Trust Your Computer

With the Trusted Computing Group's recent progress, users can breathe a much-needed sigh of relief

The precarious state of online security, data protection and identity protection for business, government and consumers is the material of daily news headlines -- from lost and stolen laptops and backup tapes to unsophisticated consumer Internet phishing identity theft.

While the past holiday season showed the demand for online commerce continues to grow dramatically, industry analysts and market researchers are discovering a growing unease about the use of online financial services that expose the most sensitive corporate and personal data.

Cases of financial cyber fraud, identity theft and data losses from Fortune 500 companies, such as Marriott, Bank of America, Wachovia and Citigroup, highlight the fact that valuable data continues to be at significant risk. Data breaches include the loss of sensitive employee and customer profiles, Social Security data and credit information, and outright identity theft. Information is lost through mishandling, theft, unauthorized access to IT networks and malicious attacks.

How Do We Protect Ourselves?
The Federal Financial Institutions Examination Council recently issued guidance suggesting financial institutions offering Internet-based financial services should use more-effective methods to authenticate the identity of customers.

More than 1 million federal employees had personal data lost or stolen in 2005, including those of the Federal Deposit Insurance Corp.

"Identity theft, particularly account hijacking, continues to grow as a problem for the financial services industry and for consumers," Don Powell, FDIC chairman, said recently. "Our review illustrates that ID theft is evolving in more complicated ways and that more can and should be done to make online banking more secure."

The IT industry is responding to these significant challenges by encouraging the development and delivery of a range of new open-standard, hardware-based security solutions. Important progress is being stimulated by the formation of the Trusted Computing Group.

The TCG is a not-for-profit organization formed to develop, define and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces across multiple platforms, peripherals and devices. TCG specifications will enable more secure computing environments without compromising functional integrity, privacy or individual rights. The primary goal is to help users protect their information assets from compromise.

Leading members of the TCG include AMD, Dell, HP, IBM, Intel, Microsoft, Motorola, Sony, Sun Microsystems, STMicroelectronics and Wave Systems. There are now more than 110 members spanning the IT industry.

Industry developers, manufacturers and service providers use TCG specifications to build products that protect and strengthen computing platforms against software-based attacks. In contrast, traditional older-generation security approaches have taken a "moat" approach, which attempted to create electronic boundaries or firewalls that mirrored organizational boundaries.

However, today's new Web services are aimed at making boundaries virtual so that customers and suppliers can have ready access to important information that resides inside corporate information systems. In addition, the security of today's systems is based almost exclusively on software, which has proven to make them highly vulnerable to malicious attacks from the network. Finally, with the increased mobility of devices for access at all times in all places, the threat of physical theft and loss has seen a corresponding increase.

TCG standards today are based on a special-purpose security chip placed in a PC, called a trusted platform module (TPM). These security chips use an open-standards approach to ensure interoperability across vendor platforms, operating systems and product lines. A TPM, which is a secure key generator and key cache management component, enables protected storage of encryption keys and authentication credentials for enhanced security capabilities.

TPM chips store encryption keys and digital signature keys to ensure confidentiality and integrity. This helps protect trusted PCs from typical software-based attacks. Importantly, the keys and other critical security information are stored in non-volatile memory within the chip. Unlike the software-only security solutions most rely on today, the private encryption keys stored within the chip are protected by the chip even when in use. The root of trust is stored in the hardware and is less vulnerable to attack.

Additionally, the TPM has the ability to perform measurements of the software installed on the machine. These measurements are then compared against known values to determine if the software or configuration has been changed or altered in some unauthorized manner.
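The measure-and-compare step described above, modeled in software as an added example that is not part of the original article. It assumes SHA-256 and an all-zero starting register (TPM chips of the article's era used SHA-1), and the component names and byte strings are constructed stand-ins; in a real TPM the register lives inside the chip and can only be changed through the extend operation.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    """Fold one measurement into the register: new = H(old || H(component))."""
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + measurement).digest()

def measure_chain(components) -> bytes:
    """Measure each boot component in order, starting from an all-zero register."""
    pcr = bytes(32)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

def matches_known_value(components, expected_pcr: bytes) -> bool:
    """Compare the final register against the known-good value in constant time."""
    return hmac.compare_digest(measure_chain(components), expected_pcr)

def first_changed(components, known_digests):
    """Return the index of the first component that differs or is missing, else None."""
    for i, blob in enumerate(components):
        if i >= len(known_digests) or hashlib.sha256(blob).digest() != known_digests[i]:
            return i
    if len(components) < len(known_digests):
        return len(components)  # a component was dropped from the chain
    return None

# Constructed sample data: stand-ins for firmware, boot loader and kernel images.
GOOD_BOOT = [b"firmware-1.0", b"bootloader-2.3", b"kernel-5.1"]
TAMPERED_BOOT = [b"firmware-1.0", b"bootloader-2.3-patched", b"kernel-5.1"]

# Known-good reference values, recorded from the trusted configuration.
KNOWN_PCR = measure_chain(GOOD_BOOT)
KNOWN_DIGESTS = [hashlib.sha256(b).digest() for b in GOOD_BOOT]

if __name__ == "__main__":
    print("clean boot matches:   ", matches_known_value(GOOD_BOOT, KNOWN_PCR))
    print("tampered boot matches:", matches_known_value(TAMPERED_BOOT, KNOWN_PCR))
    print("first changed index:  ", first_changed(TAMPERED_BOOT, KNOWN_DIGESTS))
    print("reordered matches:    ", matches_known_value(GOOD_BOOT[::-1], KNOWN_PCR))
```

Because each extend hashes the previous register value together with the new measurement, the final value depends on every component and on the order they were loaded, so a single altered or reordered component changes the result.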

What is Trusted Computing?
With encryption keys protected in the hardware of the trusted PC, what can trusted computing do for typical users? Primary benefits include strong authentication, data protection and endpoint security.

Corporations and government agencies remain vulnerable to malicious attacks when unauthorized users authenticate and spoof themselves and their PC platforms into insecure IT networks. Software-only login and sign-in processes have proven to be easily breached. Strong user authentication and platform validation make malicious access far more difficult.

With private encryption keys stored in a security chip, users may now be strongly authenticated via the TPM chip itself, a password and/or a biometric. The risk of spoofing is dramatically lessened. Protected storage of keys also allows for the creation of strong, complex passwords to further strengthen the authentication process.

In addition to strongly authenticating identities, the TPM security chip also can authenticate and validate the device being used (the trusted computer). Eventually, the chips will validate mobile devices like cell phones and PDAs, as well.

Another important capability easily enabled by trusted computing is secure storage and management for file, folder and drive-level encryption. Data protection capabilities from software companies protect files so that they may not be viewed without access to the encryption keys. This means that with lost or stolen laptops or lost backup tapes, extremely sensitive customer or employee data can still be protected by keys stored in the TPM, even when the data is in the hands of those with malicious intent.

The keys that enable authentication and data protection also help in the delivery of a range of easy-to-use trusted services that are useful in everyday business applications. For instance, client-based single log-in allows users to auto fill in username and password with the use of only one password, and register others in the TPM security chip for auto fill as needed.

Users also can help set the policies of how the TPM security chip interacts with the user, such as the use of biometric authentication, through TPM and user management applications.

An endpoint integrity capability potentially offered by vendors building to the TCG framework is the Trusted Network Connect architecture. Products based on the architecture can determine the security and compliance of clients attempting to connect to a network and will provide a level of network access based on the configuration and integrity of the client. With the enforcement of IT security and system requirements, network administrators are expected to decrease security vulnerabilities, support costs and downtime associated with misconfigured or infected systems.

The good news is that the computer industry is offering an increasingly wide variety of trusted PCs and desktop boards equipped with a TPM security chip. More vendors and models are scheduled to be announced in the coming months. Industry experts are now predicting a trusted computing tidal wave.

Making a commitment to trusted computing is designed to be easy. It's mainly a matter of replacing existing PCs -- typically on three- or four-year replacement cycles -- with generally available trusted PCs and associated secure software.
