an important role to strengthen and complement the security services in any cloud operating system or hypervisor, especially with the strong authentication that the TPM enables. A working group (Trusted Multi-Tenant Infrastructure Work Group) aimed at developing an open standards framework for cloud computing security has been established recently. However, some of the TPM’s capabilities can already be used for cloud security.
Having a high level of security does not normally get an organization in the news. In contrast, companies and government entities with vulnerable security frequently are in the headlines. So, how much proof does it take to activate and use the TPMs that are already in the organization? It’s not like embracing a solution for global warming and doesn’t require shelling out almost $500 bucks. You would think that anyone with proprietary information would do whatever it takes to protect unauthorized access to that information – before it appears on WikiLeaks.