Built-In Security
By John Moore | Posted 2007-05-14
Papa Gino's, which operates pizzerias and sandwich shops, wanted to lock down data on scores of laptops and PCs. It turned to the Trusted Platform Module, which is already built into its computers.
Trusted Platform Module is a relatively recent development. How did you get into TPM, and what do you perceive as the main benefits of going in that direction?
It's an interesting mind-set, that's for sure. I don't think people are used to the security being built into the devices that they buy. When somebody buys a computer, they assume that they own that computer and they can trust that computer, which really is not the case. It really belongs to whoever was able to drop a rootkit on it.
One of the things that TPM does is it introduces integrity back into the environment so that the only one who's authorized to do something on any particular device is in fact the owner.
Just to walk you through a scenario: When somebody goes to their laptop, they've got built-in finger swipe with the Dell laptop. Then you bring the pre-boot authentication. That alone is a big step because they leave the laptop in the car or something and they get it stolen. You don't have to worry about somebody else being able to have access to the data on the laptop.
What other benefits do you see?
One of the side benefits and something we hadn't intended is that long, complex passwords are no longer an obstacle. The longer a password, the greater the chances are of forgetting that password.
Long, complex passwords are a nightmare for people to remember. This nightmare is passed along to the I.T. staff that support the end user. First, you need to track down someone to reset the password, and then entering a new long, complex password doesn't always go as smoothly as you'd like. The process costs roughly $30 on average in support costs per call. TPM-protected biometrics have allowed our team members to simply use their PC or laptop as a useful, secure toolbox again without worrying about how to access the tools inside.
And so, what's interesting is, by making laptops and PCs infinitely more secure, we've also made them infinitely easier to use. And that's not something that we thought about ahead of time, to be honest with you.
Did any particular event prompt you to look into TPM?
Really, the thing that caught our eye initially was that in our finance department, it's normal for folks to want to use something more than Windows file permissions to protect their work. And so, we had some employees who were using password protections on Excel and Word files, and were using third-party encryption packages.
Well, those are very difficult to recover from, if at all, if somebody forgets their password or loses the encryption key. And so, we wanted to eliminate this ad hoc security. We saw an opportunity, by having this open-standards platform, to be able to do that and centrally manage the process as well.
Did you have any security breaches prior to deploying Trusted Platform Module chips?
We had a case where somebody at home had their system compromised via the Blaster worm and then they connected to the network. Well, that was something that antivirus couldn't help you with. That was something that a firewall couldn't help you with.
Less than a handful of folks got impacted because of that, but it was a real wake-up call that said to us, "Guess what? You're putting a whole lot of faith in the fundamental integrity of the OS to protect you."
Have you had any breaches since?
No. Absolutely not.
How long have you had the TPM strategy in place?
We've been rolling it out since March 2005. Our budget is such that we can't just do a rip and replace. We just roll it out as we retire old equipment, basically.