Enterprise finally embraces TPM-based security


Recommended Posts

Enterprise finally embraces TPM-based security
Full article: http://www.computerweekly.com/news/2240225813/Analyis-Enterprise-finally-embraces-TPM-based-security
 

Enterprises are finally embracing security systems based on trusted platform module (TPM) chips built into computing devices, but why has it taken so long?
 

Since 2006, many computing devices have included TPM chips, but enterprises have been slow to embrace the technology in their information security strategies. However, in 2012 the Trusted Computing Group (TCG), which published the TPM specification, claimed the technology had reached tipping point.
 

Steven Sprague, a founding-member of the TCG, told Computer Weekly that claim was backed up because the number of PCs with TPM chips has crossed the 600 million mark. He predicted further expansion of TPM use in Windows 8 would also drive the first mainstream adoption of TPM and a much broader spectrum of use.
 

This prediction has proven to be correct, according to Bill Solms, who succeeded Sprague as chief executive of Wave Systems in October 2013.
 

?The TPM?s time has come,? Solms told Computer Weekly, driven by the fact that individuals and companies are now far more aware of the need to defend against cyber threats and that mature TPM-based technologies are available to help address that need.

Link to comment
Share on other sites

Yea, cute article ...  Not seeing in the real world though.

You are limited in your experience - you may not see the TPM, but that does not mean that it isn't being used. According to Steven Sprague, over 600 million devices are using one, and this number will only continue to grow due in no small part to the work of the Microsoft Corporation.

Link to comment
Share on other sites

My understanding is that it is already being used some in some capacity automagically, however I could be wrong (I'm talking about server hardware\server OS). 

 

Think I've seen it enabled on some of the serves I manage, but not 100% sure. Everything kinda blurs into one when you're working with servers for a living, haha.

Link to comment
Share on other sites

My understanding is that it is already being used some in some capacity automagically, however I could be wrong (I'm talking about server hardware\server OS). 

 

Think I've seen it enabled on some of the serves I manage, but not 100% sure. Everything kinda blurs into one when you're working with servers for a living, haha.

I am not sure about Apple, but Microsoft's server operating systems have supported version 1.2 of the TPM since Windows Server 2008.

Link to comment
Share on other sites

My understanding is that it is already being used some in some capacity automagically, however I could be wrong (I'm talking about server hardware\server OS). 

 

Think I've seen it enabled on some of the serves I manage, but not 100% sure. Everything kinda blurs into one when you're working with servers for a living, haha.

TPM security was, in fact, DESIGNED for enterprise (in addition to government - in fact, CAC - the Common Access Card - is based on it).

 

The big reason it hasn't been used much outside of government is due to the cost - most businesses won't spend much outside of the minimum on security unless they have to, unfortunately.

  • Like 2
Link to comment
Share on other sites

TPM security was, in fact, DESIGNED for enterprise (in addition to government - in fact, CAC - the Common Access Card - is based on it).

 

The big reason it hasn't been used much outside of government is due to the cost - most businesses won't spend much outside of the minimum on security unless they have to, unfortunately.

So true. There are some minor additional expenses with TPM security, but it can mitigate huge security breaches/loss of customer data. Only takes one knucklehead to lose a laptop with sensitive data...

Link to comment
Share on other sites

TPM security was, in fact, DESIGNED for enterprise (in addition to government - in fact, CAC - the Common Access Card - is based on it).

 

The big reason it hasn't been used much outside of government is due to the cost - most businesses won't spend much outside of the minimum on security unless they have to, unfortunately.

The issue isn't operating systems, or even the software, but actual deployment of TPM hardware within enterprises or corporations in general.

Link to comment
Share on other sites

I had hoped someone would link to this movie as it is one of my favorites. The description of trust that it provides, at least when referring to individuals, is beautiful.

 

TRUST | confidence

Trust is the personal believe in correctness of something. It is the deep conviction of truth and rightness and can not be enforced. If you gain someone's trust, you have established an interpersonal relationship, based on communication, shared values, and experiences. Trust always depends on mutuality.

However, the video perpetuates some of the misinformation surrounding the Trusted Platform Module and Trusted Computing. Please allow me to explain how it does so, and then I will share my viewpoint on the matter.

 

In the trusted computing environment, the major goal is to protect us from potential threats. The original trusted computing idea is designed to let you to decide what's to consider as threat and what's to consider as trustworthy. You can control by your own personal conviction. The industry's interpretation of the trusted computing idea looks quite similar, aiming at the same: to fight threats, and make computing trustworthy. The main difference is that you cannot decide by your own what is trustworthy and what is not, because they already decided for you, and they already decided not to trust you.

The primary stated objective of Trusted Computing has always been to protect "us" from potential threats.

Trusted Computing does not prohibit "us" (either implicitly or explicitly) from trusting other entities. In fact, there are several features that Trusted Computing enables which directly contradict the video's statement - Sealed Storage and Attestation are two of them, the former allows me to encrypt data to a specific configuration (Example: I don't trust other applications with my banking information, so I will Seal it so that only my banking application can access it), while the latter allows me to send information about my hardware and/or software configuration to external requestors, whom can then determine whether to trust my configuration based on this information.

For the record, implicit, or implied trust being defined as the use of software or hardware. (Example: I may not directly state that I trust this keyboard that I am using to type this message, but logic dictates that I trust it because I am using it). Explicit trust is formed on the basis of something, such as communication (Example: I've seen the information sent by Attestation, and I will allow this computer access because I trust that the information is not lying).

 

So if they don't trust you, why should you trust them?

This is actually one of the reasons that I love Microsoft's Bitlocker encryption - by treating the owner of the computer as a potential adversary, it shows no partiality. In order for me to trust the Trusted Platform Module, the Trusted Platform Module must trust no one.

Link to comment
Share on other sites

my main complain about TPM that its 'inside' are can not publicly/openly auditable.

Yeah, that's a big problem. There's similar concerns about the Intel hardware RNG because of how it's designed (It uses AES as a whitening method) and people just don't know whether to trust it or not.

Really, I just don't trust it, having encryption/key storage as a secret blackbox is just a bad idea.

  • Like 2
Link to comment
Share on other sites

So true. There are some minor additional expenses with TPM security, but it can mitigate huge security breaches/loss of customer data. Only takes one knucklehead to lose a laptop with sensitive data...

 

This is why in all the task sequences I put together, I enable Bitlocker (especially on laptops). I know TPM would offer more, but yeah just saying one example to help combat this (and hopefully other IT pros are enabling this). 

Link to comment
Share on other sites

This topic is now closed to further replies.