Management Challenge
By John Moore | Posted 2007-05-14
Modernizing Authentication — What It Takes to Transform Secure Access
Papa Gino's, which operates pizzerias and sandwich shops, wanted to lock down data on scores of laptops and PCs. It turned to the Trusted Platform Module, which is already built into its computers.
We've heard that one of the reasons TPM hasn't been more widely used, despite the potential to bolster security, is the management challenge. Do you use software to manage TPM across your laptops and desktops?
We use Wave Systems' Embassy Trust Suite, Dell Edition. What Embassy allows us to do is centrally manage the whole solution. We can have TPM keys that are escrowed onto an Embassy Key Management Server. You can easily recover keys.
What else can you do with the software and TPM?
One of the things folks do here is create what are called data vaults. All they need to do is use Windows Explorer to create a folder as they normally would, and then use Embassy Trust Suite's Document Manager to associate the folder with a vault name of their choice. The Embassy Suite product is tightly integrated into Microsoft Office. You can either click on a save-and-encrypt icon within the Office suite of products, or drag and drop a file into your data vault where it is automatically encrypted.
I.T. departments are watching their security budgets. How does the TPM chip factor into that?
One of the things that TPM allows you to do is implement state-of-the-art robust security at a very low cost. The hardware is already in your laptops that you buy today. All you've got to do is turn it on.
And have the means for managing it.
Exactly. For the cost of an antivirus seat, you now have far more security and integrity.
Does that mean you no longer need to use antivirus?
No. What I would love to see is antivirus become TPM-aware, so that users never have to worry about somebody trying to disable the antivirus, for instance.
Down the road, who knows? It's hard to envision how that will go.
What's the broader I.T. environment here? You have people with laptops accessing applications via a Citrix server. What are those applications?
It's a whole variety, really. It could be something as simple as Outlook, or it could be JD Edwards-type financials. What TPMs allow you to do is really have this sort of bulletproof integrity back in the system.
What do you see as the biggest threat now facing your organization in terms of security?
There's research that says it takes four minutes for a device to be compromised once it touches the Internet. So, the problem here is, if your device has lost integrity, any information that you put on there is potentially subject to manipulation.
Data integrity can only be guaranteed in a verifiably trustworthy environment. Only TPMs provide this level of trust. TPMs are a ubiquitous, inexpensive piece of open-standards hardware in laptops and desktops that establishes this verifiable level of data integrity.
I would think it would be a no-brainer for auditors to demand TPMs be turned on. Not to do so could be criminal negligence, in my opinion.
Based on your work with TPM and other security measures, do you have any words of advice for other technology managers?
I think just being aware that TPMs exist on laptops and desktops today is a good start. And I think that awareness has definitely increased. The second piece that folks need to be aware of is that there are applications that are pre-bundled on laptops and desktops today, so they could start to use this TPM right away at no additional cost.
And they can do some pretty cool stuff with that. They can do pre-boot authentication. They can protect their online identities, using TPM. All of that at no additional cost.
So, how critical is the Trusted Platform Module to your company's overall security strategy?
I'd say it's absolutely fundamental to security. You know, it's hard to stress enough that this perception of your laptop or desktop belonging to you is just totally untrue. The only way to introduce that reality is to make sure that the device has integrity. And the only way to do that is with this hardened security.