Trust Your Computer

With the Trusted Computing Group's recent progress, users can breathe a much-needed sigh of relief

THE precarious state of online security, data protection and identity protection for business, government and consumers is the material of daily news headlines -- from lost and stolen laptops and backup tapes to unsophisticated consumer Internet phishing identity theft.

While the past holiday season showed the demand for online commerce continues to grow dramatically, industry analysts and market researchers are discovering a growing unease about the use of online financial services that expose the most sensitive corporate and personal data.

Cases of financial cyber fraud, identity theft and data losses from Fortune 500 companies, such as Marriott, Bank of America, Wachovia and Citigroup, highlight the fact that valuable data continues to be at significant risk. Data breaches include the loss of sensitive employee and customer profiles, Social Security data and credit information, and outright identity theft. Information is lost through mishandling, theft, unauthorized access to IT networks and malicious attacks.

How Do We Protect Ourselves?
The Federal Financial Institutions Examination Council recently issued guidance suggesting financial institutions offering Internet-based financial services should use more-effective methods to authenticate the identity of customers.

More than 1 million federal employees had personal data lost or stolen in 2005, including those of the Federal Deposit Insurance Corp.

"Identity theft, particularly account hijacking, continues to grow as a problem for the financial services industry and for consumers," Don Powell, FDIC chairman, said recently. "Our review illustrates that ID theft is evolving in more complicated ways and that more can and should be done to make online banking more secure."

The IT industry is responding to these significant challenges by encouraging the development and delivery of a range of new open-standard, hardware-based security solutions. Important progress is being stimulated by the formation of the Trusted Computing Group.

The TCG is a not-for-profit organization formed to develop, define and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces across multiple platforms, peripherals and devices. TCG specifications will enable more secure computing environments without compromising functional integrity, privacy or individual rights. The primary goal is to help users protect their information assets from compromise.

Leading members of the TCG include AMD, Dell, HP, IBM, Intel, Microsoft, Motorola, Sony, Sun Microsystems, STMicroelectronics and Wave Systems. There are now more than 110 members spanning the IT industry.

Industry developers, manufacturers and service providers use TCG specifications to build products that protect and strengthen computing platforms against software-based attacks. In contrast, traditional older-generation security approaches have taken a "moat" approach, which attempted to create electronic boundaries or firewalls that mirrored organizational boundaries.

However, today's new Web services are aimed at making boundaries virtual so that customers and suppliers can have ready access to important information that resides inside corporate information systems. In addition, the security of today's systems is based almost exclusively on software, which has proven to make them highly vulnerable to malicious attacks from the network. Finally, with the increased mobility of devices for access at all times in all places, the threat of physical theft and loss has seen a corresponding increase.

TCG standards today are based on a special-purpose security chip, called a trusted platform module (TPM), placed in a PC. These security chips use an open-standards approach to ensure interoperability across vendor platforms, operating systems and product lines. A TPM, a secure key generator and a key cache management component together enable protected storage of encryption keys and authentication credentials for enhanced security capabilities.

TPM chips store encryption keys and digital signature keys to ensure confidentiality and integrity. This helps protect trusted PCs from typical software-based attacks. Importantly, the keys and other critical security information are stored in non-volatile memory within the chip. Unlike the software-only security solutions most users rely on today, the private encryption keys stored within the chip are protected by the chip even when in use. The root of trust is stored in the hardware and is less vulnerable to attack.

Additionally, the TPM has the ability to perform measurements of the software installed on the machine. These measurements are then compared against known values to determine if the software or configuration has been changed or altered in some unauthorized manner.
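The measure-and-compare step described above, as an added sketch that is not part of the original article and is not TCG or vendor code: each component is hashed before it runs, the digest is folded into a register that can only be extended, and the result is checked against known values to find where a boot chain first changed. The component names and contents are constructed, and SHA-256 is an assumption (the article names no hash algorithm).

```python
import hashlib

PCR_RESET = bytes(32)  # assumption: SHA-256 register, all zeros at reset

def measure(blob: bytes) -> bytes:
    """Measurement = digest of the component before it runs."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """Extend: the register can only be folded forward, never set directly."""
    return hashlib.sha256(pcr + digest).digest()

def replay(chain):
    """Return the register value after each component in load order."""
    pcr, history = PCR_RESET, []
    for name, blob in chain:
        pcr = extend(pcr, measure(blob))
        history.append((name, pcr))
    return history

def first_divergence(chain, known_good):
    """Name of the first component whose step differs from the known values."""
    observed = replay(chain)
    for (name, value), (_, expected) in zip(observed, known_good):
        if value != expected:
            return name
    return None if len(observed) == len(known_good) else "<length mismatch>"

# Constructed sample components (placeholders, not real firmware images).
GOOD_CHAIN = [("firmware", b"fw-1.0"), ("bootloader", b"loader-2.3"),
              ("kernel", b"kernel-5.1")]
TAMPERED_CHAIN = [("firmware", b"fw-1.0"), ("bootloader", b"loader-2.3+patch"),
                  ("kernel", b"kernel-5.1")]
KNOWN_GOOD = replay(GOOD_CHAIN)

if __name__ == "__main__":
    print("clean boot:", first_divergence(GOOD_CHAIN, KNOWN_GOOD))
    print("tampered boot:", first_divergence(TAMPERED_CHAIN, KNOWN_GOOD))
```

Because every value depends on all earlier ones, a change to one component alters every later register value, and loading the same components in a different order also produces a different result.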

What is Trusted Computing?
With encryption keys protected in the hardware of the trusted PC, what can trusted computing do for typical users? Primary benefits include strong authentication, data protection and endpoint security.

Corporations and government agencies remain vulnerable to malicious attacks when unauthorized users authenticate and spoof themselves and their PC platforms into insecure IT networks. Software-only login and sign-in processes have proven to be easily breached. Strong user authentication and platform validation make access through malicious attack far more difficult.

With private encryption keys stored in a security chip, users may now be strongly authenticated via the TPM chip itself, a password and/or a biometric. The risk of spoofing is dramatically lessened. Protected storage of keys also allows for the creation of strong, complex passwords to further strengthen the authentication process.

In addition to strongly authenticating identities, the TPM security chip also can authenticate and validate the device being used (the trusted computer). Eventually, the chips will validate mobile devices like cell phones and PDAs, as well.

Another important capability easily enabled by trusted computing is secure storage and management for file, folder and drive-level encryption. Data protection capabilities from software companies protect files so that they may not be viewed without access to the encryption keys. This means that with lost or stolen laptops or lost backup tapes, extremely sensitive customer or employee data can still be protected by keys stored in the TPM, even when the data is in the hands of those with malicious intent.

The keys that enable authentication and data protection also help in the delivery of a range of easy-to-use trusted services that are useful in everyday business applications. For instance, client-based single log-in allows users to auto fill in username and password with the use of only one password, and register others in the TPM security chip for auto fill as needed.

Users also can help set the policies of how the TPM security chip interacts with the user, such as the use of biometric authentication, through TPM and user management applications.

An endpoint integrity capability potentially offered by vendors building to the TCG framework is the Trusted Network Connect architecture. Products based on the architecture can determine the security and compliance of clients attempting to connect to a network and will provide a level of network access based on the configuration and integrity of the client. With the enforcement of IT security and system requirements, network administrators are expected to decrease security vulnerabilities, support costs and downtime associated with misconfigured or infected systems.

The good news is that the computer industry is offering an increasingly wide variety of trusted PCs and desktop boards equipped with a TPM security chip. More vendors and models are scheduled to be announced in the coming months. Industry experts are now predicting a trusted computing tidal wave.

Making a commitment to trusted computing is designed to be easy. It's mainly a matter of replacing existing PCs -- typically on three- or four-year replacement cycles -- with generally available trusted PCs and associated secure software.
