
Enterprise finally embraces TPM-based security

trusted computing group tcg trusted platform module tpm tpm 1.2 tpm 2.0

13 replies to this topic

#1 Ian W

Ian W

    Physical presence asserted.

  • 1,483 posts
  • Joined: 01-March 13
  • OS: Windows Vista

Posted 31 July 2014 - 05:00

Enterprise finally embraces TPM-based security
Full article: http://www.computerw...-based-security
 

Enterprises are finally embracing security systems based on trusted platform module (TPM) chips built into computing devices, but why has it taken so long?
 

Since 2006, many computing devices have included TPM chips, but enterprises have been slow to embrace the technology in their information security strategies. However, in 2012 the Trusted Computing Group (TCG), which published the TPM specification, claimed the technology had reached a tipping point.
 

Steven Sprague, a founding member of the TCG, told Computer Weekly that claim was backed up because the number of PCs with TPM chips has crossed the 600 million mark. He predicted further expansion of TPM use in Windows 8 would also drive the first mainstream adoption of TPM and a much broader spectrum of use.
 

This prediction has proven to be correct, according to Bill Solms, who succeeded Sprague as chief executive of Wave Systems in October 2013.
 

“The TPM’s time has come,” Solms told Computer Weekly, driven by the fact that individuals and companies are now far more aware of the need to defend against cyber threats and that mature TPM-based technologies are available to help address that need.




#2 Kelxin

Kelxin

    Neowinian

  • 609 posts
  • Joined: 08-April 04

Posted 31 July 2014 - 06:52

 

Enterprise finally embraces TPM-based security
Full article: http://www.computerw...-based-security
 

 

Yea, cute article ... Not seeing it in the real world though.



#3 OP Ian W

Ian W

    Physical presence asserted.

  • 1,483 posts
  • Joined: 01-March 13
  • OS: Windows Vista

Posted 31 July 2014 - 07:00

Yea, cute article ... Not seeing it in the real world though.

You are limited in your experience - you may not see the TPM, but that does not mean that it isn't being used. According to Steven Sprague, over 600 million devices are using one, and this number will only continue to grow due in no small part to the work of the Microsoft Corporation.



#4 Jared-

Jared-

    Pick it, pack it, light it up...

  • 226 posts
  • Joined: 02-October 07
  • Location: Melbourne, Australia
  • OS: Windows Server\OS X

Posted 31 July 2014 - 07:55

My understanding is that it is already being used in some capacity automagically, however I could be wrong (I'm talking about server hardware\server OS).

 

Think I've seen it enabled on some of the servers I manage, but not 100% sure. Everything kinda blurs into one when you're working with servers for a living, haha.



#5 OP Ian W

Ian W

    Physical presence asserted.

  • 1,483 posts
  • Joined: 01-March 13
  • OS: Windows Vista

Posted 03 August 2014 - 01:35

My understanding is that it is already being used in some capacity automagically, however I could be wrong (I'm talking about server hardware\server OS).

 

Think I've seen it enabled on some of the servers I manage, but not 100% sure. Everything kinda blurs into one when you're working with servers for a living, haha.

I am not sure about Apple, but Microsoft's server operating systems have supported version 1.2 of the TPM since Windows Server 2008.



#6 PGHammer

PGHammer

    Neowinian Senior

  • 9,013 posts
  • Joined: 31-August 03
  • Location: Accokeek, MD
  • OS: Windows 8 Pro with Media Center x64

Posted 03 August 2014 - 01:57

My understanding is that it is already being used in some capacity automagically, however I could be wrong (I'm talking about server hardware\server OS).

 

Think I've seen it enabled on some of the servers I manage, but not 100% sure. Everything kinda blurs into one when you're working with servers for a living, haha.

TPM security was, in fact, DESIGNED for enterprise (in addition to government - in fact, CAC - the Common Access Card - is based on it).

 

The big reason it hasn't been used much outside of government is due to the cost - most businesses won't spend much outside of the minimum on security unless they have to, unfortunately.



#7 Raa

Raa

    Resident president

  • 12,868 posts
  • Joined: 03-April 02
  • Location: NSW, Australia

Posted 03 August 2014 - 02:02

http://www.lafkon.net/tc/
No tks.
 



#8 shastasheen

shastasheen

    Neowinian

  • 102 posts
  • Joined: 18-May 14

Posted 03 August 2014 - 02:14

TPM security was, in fact, DESIGNED for enterprise (in addition to government - in fact, CAC - the Common Access Card - is based on it).

 

The big reason it hasn't been used much outside of government is due to the cost - most businesses won't spend much outside of the minimum on security unless they have to, unfortunately.

So true. There are some minor additional expenses with TPM security, but it can mitigate huge security breaches/loss of customer data. Only takes one knucklehead to lose a laptop with sensitive data...



#9 PGHammer

PGHammer

    Neowinian Senior

  • 9,013 posts
  • Joined: 31-August 03
  • Location: Accokeek, MD
  • OS: Windows 8 Pro with Media Center x64

Posted 03 August 2014 - 02:34

TPM security was, in fact, DESIGNED for enterprise (in addition to government - in fact, CAC - the Common Access Card - is based on it).

 

The big reason it hasn't been used much outside of government is due to the cost - most businesses won't spend much outside of the minimum on security unless they have to, unfortunately.

The issue isn't operating systems, or even the software, but actual deployment of TPM hardware within enterprises or corporations in general.



#10 Enron

Enron

    Windows for Workgroups

  • 10,049 posts
  • Joined: 30-May 11
  • OS: Windows 8.1 U1
  • Phone: Nokia Lumia 900

Posted 03 August 2014 - 02:39

We use it in our enterprise.



#11 OP Ian W

Ian W

    Physical presence asserted.

  • 1,483 posts
  • Joined: 01-March 13
  • OS: Windows Vista

Posted 03 August 2014 - 03:30

I had hoped someone would link to this movie as it is one of my favorites. The description of trust that it provides, at least when referring to individuals, is beautiful.
 

TRUST | confidence
Trust is the personal belief in the correctness of something. It is the deep conviction of truth and rightness and cannot be enforced. If you gain someone's trust, you have established an interpersonal relationship, based on communication, shared values, and experiences. Trust always depends on mutuality.

However, the video perpetuates some of the misinformation surrounding the Trusted Platform Module and Trusted Computing. Please allow me to explain how it does so, and then I will share my viewpoint on the matter.
 

In the trusted computing environment, the major goal is to protect us from potential threats. The original trusted computing idea is designed to let you decide what to consider a threat and what to consider trustworthy. You can control it by your own personal conviction. The industry's interpretation of the trusted computing idea looks quite similar, aiming at the same: to fight threats, and make computing trustworthy. The main difference is that you cannot decide on your own what is trustworthy and what is not, because they already decided for you, and they already decided not to trust you.

The primary stated objective of Trusted Computing has always been to protect "us" from potential threats.

Trusted Computing does not prohibit "us" (either implicitly or explicitly) from trusting other entities. In fact, there are several features that Trusted Computing enables which directly contradict the video's statement; Sealed Storage and Attestation are two of them. The former allows me to encrypt data to a specific configuration (Example: I don't trust other applications with my banking information, so I will Seal it so that only my banking application can access it), while the latter allows me to send information about my hardware and/or software configuration to external requestors, who can then determine whether to trust my configuration based on this information.

For the record, implicit (or implied) trust is defined as the use of software or hardware. (Example: I may not directly state that I trust this keyboard that I am using to type this message, but logic dictates that I trust it because I am using it.) Explicit trust is formed on the basis of something, such as communication (Example: I've seen the information sent by Attestation, and I will allow this computer access because I trust that the information is not lying).
 

So if they don't trust you, why should you trust them?

This is actually one of the reasons that I love Microsoft's Bitlocker encryption - by treating the owner of the computer as a potential adversary, it shows no partiality. In order for me to trust the Trusted Platform Module, the Trusted Platform Module must trust no one.

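The Sealed Storage and Attestation features described in the post above, as an added worked example that is not part of the original thread and not code from any TPM vendor or the TCG specification: a toy `ToyTPM` class (hypothetical, constructed here) models a SHA-256 PCR bank with one-way extend, seals a secret to a selection of PCR values so it only unseals while the measured boot chain is unchanged, and produces a nonce-bound quote that a verifier checks against a golden PCR digest. The attestation key is an HMAC secret shared with the verifier and the wrapping is an HMAC-based stream cipher; both are labelled simplifications of the asymmetric signing and storage-hierarchy wrapping a real chip performs. All measurements are constructed sample data.

```python
import hashlib
import hmac
import os

PCR_LEN = 32  # SHA-256 PCR bank; every PCR starts as all-zero bytes


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). Stand-in for the symmetric
    wrapping a real TPM does under its storage hierarchy; not for production use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyTPM:
    """Constructed model (hypothetical) of a TPM's PCR bank, sealing and quoting."""

    def __init__(self, n_pcrs: int = 8):
        self.pcrs = [bytes(PCR_LEN)] * n_pcrs
        self._srk = os.urandom(32)  # stand-in for the chip-resident storage root key
        self._ak = os.urandom(32)   # stand-in for the attestation key (HMAC here, not RSA/ECC)

    def extend(self, index: int, measurement: bytes) -> None:
        """PCR[i] = H(PCR[i] || H(measurement)): values can only be extended, never set."""
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + hashlib.sha256(measurement).digest()).digest()

    def pcr_digest(self, selection) -> bytes:
        """Composite digest over the selected PCRs, the value policies and quotes are built on."""
        h = hashlib.sha256()
        for i in selection:
            h.update(self.pcrs[i])
        return h.digest()

    def _seal_key(self, selection) -> bytes:
        # Key depends on the chip secret AND the current PCR state, so a different
        # boot chain derives a different key and the integrity tag no longer verifies.
        return hmac.new(self._srk, b"seal" + self.pcr_digest(selection), hashlib.sha256).digest()

    def seal(self, secret: bytes, selection) -> dict:
        """Bind a secret to the present values of the selected PCRs."""
        key, nonce = self._seal_key(selection), os.urandom(16)
        ct = _keystream_xor(key, nonce, secret)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return {"selection": tuple(selection), "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob: dict):
        """Return the secret only while the selected PCRs still match the sealing state."""
        key = self._seal_key(blob["selection"])
        tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None  # PCR mismatch: wrong key, tag check fails, nothing released
        return _keystream_xor(key, blob["nonce"], blob["ct"])

    def quote(self, selection, verifier_nonce: bytes) -> dict:
        """Sign the selected PCR digest together with the verifier's freshness nonce."""
        digest = self.pcr_digest(selection)
        msg = verifier_nonce + bytes(selection) + digest
        sig = hmac.new(self._ak, msg, hashlib.sha256).digest()
        return {"selection": tuple(selection), "nonce": verifier_nonce, "pcr_digest": digest, "sig": sig}


def verify_quote(ak: bytes, quote: dict, expected_nonce: bytes, golden_digest: bytes) -> bool:
    """Verifier side: signature valid, nonce fresh, PCR digest matches a known-good build."""
    msg = quote["nonce"] + bytes(quote["selection"]) + quote["pcr_digest"]
    sig_ok = hmac.compare_digest(hmac.new(ak, msg, hashlib.sha256).digest(), quote["sig"])
    return sig_ok and quote["nonce"] == expected_nonce and quote["pcr_digest"] == golden_digest


def demo() -> dict:
    """Good boot, seal, attest; then reboot the same chip with a modified kernel."""
    good_boot = [(0, b"firmware v1"), (4, b"bootloader v1"), (7, b"kernel v1")]  # constructed measurements
    sel = (0, 4, 7)

    golden_ref = ToyTPM()  # reference build: what the verifier expects to see
    for idx, m in good_boot:
        golden_ref.extend(idx, m)
    golden = golden_ref.pcr_digest(sel)

    tpm = ToyTPM()
    for idx, m in good_boot:
        tpm.extend(idx, m)
    secret = b"volume-key-0123456789abcdef"
    blob = tpm.seal(secret, sel)
    nonce = os.urandom(16)
    q = tpm.quote(sel, nonce)
    results = {
        "unsealed_ok": tpm.unseal(blob) == secret,
        "quote_ok": verify_quote(tpm._ak, q, nonce, golden),
        "replay_ok": verify_quote(tpm._ak, q, os.urandom(16), golden),  # old quote, new challenge
    }

    tpm.pcrs = [bytes(PCR_LEN)] * len(tpm.pcrs)  # power cycle: PCRs reset, chip secrets persist
    for idx, m in [(0, b"firmware v1"), (4, b"bootloader v1"), (7, b"kernel v1 (modified)")]:
        tpm.extend(idx, m)
    results["unseal_after_tamper"] = tpm.unseal(blob)
    results["tampered_quote_ok"] = verify_quote(tpm._ak, tpm.quote(sel, nonce), nonce, golden)
    return results


if __name__ == "__main__":
    print(demo())
```

The two failure paths are the ones worth watching in a real deployment: a changed kernel measurement makes `unseal` return nothing (this is the mechanism behind a BitLocker recovery prompt after a firmware or boot-chain change), and a quote replayed against a fresh challenge is rejected because the nonce is inside the signed message.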


#12 Torolol

Torolol

  • 3,030 posts
  • Joined: 24-November 12

Posted 03 August 2014 - 04:42

My main complaint about TPM is that its 'insides' cannot be publicly/openly audited.



#13 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • 19,464 posts
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 03 August 2014 - 10:43

My main complaint about TPM is that its 'insides' cannot be publicly/openly audited.


Yeah, that's a big problem. There are similar concerns about the Intel hardware RNG because of how it's designed (it uses AES as a whitening method), and people just don't know whether to trust it or not.

Really, I just don't trust it; having encryption/key storage as a secret black box is just a bad idea.

#14 Jared-

Jared-

    Pick it, pack it, light it up...

  • 226 posts
  • Joined: 02-October 07
  • Location: Melbourne, Australia
  • OS: Windows Server\OS X

Posted 03 August 2014 - 12:08

So true. There are some minor additional expenses with TPM security, but it can mitigate huge security breaches/loss of customer data. Only takes one knucklehead to lose a laptop with sensitive data...

 

This is why in all the task sequences I put together, I enable Bitlocker (especially on laptops). I know TPM would offer more, but yeah just saying one example to help combat this (and hopefully other IT pros are enabling this).