Crypto chip: How the TPM bolsters enterprise securityWant to make your endpoints and servers more secure, and easier to manage? Consider the Trusted Platform Module In computing, Trusted Platform Module (TPM) is both the name of a published specification detailing a microcontroller that can store secured information, as well as the general name of implementations of that specification, often called "TPM chip" or "TPM Security Device" (Dell). (TPM (1) See TP monitor. (2) (Transactions Per Minute) The number of transactions processed within one minute. See TPS. (3) (Trusted Platform M ), a hardware-based cryptography chip built into virtually every enterprise PC and notebook, and now installed in over 100 million PCs. Learn how to activate the TPM and make your enterprise computing Refers to information technology in the larger company. See enterprise data and enterprise networking. environment more trustworthy. Securing an enterprise takes every proven tool at your disposal. Accordingly, many organizations have begun employing a security chip built into virtually all enterprise PC or notebook motherboards that ship today: the Trusted Platform Module (TPM). This secure cryptographic chip provides a hardware-based approach to managing user authentication See authentication. , network access, and data protection, including everything from multi-factor authentication and machine binding for removable media In computer storage, removable media refers to storage media which can be removed from its reader device, conferring portability on the data it carries. A removable drive is a reader device for such media. , to irrevocable digital signatures and full-disk encryption (FDE FDE Full Disk Encryption FDE FedEx FDE Fundação para o Desenvolvimento da Educação (Brazil) FDE Frequency Domain Equalization FDE Fault Detection and Exclusion FDE Full Duplex Ethernet FDE Flat Dark Earth ). According to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. a March, 2008 study by the Aberdeen Group Aberdeen Group is a provider of business-related research services. It has its headquarters in Boston, Massachusetts and belongs to the Harte-Hanks group. Founded in 1988, Aberdeen's research is used by over 2. , the current top uses for the TPM are user authentication, network access, and data protection. For example, four out of five TPM-using organizations use the chip to manage PC login, user authentication, and to secure the boot sequence See first boot sequence. , and almost as many also rely on the chip to authenticate a PC during the network access negotiation process. The survey also found that two-thirds of TPM users rely on it to secure their full-disk hard drive encryption processes. The hardware-based TPM can be a powerful tool for improving on software-based security. In fact, “the most compelling finding from this study is that users who have activated their existing trusted computing Trusted Computing (also abbreviated TC) is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning. infrastructure actually have superior security governance, risk management and compliance [capabilities],” notes Derek E. Brink, vice president and research director for IT security at Aberdeen. That said, many IT and security managers report that they're unfamiliar with the TPM. “The research shows that a high percentage of trusted computing-ready devices and infrastructure already exists within the enterprise, but overall awareness about the benefits of trusted computing is still relatively low.”TPM 101What exactly is the TPM, and who's behind it? Briefly, the TPM is a hardware-based cryptographic chip built to protect keys and identities, and create a hardware-based foundation of trust. Using a TPM, enterprises can implement, manage, and enforce such things as trusted cryptography, storage, integrity management, attestation, and many other information security capabilities. The TPM specification itself, which is open and vendor-neutral, was developed by a standards group within Trust Computing Group, which has 140 or so members, including software and hardware vendors, as well as end users such as Boeing, General Dynamics General Dynamics Corporation (NYSE: GD) is a defense conglomerate formed by mergers and divestitures, and as of 2006 it is the sixth largest defense contractor in the world[1]. The company has changed markedly in the post-Cold War era of defense consolidation. , and Lockheed-Martin. The latest and most widespread version of the TPM, 1.2, is certified as compatible with all versions of the Vista OS.Why should I activate the TPM? For starters, because hardware-based security is better than software-based security. For example, take data encryption data encryption, the process of scrambling stored or transmitted information so that it is unintelligible until it is unscrambled by the intended recipient. Historically, data encryption has been used primarily to protect diplomatic and military secrets from foreign products. Many software-based encryption packages exist today, in addition to capabilities now built into operating systems Operating systems can be categorized by technology, ownership, licensing, working state, usage, and by many other characteristics. In practice, many of these groupings may overlap. : BitLocker in Vista, FileVault in Mac OS X, and dm-crypt in Linux. But any expert will tell you that with the right tools or attacks, you can break them: you can boot a drive via Firewire, or chill a DRAM chip for long enough to recover encryption keys. No security is perfect, but hardware-based security is a much tougher nut to crack than software-based security. Furthermore, with a TPM, the encryption key never has to be stored in RAM; it can remain resident on the cryptographic chip. And hacking a crypto chip is much more difficult than recovering information from an operating system operating system (OS) Software that controls the operation of a computer, directs the input and output of data, keeps track of files, and controls the processing of computer programs. .What in particular is driving enterprise adoption of the TPM? Driving TPM adoption are endpoint security challenges facing IT and security managers today: weak network and PC log-in passwords, poor machine identity, and not knowing exactly who's on the enterprise network, wireless access points, or logged into the VPN (Virtual Private Network) A private network that is configured within a public network (a carrier's network or the Internet) in order to take advantage of the economies of scale and management facilities of large networks. . Don't forget, as well, the ongoing threats from phishing, pharming pharming (fär`mĭng), the use of genetically altered livestock, such as cows, goats, pigs, and chickens, to produce medically useful products. , spam, and malware in general. The TPM addresses security problems by adding hardware-based trust to the equation. If a user ID and password are stolen or cracked, it's not enough -- if you also tie access to having the TPM chip. The end result is a more trustworthy computing The term Trustworthy Computing (TwC) has been applied to computing systems that are inherently secure, available and reliable. The Committee on Information Systems Trustworthiness’ publication, Trust in Cyberspace, defines such a system as one which environment.Beyond the threat of data breaches, what's the “why now” factor for IT managers? First of all, the TPM is installed in more than 100 million PCs that have already shipped. And when the TPM is already on the machine, if you choose to enable it, it just works. That means that an IT department activates every TPM and enables “drive locking,” they can tie a hard drive to a particular TPM. So if that laptop is powered down and gets stolen, it doesn't matter (at least from an information-loss standpoint) if it ends up for sale on eBay. The hard drive will just be a brick. Second, virtually every enterprise PC shipped today — including Lenovo, Dell, HP, MPC (1) (Mobile PC) A handheld or laptop computer. See handheld computer, laptop computer and Ultra-Mobile PC. (2) (MultiPath Channel) See multipath. , Asus, Sony, Toshiba, Fujitsu, and others — includes a built-in TPM, as well as bundled TPM management software. For example, Embassy Trust Suites from Wave Systems is part of the standard enterprise client build shipped on all Dell machines, and this software supports full-disk encryption solutions. That means client software for managing TPM is already on the machine. If an enterprise wants to take advantage of it, they just need to purchase the server-side software.So the TPM is not active, by default? No, the only catch with the TPM is that though it's built into virtually every enterprise-class machine that ships today — PC, Mac, and oftentimes, Linux, as well as numerous consumer platforms -- you must activate it.In general, are IT managers and security managers aware of what a TPM can do, once activated? Typically not. Even for managers who've heard of the TPM, or know that it's a cryptographic chip, the question often is: “I have all these devices with a TPM built in, what can it do for me?” And when told it can provide, out of the box, strong authentication to their remote access IPsec VPN, enterprise PKI (Public Key Infrastructure) A framework for creating a secure method for exchanging information based on public key cryptography. The foundation of a PKI is the certificate authority (CA), which issues digital certificates that authenticate the identity of key management and exchange, and that it then is also a core capability as they move to a network access control solution, they're very interested. In addition, for network policy enforcement points — Checkpoint firewalls, Cisco switchers and routers, and other 802.1x-compatible devices are TPM-capable by default.Who's using the TPM and why? Drivers for using the TPM are very consistent across industries. For example, one financial services The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. company has computed that the cost of lost data far exceeds the cost of losing a machine. So that's an easy CFO See Chief Financial Officer. decision to make. Then on the private side, the driver is often laws or regulations. For law firm clients, it's attorney/client privilege. For others, it's complying with data privacy regulations. Or if you're a utility, it's really been about controlling access to competitive information and preventing losses. Finally, if you're a government agency, such as the National Security Agency (NSA NSA abbr. National Security Agency Noun 1. NSA - the United States cryptologic organization that coordinates and directs highly specialized activities to protect United States information systems and to produce foreign ), which utilizes the TPM on its laptops, you simply cannot allow sensitive, confidential, or top secret information to be stored in unencrypted format, as numerous data-loss episodes at the Veterans Administration, Boeing, and other organizations have demonstrated. How does a TPM work with hardware- and software-based full-disk encryption? Surveying data-at-rest options comes down to a conversation about software versus hardware approaches. And hardware-based approaches completely encrypt the data on the drive in minutes per machine, versus hours per machine in the software world. Obviously, this has total cost of ownership and management implications. Also, with hardware there's no impact on machine performance, because the hardware handles the cryptography. Remember that in an enterprise context, simply having full-disk encryption isn't sufficient. You also have to verify it's active, effective, and in the event the machine is lost or stolen, demonstrate that it complied with security policies. Accordingly, by using Trusted Platform management software (for hardware FDE and TPMs), if an employee loses a laptop, the IT department can prove that all data on the drive was encrypted, and that the encryption couldn't have been deactivated. At that point, even if the lost or stolen data was confidential, regulated, or contained personally identifiable information In information security and privacy, personally identifiable information or personally identifying information (PII) is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. , there's no data breach notification requirement.Will a TPM alone fully encrypt a hard drive? No, the TPM enhances software-based encryption tools by speeding the encryption process and also securing archives with strong authentication. In addition, the TPM works with any hard drive that has the ability to be fully encrypted, which means the fully encrypting drives now reaching the market, such as from Seagate. The TPM will also work with the forthcoming Intel chipset, codenamed Montevina, which will enable encryption with any type of software or hardware solution that supports TPM. Also going forward, TCG (Trusted Computing Group, Beaverton, OR, www.trustedcomputinggroup.org) The successor to the Trusted Computer Platform Alliance (TCPA), announced in 2003 by founding members AMD, HP, IBM, Intel and Microsoft. is creating standards for tape, flash and even optical disks with on-board hardware encryption.Is a particular combination of encryption technology and TPM avocated? No, because different companies have different data protection requirements. Accordingly, the TPM isn't locked into any one approach. That means you can use the TPM to secure file and folder-level encryption, both on clients and within workgroups, all the way up to whole-disk encryption. How can IT managers begin experimenting with the TPM? First, just try it out. For example, the Microsoft website has excellent instructions for how to enable BitLocker drive encryption BitLocker Drive Encryption is a full disk encryption feature included with Microsoft's Windows Vista and Windows Server 2008 operating systems designed to protect data by providing encryption for entire volumes. . Several other TCG members have solutions that enable full-disk, directory and file-and-folder encryption solutions. From there, the most efficient and effective way to adopt the TPM is to activate it, and add TPM tools to your enterprise client build. Another best practice: have end users set their own TPM password, and back this with security policies that mandate TPM use, plus an awareness campaign. This, by the way, is the approach used by the NSA.Who's making tools to utilize the TPM? Software and applications for the TPM are available from NTRU NTRU Native Title Research Unit (AIATSIS) NTRU Number Theorists R Us NTRU N-Th Degree Truncated Polynomial Ring (Core TCG Software Stack (1) A stack that is implemented in memory rather than in hardware registers. See stack. (2) A generic reference to a set of system programs or a set of application programs that form a complete system. See stack. ), Phoenix Technologies (Award TCG Agent), Softex (Omni Pass and Theft Guard), Utimaco (SafeGuard), VeriSign (Personal Trust Agent), Wave Systems (Embassy Trust Suites), and many others. What can we expect from the TPM in the future? As enterprises master how to use the TPM, they'll be better positioned to adopt network access control frameworks — as they continue to mature — given that the TPM is compatible with both the TNC (hardware) TNC - A threaded version of a BNC. framework, as well as Microsoft's Network Access Protection. Hence you will have a wide variety of widely compatible — that is to say, non-proprietary — options available to meet your network access requirements. This will save companies money, and make network access control frameworks easier to both deploy and manage. In addition, companies keep creating innovative new ways of putting the TPM to work. For example, the several OEM (Original Equipment Manufacturer) The rebranding of equipment and selling it. The term initially referred to the company that made the products (the "original" manufacturer), but eventually became widely used to refer to the organization that buys the products and makers such as Dell, HP and Lenovo provide TPM support at the BIOS-level for security authentication to the machine before the system OS boots.So the chip is a foundation for future trustworthy computing initiatives? Exactly, because you're relying on a hardware-based cryptographic chip built into a PC to vouch for the endpoint's identity and state. Sure, when Microsoft Vista connects to the network, it says it's your PC and running all current security patches, but what if it's actually an external attacker using my credentials, or a rootkit on my PC that has exploited a known vulnerability and is pretending otherwise? With a TPM, you'll know the difference. Top 10 applications for the TPM Here are 10 examples of what a TPM can do for you:1. Multi-factor authentication: The TPM provides one factor in a multi-factor authentication model. For example, some enterprises are using digital certificates (PKI) tied to a TPM, as well as biometrics, to eliminate passwords and create stronger authentication models for wired, wireless, and VPN access.2. Strong login authentication: The TPM ensures that only users with proper credentials get hard drive or network access.3. Machine binding: Encrypt all data stored on removable media and limit access based on identity.4. Digital signatures: A TPM enables tamper-resistant digital document signing, to reduce fraud. This is also a useful capability for creating a trusted audit trail — for example, under Sarbanes-Oxley, where a “chain-of-trust” should be followed and must be provable and auditable. The TPM can help create the required, irrevocable audit trail.5. Password vaults: Many PC manufacturers ship client software that allows users to make immediate use of the TPM. One popular application, for example, is a hardware-based vault for storing digital credentials, such as passwords. Even if the PC is lost or stolen, passwords are protected by the TPM.6. File and folder encryption: In Microsoft Vista, BitLocker, MS Encrypted File System (EFS EFS Encrypted File System (Microsoft Windows 2000) EFS Event Free Survival (survival rates in clinical trials) EFS Evangeliska Fosterlandsstiftelsen (Sweden) ) and other third-party applications, using the TPM will encrypt files and folders, thus controlling access to those files and verifying their integrity.7. Strong client/server authentication: Embassy Trust Suites from Wave Systems Corp. provides key management tools — including key escrow, backup, and recovery capabilities — for IT managers to administer thousands of TPM chips and enforce their application, which is crucial for demonstrating compliance with numerous regulations. 8. Network access control: In the Trusted Network Connect Trusted Network Connect or TNC is an open architecture for Network Access Control, promulgated by the Trusted Network Connect Work Group (TNC-WG) of the Trusted Computing Group (TCG). (TNC) framework, a TPM attests to the identity and even health of a PC state before it is granted network access, or perhaps shunted into a network quarantine.9. Endpoint integrity: The TPM can hash state information prior to a hard drive shutdown, to report to a host that the machine and its software has not been tampered with when it boots. In addition, it can monitor all applications in the trusted application stack to report they are not tampered with while running.10. Trusted client/server security: IBM (International Business Machines Corporation, Armonk, NY, www.ibm.com) The world's largest computer company. IBM's product lines include the S/390 mainframes (zSeries), AS/400 midrange business systems (iSeries), RS/6000 workstations and servers (pSeries), Intel-based servers (xSeries) , among others, has begun shipping trusted servers — with a built-in TPM — to create even more secure client/server relationships and computing environments. 
|
|
||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion