Microsoft: Internet, PCs Need New Security Model
www.internetnews.com/security/article.php/3816701
By Janet Rae-Dupree
April 22, 2009
SAN FRANCISCO -- Scott Charney admits it. His friends laughed because he used the words "Microsoft" and "security" in the same sentence back when he joined the software giant in 2002.
But with Microsoft's (NASDAQ: MSFT) big push into what it calls end-to-end trust, it's time for the laughter to stop, says its chief security strategist, more formally known as corporate vice president for trustworthy computing.
During a keynote presentation here at the RSA Conference, Charney touted Microsoft's progress with ways of ensuring that applications and other executables are legitimate, like identity systems, code signing, and Trusted Platform Modules (TPMs) -- microcontrollers, often based on a PC's motherboard, that store digital certificates, keys and passwords.
TPMs, especially, are critical in Microsoft's vision of how security needs to develop. While the company has been pushing these technologies for nearly a decade, Charney said he believes that security has reached a point where dealing with it purely on the software side isn't enough.
Trust is crucial to continued growth on the Internet, he said, and "we have to root trust in hardware, because it's less malleable than software."
And that, of course, requires collaboration and cooperation across the board -- software and hardware vendors, consumers, enterprises, and society as a whole.
"We need to have alignment," he said. "We need alignment between social forces, economic forces, political forces, and IT. Too often, the information technology community has a solution, but they can't figure out how to monetize it or it's not acceptable for some other reason. Too often, the politicians may have an objective, a worthy one like protecting children online, but the technology is not supportive and it has too many unintended consequences."
"Too often, good ideas fail because the alignment isn't there," he added.
The goal of Microsoft's End-to-End Trust Initiative, launched at last year's RSA Conference, is to build a "trusted stack" incorporating all these layers by weaving in components to authenticate everything, including the user, the applications, the hardware and even the data itself.
He noted that the beta release of Windows 7 includes TPM support to enable encryption at the hardware level. Vista tried to accomplish much the same thing with BitLocker, and Windows 7 will also secure portable USB devices through an encryption feature called BitLocker-to-Go.
"Trust" doesn't mean the same thing to everyone, Charney said. "I do not mean absolute trust. This is not a binary concept," he said. "Trust has to be reasonable and relative to what you're trying to accomplish."
Charney touted Microsoft's claims-based identity system, called Geneva, which is currently being tested in a Washington school district of 50 schools and nearly 24,000 students. Under the system, students, parents, teachers and administrators establish their identity in person at the outset, and then receive netbooks with their identity information encoded on them, which allows them to access educational materials online.
One highlighted example showed an online calendar that displayed only the events and activities directly related to the specific user accessing it.
The idea, he said, is to create a different model for thinking about identity that doesn't rely on "secrets" such as place of birth or mother's maiden name that aren't in fact secret at all.
"The Internet has created incredible opportunities for our society such as e-commerce, new social interactions and more efficient government," he said. "But it has also attracted the attention of criminals. While we believe the benefits of using the Internet far outweigh the risks, people still need to be safer online than they are today."
Blog: TCG Rolls Out Certification Program
by Brian Berger, Wave Systems Corp.
TCG is delighted to announce that it is putting in place a formal TCG Certification Program for TPM. TCG will publish a certified products list on the TCG website, providing a reference for customers to help ensure security and correctness of TPM implementations. Based on feedback from our membership, TCG believes that the certification "seal of approval" will also help companies market their products, since many buyers look for some type of certification when evaluating vendors.
The program is initially open to TCG member products only. The TPM certification program in particular will allow members to do the compliance functional testing themselves, using TCG provided test suites, and submit the results of those test suites to the TCG. On the other hand, TPM security evaluation will require the use of a Common Criteria Lab for the product to be certified against a protection profile published by the TCG. TCG also recognizes that many organisations use TCG specifications who are not yet TCG members. Therefore TCG is considering how to work with non-members to certify their products, should there be sufficient interest. TCG will keep you posted on that important issue.
Looking beyond TPMs, the TCG is planning a certification program which will be launched in the fall of 2009 for a set of Trusted Network Connect specifications.
TCG will list certified products on its website and will help promote these products through its marketing activities. Look for more information on this new program in coming months here and at our website, http://www.trustedcomputinggroup.org/certification.
Replacing Vulnerable Software with Secure Hardware
The Trusted Platform Module (TPM) and How to Use It in the Enterprise
With the support of over 140 leading hardware, component, software, service, computing, networking, storage, and mobile phone companies, the Trusted Computing Group (TCG) has developed and continues to develop open industry standards to deliver products and services with a higher level of trust to users. This trust is based upon a hardware element called a Trusted Platform Module (TPM).
In systems such as PCs and servers, the TPM is typically a microcontroller that securely stores passwords and digital keys and certificates that can provide unique identification. The TPM can be a separate integrated circuit (IC) or an embedded portion of another IC, such as an Ethernet controller. Using standard software interfaces, the TPM works with other security methodologies to ensure deployment of secure applications.
In the TPM, a co-processor handles cryptographic operations such as asymmetric key generation (RSA), asymmetric encryption/decryption (RSA), hashing (SHA-1), and random number generation (RNG).
With increasing threats to security and the increasing cost of security breaches, the TPM provides privacy protection and interoperability across multiple platforms. Based on open, vendor-neutral specifications, the architecture of TPM ICs provides flexible implementation by system and device manufacturers as well as flexible deployment by the owners of these solutions. An organization that uses TPM-capable computing and communication products obtains greater security without lowering productivity or introducing new obstacles in manageability.
In addition to computers, hardware-based, embedded security subsystems that use TCG technology and include TPM capabilities can provide reliable and cost-effective protection for cell phones and PDAs and enable the enforcement of strong security policies to ensure trustworthy transactions for these wireless devices. In storage systems, the TPM can enable disk encryption and capabilities for trusted drives and network security.
Companies that have previously developed and currently market TPM chips, software, TPM-capable motherboards, and system-level products that comply with TCG specifications include: Atmel, Broadcom, Dell Computer, Fujitsu, Hewlett-Packard, IBM, Infineon, Intel, Lenovo, National Semiconductor, NTRU, Softex, STMicroelectronics, Utimaco Safeware AG, Wave Systems and many others. In addition to PCs, the TPM provides security in voting machines, set top boxes, POS terminals, and ATMs.
One of the major TPM successes in 2007 was its use in Microsoft's Windows Vista operating system as part of the BitLocker Drive Encryption feature. In the Ultimate and Enterprise editions of Windows Vista, BitLocker encrypts the computer's boot volume and provides integrity authentication for a trusted boot pathway. Built-in command-line tools allow the encryption of other volumes as well. TPM and BitLocker support for additional cryptographic features and expanded volume encryption are expected to proliferate in future Windows versions.
Prior to Microsoft's utilization of the TPM's capabilities, over 70 million desktop and portable PCs with TPMs were estimated as shipped. This number is expected to increase to over 200 million in 2008. The TPM can also be found in servers and with the recent publication of TCG's Mobile Trusted Module Specification that uses a subset of TPM commands, mobile phones and other types of mobile devices may include a TPM in the future.
Using the TPM
In addition to the TPM's well-established role in desktop computers and use in Microsoft's Vista operating system, it has demonstrated its value in several other applications. In the enterprise environment, one of its critical and unique roles is eliminating deceptive endpoints in Network Access Control (NAC). In NAC, an endpoint infected by a virus or other malware may lie about its health status, gain access to the network, and infect other machines. While software can provide a level of protection, software is vulnerable to attacks as well. The limitations of software-based approaches can be overcome by using the TPM with its hardware-based security. In TCG's Trusted Network Connect (TNC) architecture, the TPM is used for integrity measurement and remote attestation.
During the boot process, the TPM measures (hashes) all the critical software and firmware components, including the BIOS, boot loader, and operating system kernel, before they are loaded. Because the measurements are taken before the software runs and are stored in the TPM, they are isolated from subsequent modification attempts. When the PC connects to the network, the stored measurements are sent to the TNC server and checked against the server's list of acceptable configurations; if they do not match, the endpoint is quarantined as potentially infected. This is just one example of the TPM's usage, however.
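The measurement-and-attestation flow described above, as an added example that is not code from the article, TCG or Microsoft. It simulates the TPM 1.2-era PCR extend operation (PCR_new = SHA-1(PCR_old || measurement), a standard TPM fact) over constructed stand-in boot images, and then plays both sides of the TNC exchange: the endpoint reports a PCR value, the TPM quotes it, and the server admits or quarantines. The attestation key is modelled as an HMAC secret shared only by the TPM and the verifier; a real TPM signs quotes with an RSA attestation identity key. The three outcomes shown are a clean boot, a tampered boot loader, and a deceptive endpoint that reports the known-good PCR while its TPM quotes the real one.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed, illustrative boot images. A real platform hashes the actual BIOS,
# boot loader and kernel binaries; these byte strings only stand in for them.
KNOWN_GOOD_CHAIN: List[Tuple[str, bytes]] = [
    ("bios", b"constructed-bios-image-v1.2"),
    ("bootloader", b"constructed-bootloader-v3"),
    ("kernel", b"constructed-kernel-image"),
]
TAMPERED_CHAIN = [(n, img if n != "bootloader" else b"constructed-bootkit")
                  for n, img in KNOWN_GOOD_CHAIN]

PCR_RESET = bytes(20)  # a 20-byte SHA-1 PCR reads all zeros at power-on

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || measurement).
    One-way and order-sensitive: a PCR can be appended to, never rewritten."""
    return hashlib.sha1(pcr + measurement).digest()

def measured_boot(chain: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Hash each component *before* it runs and fold the hash into the PCR.
    Returns the final PCR and the event log that explains how it was reached."""
    pcr, event_log = PCR_RESET, []
    for name, image in chain:
        digest = hashlib.sha1(image).digest()
        pcr = pcr_extend(pcr, digest)
        event_log.append((name, digest.hex()))
    return pcr, event_log

# Assumption: the TPM's attestation identity key is modelled as an HMAC secret that
# only the TPM and the verifier hold. The OS never sees it, so it cannot forge quotes.
TPM_AIK_SECRET = b"constructed-aik-secret-never-exposed-to-the-os"

def tpm_quote(pcr: bytes, nonce: bytes) -> bytes:
    """Quote = MAC(AIK, nonce || PCR). The verifier's fresh nonce defeats replay."""
    return hmac.new(TPM_AIK_SECRET, nonce + pcr, hashlib.sha256).digest()

def tnc_verify(nonce: bytes, reported_pcr: bytes, quote: bytes,
               acceptable: List[bytes]) -> str:
    """Server side: reject forged quotes first, then compare against the whitelist."""
    if not hmac.compare_digest(quote, tpm_quote(reported_pcr, nonce)):
        return "quarantine: quote does not verify (endpoint lied about its PCR)"
    if reported_pcr not in acceptable:
        return "quarantine: unknown boot configuration"
    return "admit"

def demo(chain: List[Tuple[str, bytes]], claimed_pcr: Optional[bytes] = None) -> str:
    """Boot the given chain, then attest to a server whose only acceptable
    configuration is KNOWN_GOOD_CHAIN. If claimed_pcr is set, the OS-side agent
    reports that value instead of the true PCR (a deceptive endpoint)."""
    golden_pcr, _ = measured_boot(KNOWN_GOOD_CHAIN)   # server's reference value
    true_pcr, _ = measured_boot(chain)
    nonce = hashlib.sha1(b"constructed-server-nonce").digest()  # fixed for reproducibility
    quote = tpm_quote(true_pcr, nonce)        # the TPM only ever quotes the real PCR
    reported = claimed_pcr if claimed_pcr is not None else true_pcr
    return tnc_verify(nonce, reported, quote, [golden_pcr])

if __name__ == "__main__":
    golden, log = measured_boot(KNOWN_GOOD_CHAIN)
    print("event log:", log)
    print("clean boot:        ", demo(KNOWN_GOOD_CHAIN))
    print("tampered boot:     ", demo(TAMPERED_CHAIN))
    print("deceptive endpoint:", demo(TAMPERED_CHAIN, claimed_pcr=golden))
```

The point of the deceptive-endpoint case is the one the article makes: a software agent on an infected machine can claim any health status it likes, but it cannot produce a valid quote for a PCR value the TPM never held, so the server's comparison still fails closed.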
TCG's Storage Work Group has developed security protocols to enable trusted storage, such as on hard disk drives. In one user scenario for trusted drives, when the authentication screen is displayed, the user simply selects a user ID and enters a password, much as with normal software-only protection schemes. The difference is that the user is confirmed by the drive itself and, once confirmed, the drive unlocks and the OS boots normally. Another trusted storage function is Full Disk Encryption (FDE), which encrypts everything on the drive using the drive's own hardware. FDE protects against loss or theft, as well as re-purposing and end-of-life disposal: an FDE drive can be rapidly erased simply by deleting the key under administrator control.
Organizations that have applied TPM-based trusted computing include pharmaceutical companies protecting trade secrets and authenticating remote access, a pizza franchise chain transmitting and receiving sensitive financial data and employee records, and a car rental company securing PCs in thousands of locations that handle confidential customer personal and financial data. Even the U.S. government's National Security Agency (NSA) is evaluating full disk encryption with the associated credentials stored in the computer's TPM.
In spite of overwhelming indication of the need for improved protection for users of a variety of computing-based systems, including the enterprise network itself, a few remaining naysayers continue to voice skepticism for TCG's efforts. Among the misperceptions about the TPM are:
• It will take years before enough large companies and ISVs utilize the TPM
• There is insufficient justification for implementing a TPM
• Software can do the job without new hardware
However, Microsoft's and other leading companies' use of the TPM, and its ability to provide an improved solution to issues such as the deceptive endpoint problem, should dispel these misconceptions and accelerate the acceptance of the TPM to increase security in products and across the entire enterprise network.
Building on the foundation of the Trusted Platform Module, TCG members have invested extensive effort to develop open, industry-wide specifications for essentially every software aspect that impacts the enterprise and requires security. When TCG's specifications are implemented in PCs, servers, storage devices, mobile phones, PDAs, and the network, the enterprise-wide protection will essentially create a trusted enterprise.
The Trusted Computing Group's home page provides direct links to its efforts in PCs, servers, the software stack, infrastructure, networking, mobile phones, storage, and hard copy as well as the TPM.
Lenovo shows tool to manage encrypted drives
http://www.techworld.com/security/news/index.cfm?newsID=114586&pagtype=samechan
PC maker Lenovo hopes to give IT managers a helping hand with encrypted hard drive systems after announcing a new password management tool.
Called Hardware Password Manager, the tool is designed to allow system administrators to manage and reset staff passwords with all brands of hard drives, including those that have full disk encryption. A demonstration of the product can be seen here on YouTube.
Encrypting hard drives is often used as a way to protect confidential data, but when a password is lost (if the employee is made redundant for example) or is forgotten, administrators are often unable to decrypt the data and have to "burn the hardware".
Lenovo cited a Gartner study that found that helpdesk related calls, including password resets, can cost companies up to $18 (£12.35) per call, which can add up quickly across a large organisation. It also found that 30 percent of the total call load for multipurpose help desk calls are password related and that password management can help reduce that volume by 70 percent.
The Lenovo tool has remote management capabilities built in, so even if the machine is outside the corporate VPN, IT administrators can easily deploy, remotely manage and reset the hard drive passwords of any staff member.
Essentially, the tool allows the IT department to create an administrative user ID and hardware password within a "vault" in the PC's BIOS. The IT personnel can then deploy the PC or remotely send the installation package to a staff member's PC when he is out in the field.
When the staff member turns his PC on, he will choose a unique user ID and password to access the PC's hard drive. Similarly, when the employee enters his user ID and password, it will also unlock the fully encrypted hard drive. This ID and password could be the employee's Windows Domain user ID and password.
But if the staff member forgets or loses their password, there are a number of recovery methods. He can either log onto the company's intranet through a wired connection, and using his intranet credentials, re-enroll a new password. He can also be given access by the IT administrator to an emergency account already created in the BIOS vault in the PC (just for this purpose).
Finally, he can also bypass the prompt for the Hardware Password Manager and enter the real hardware passwords (provided by the IT dept). Then the helpdesk can simply deregister the old "vault" remotely to allow the user to re-enroll a new ID and password.
Lenovo says that the Hardware Password Manager also allows for the central management of the BIOS Supervisor password, which allows the IT department to control the configuration of the BIOS settings of all its PC assets.
"Encrypting drives offer state of the art protection for PC data, but companies everywhere previously had difficulty managing them," said Peter Schrady, vice president and general manager, Enterprise, Software and Peripherals, Lenovo, in a statement.
"Lenovo's new Hardware Password Manager product provides an easy tool to reset passwords by remote control, including full-encryption drives," he said. "This is the world's only solution to centrally manage all available brands of fully encrypting drives. The fact that it can also utilise our fingerprint reader to access encrypted drives makes it even better."
The tool is expected to be available in early May and there is no word on pricing yet. Lenovo says it will work on "many Lenovo Think-branded laptops and desktops." Specifically, it says that Lenovo's ThinkPad X301, X200, X200s, X200 Tablet, T500, T400, R500, R400, W700, W700ds and ThinkCentre M58/M58p desktop will support the technology.
Standards Matter: The Battle For Interoperability Goes On
http://www.informationweek.com/news/infrastructure/management/showArticle.jhtml?articleID=216600011
Lenovo unveils Hardware Password Manager
http://www.echannelline.com/usa/story.cfm?item=24446
by Mark Cox
Lenovo has announced the Lenovo Hardware Password Manager, a universal tool that allows companies to get full value from hard disk encryption by letting IT administrators remotely manage employee hard drive passwords.
"This is an industry first," said Stacy Cannady, product manager, security, at Lenovo. "No one else is able to centrally manage all available brands of fully encrypted drives."
Cannady said that the full potential of encrypted drives had not been realized previously because they were such a nuisance to manage that many companies chose not to deploy them. The core of the management technology has existed for years, having been developed by IBM in the 1980s. But applying it in a way that conformed with modern privacy laws, particularly in the EU, where such laws are more stringent, was one challenge. Doing it in the PC BIOS, where the difficulty of programming made OEMs understandably reluctant to see changes, was another. Consequently, adapting the IBM technology to this solution required four years of development.
Hardware Password Manager deals with these issues by using two separate passwords. IT administrators create the "real" password within a "vault" in the PC's BIOS. The administrator can then deploy the PC or remotely send the installation package to an employee's PC in the field. When the employee turns the PC on, he or she chooses a unique user ID and password to access the PC's hard drive. When the employee enters that user ID and password, it also unlocks the fully encrypted hard drive.
"The result is that the user does not know the 'real' password, and the administrator does not know individual users' passwords," Cannady said. But the administrator will have access to the encrypted drive if the user forgets their own password.
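The two-password arrangement described here, and the trusted-drive unlock and crypto-erase behaviour described earlier in the TCG article ("An FDE drive can be rapidly erased by simply deleting the key"), as one added example that is not Lenovo's, Samsung's or TCG's code. It models a self-encrypting drive whose media key never leaves the drive and is wrapped under a hardware password, and a BIOS vault that wraps that hardware password twice: once under the user's own password and once under IT's emergency credential. The cipher is a toy stand-in (SHAKE-256 keystream XOR plus an HMAC-SHA256 tag) for the drive's AES engine and whatever wrapping scheme a real vault uses; the passwords, credentials and sector contents are constructed. The walk-through shows the user unlocking with a password IT never sees, a wrong password failing closed, IT resetting the user remotely without learning either password, and a crypto-erase that leaves the right password useless because the key is gone.

```python
import hashlib
import hmac
import os
# Toy stand-in for the drive's AES engine and the vault's key wrapping: SHAKE-256 keystream
# XOR with an HMAC-SHA256 tag (encrypt-then-MAC). Illustrative only, not any vendor's design.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(n)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh nonce per call."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong credential fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong credential or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SelfEncryptingDrive:
    """FDE drive: the media encryption key (MEK) is generated inside the drive and never
    leaves it; at rest it is wrapped under the hardware ('real') password."""
    def __init__(self, hardware_password: str):
        self._salt = os.urandom(16)
        self._wrapped_mek = seal(kdf(hardware_password, self._salt), os.urandom(32))
        self._mek = None      # unwrapped copy, present only while powered on and unlocked
        self._sectors = {}
    def unlock(self, hardware_password: str) -> None:
        if self._wrapped_mek is None:
            raise PermissionError("media key destroyed: drive was crypto-erased")
        self._mek = unseal(kdf(hardware_password, self._salt), self._wrapped_mek)
    def power_cycle(self) -> None:
        self._mek = None      # locked again until the next pre-boot authentication
    def write(self, lba: int, data: bytes) -> None:
        self._sectors[lba] = seal(self._mek, data)   # everything is encrypted at rest
    def read(self, lba: int) -> bytes:
        return unseal(self._mek, self._sectors[lba])
    def crypto_erase(self) -> None:
        """Administrator-controlled erase: dropping the wrapped MEK makes every sector
        unreadable without overwriting any of them."""
        self._wrapped_mek = self._mek = None

class BiosVault:
    """Wraps the drive's real password twice: under the user's own password and under IT's
    emergency credential. The user never sees the real password; IT never sees the user's."""
    def __init__(self, hardware_password: str, admin_credential: str):
        self._admin_salt, self._user_salt = os.urandom(16), os.urandom(16)
        self._admin_slot = seal(kdf(admin_credential, self._admin_salt), hardware_password.encode())
        self._user_slot = None
        self._pending = hardware_password.encode()   # held only until first-boot enrollment
    def enroll_user(self, user_password: str) -> None:
        if self._pending is None:
            raise PermissionError("already enrolled; a reset must go through IT")
        self._user_slot = seal(kdf(user_password, self._user_salt), self._pending)
        self._pending = None
    def unlock_drive(self, user_password: str, drive: SelfEncryptingDrive) -> None:
        real_pw = unseal(kdf(user_password, self._user_salt), self._user_slot)
        drive.unlock(real_pw.decode())
    def admin_reset(self, admin_credential: str, new_user_password: str) -> None:
        """Remote reset: IT unwraps the real password with the emergency credential and
        re-enrolls the user under a new password, never learning the old one."""
        real_pw = unseal(kdf(admin_credential, self._admin_salt), self._admin_slot)
        self._user_salt = os.urandom(16)
        self._user_slot = seal(kdf(new_user_password, self._user_salt), real_pw)

def rejected(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False

def scenario() -> dict:
    """Provision, enroll, forget the password, reset remotely, then crypto-erase."""
    real_pw = os.urandom(16).hex()   # generated by IT; the user never sees it
    drive = SelfEncryptingDrive(real_pw)
    vault = BiosVault(real_pw, admin_credential="constructed-it-emergency-credential")
    vault.enroll_user("first-boot-user-pw")
    vault.unlock_drive("first-boot-user-pw", drive)
    drive.write(0, b"constructed payroll record")
    out = {"read_back": drive.read(0)}
    drive.power_cycle()
    out["wrong_pw_rejected"] = rejected(lambda: vault.unlock_drive("wrong-guess", drive))
    vault.admin_reset("constructed-it-emergency-credential", "new-user-pw")
    vault.unlock_drive("new-user-pw", drive)
    out["after_reset"] = drive.read(0)       # data survives the reset
    drive.crypto_erase()
    drive.power_cycle()
    out["erased"] = rejected(lambda: vault.unlock_drive("new-user-pw", drive))  # right password, key gone
    return out

if __name__ == "__main__":
    print(scenario())
```

The separation the article describes falls out of the wrapping: the vault stores only ciphertext of the real password, so a stolen vault image is useless without one of the two credentials, and the admin slot is what makes a remote reset possible without the user's password ever crossing the wire.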
Where companies do not manage employees' hard drive passwords, a drive would have to be sent to a third party for recovery if an employee forgot a password for their PC's hard drive, and if the drive happened to be encrypted, the data would be unrecoverable. For the small number of companies that do manage employees' passwords, password resets would most likely require on-site support, adding time and expense for the organization. A Gartner study found that help-desk related calls, including password resets, can cost companies up to $18 per call, which can add up quickly across a large organization.
Hardware Password Manager is thus particularly attractive to very large firms. But Cannady said that in some industries, particularly those related to defense, regulation and contract requirements mandate certain BIOS configurations, and without central management of the supervisor password, meeting that requirement can be costly and labor intensive. Password management is also attractive to companies that face compliance requirements, and this covers a broad range, from banks to doctors' offices to certain types of retail organizations.
While VAR opportunities with Hardware Password Manager in very large firms are likely limited, Cannady said that it has real potential for them as a managed services play.
"For VARs, there is a real opportunity here to create a managed services solution for smaller companies, who can see the value in having this provided as a service," he said.
Lenovo Hardware Password Manager will be available worldwide starting in early May.
Full disk encryption comes to SSDs for mobile devices, laptops
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9131684&intsrc=news_ts_head
Dell adds encrypted drives to its Latitude line of laptops
Lucas Mearian
April 16, 2009 (Computerworld) Samsung Electronics Co. announced today it is shipping its first self-encrypting solid-state disk (SSD) drives. The drives will come in 1.8-in. and 2.5-in. sizes for handheld devices and laptops, respectively.
In tandem with Samsung's announcement, Dell promptly introduced a suite of mobile data security technologies for its Latitude line of laptops, with native drive encryption expected to be available in the next few months.
"The drive, which is designed to deliver some of the fastest encrypted storage available, offers customers 8.5 times the shock tolerance versus standard notebook hard drives," Dell said in a statement.
Full disk encryption (FDE) is already a standard feature on some desktop and laptop hard disk drives, including Seagate's Momentus 5400 FDE.2 laptop drive. Samsung claims its SSD is the first to come with FDE.
While Samsung is not the first to offer hardware-based SSD encryption -- pureSilicon Inc. released its Renegade Series SSDs with hardware-based encryption in January -- Samsung is the first to offer the feature to the consumer market, according to Gene Ruth, a senior analyst with the Burton Group.
"For the laptop market, full disk encryption is a very important feature for security," Ruth said. "People are most likely to use these drives in a business environment and there it's a good and necessary thing. Also, for SSDs to be comparable to hard disk drives, encryption becomes another check mark."
Samsung's new drives, which come in 256GB, 128GB and 64GB capacities, use AES encryption along with management software from Wave Systems Corp. Samsung was unable to provide model numbers for the drives, but did say the FDE feature will be available on its latest SSDs.
Dell said the Samsung drives add to the company's encryption technologies, which can be managed remotely with the Wave Embassy Server.
"Samsung has combined the tremendous performance advantages of solid-state technology with integrated hardware encryption for drives designed especially for today's 'road warrior' professionals," Samsung's vice president of memory systems, Jim Elliott said in a statement. "Business users now get the best of performance and security in a single drive."
Samsung said its SSD performance is not affected by FDE, a drawback sometimes seen with hard drives.
The benefits of hardware encryption over today's software-only encryption approaches include faster performance, better security and an "always on" feature. "Because encryption keys and access credentials are generated and stored within the drive hardware, they never leave its confines and are never held in the operating system or by application software," Samsung said.
Jim McGregor, chief strategist at research firm In-Stat, said Samsung's announcement is yet another part of the software equation that could boost SSD adoption over time. "Everyone mentions security as a growing concern, [but] only enterprise customers typically pay close attention to it," he said. "In enterprise applications, it is increasingly important to be able to provide security for data in a market where computers are increasingly mobile and subject to theft."
Samsung said its 1.8-in. self-encrypting drive is the world's first encrypted storage drive of that size.
"Samsung is breaking new ground in performance and security with its solid-state FDE drives," said Wave CEO Steven Sprague. "With self-encrypting drives, users have the peace of mind that whatever's on the drive -- credit card numbers, medical records, sensitive personal data or intellectual property -- is always protected."
Each Samsung self-encrypting SSD, when ordered in a new computer, comes bundled with Wave's EMBASSY Trusted Drive Manager for life-cycle management of the drive, including pre-boot authentication to the drive and enrolling drive administrators and users. Trusted Drive Manager also enables the backup of drive credentials.
Wave's EMBASSY Remote Administration Server can also be purchased separately and will allow IT administrators to remotely turn on each SSD in seconds and provides detailed event logs for compliance to prove that the security settings were in place when a loss or theft occurs, Sprague said.
Dell also announced several other security features for its Latitude line:
• Dell ControlPoint Security Manager, for remote access to mobile security features and data management. Dell ControlPoint gathers hardware and security settings within a single user interface, ending the need to search through multiple control panels.
• Dell ControlVault, available on Dell Latitude E4200, E4300, E6400 and E6500 laptops, offering hardware-based security for storing and processing user passwords, biometric templates and security codes.
• Integrated RSA SecurID, a two-factor authentication method provided by EMC's RSA security division.
• User authentication: in addition to RSA SecurID or fingerprint authentication, an embedded multi-technology contactless smart card reader lets organizations implement multi-factor user authentication to verify user ID with HID Global iCLASS technology. This allows users to carry a single card that can be used for both logical and physical access control.
"With the new drives and Dell's broader security portfolio, customers can feel comfortable that their data will be secured not only from prying individuals, but also from destruction caused by the daily rigors of mobile computing," said Brian Beard, Samsung's SSD marketing manager.
Dell Offering Samsung Encrypted SSDs, Security Suite
http://www.eweek.com/c/a/Desktops-and-Notebooks/Dell-Offering-Samsung-Encrypted-SSDs-Security-Suite-129312/
By Michelle Maisto
2009-04-16
Dell is offering a new suite of mobile data security solutions in the coming months, including encrypted solid-state drives from Samsung. The news arrives on the same day that Lenovo announced its new remote management solution for fully encrypted hard drives.
Dell is rolling out a new suite of mobile data security solutions for its Latitude line of laptops, including encrypted solid-state drives from Samsung that are due in “the coming months.”
“We think of security in terms of being preventative and protective,” Dell senior product planner Craig Durr told eWEEK. “Preventative tends to be preventing unauthorized access and attacks from viruses and spam, and protective is in regard to protecting the asset itself and also the data.”
In conversations with Dell users, Durr says, “CIOs will say the computer is important, but the data is even more so.”
“The value of the solid-state drive is it adds durability to a weak part of the notebook,” said Durr. “You have no moving parts [with an SSD], so you get a more-reliable product with greater durability. And now we’re also overlaying encryption to the product.”
Dell’s new security suite will include:
• The Dell ControlPoint Security Manager, which gathers hardware and security settings within one user interface.
• The Dell ControlVault, which enables Dell Latitude E4200, E4300, E6400 and E6500 notebooks to be configured with a security engine that protects end-user security credentials. A hardware-based solution, it features a dedicated chip for storing and processing user passwords, biometric templates and security codes.
• An Integrated RSA SecurID, which offers two-factor authentication for hardware-level security for the storage of RSA SecurID software tokens and one-time password generation, eliminating the need for a separate hardware token.
“It’s the equivalent of soldering a one-time-password key fob to the motherboard,” said Durr. “You can store credentials and process them outside of the operating system, to help prevent unauthorized access [from things like sniffers].”
User authentication will also be heightened through a contactless smart card reader from HID, along with smart cards and fingerprint readers, enabling organizations to implement multi-factor authentication.
The Ponemon Institute reports that 41 percent of employers said that employees’ failure to use proper authentication or passwords represents the largest threat to their organizations’ confidential data.
Security is increasingly being taken more seriously, as more information becomes mobile, information breaches cost companies millions of dollars and customer confidence, and the public, press and government hold businesses to greater levels of accountability.
For example, Massachusetts has a state law in the works, scheduled to go into effect Jan. 1, 2010, mandating that businesses holding the personal information of Massachusetts residents be forced to encrypt the data on mobile devices or when wirelessly transmitted.
“These days, accountability is being rolled up to the highest level of business, to the CEO,” says Durr.
On April 16, Lenovo also announced a remote management solution for fully encrypted hard drives.
How much better are solid-state drives over hard disks?
http://dvice.com/archives/2009/04/ssd-vs-15000rpm.php
I have seen the future, and it is solid state. The solid-state disk (SSD) computing revolution has arrived, almost. Solid-state drives are, of course, like the flash drives in your camera, only bigger, and now, much faster. Devoid of moving parts, cool-running, quiet as a church mouse, energy-sipping and data crunching at light speed, these hard drives will be our medium for data storage for the foreseeable future.
We snagged a quartet of these mind-boggling wafers of goodness, and they gave us a fascinating peek into the future. Just how fast are they? We benchmarked them in a group of four, all lashed together in a single volume that uses teamwork to speed things up (known to geekdom as a RAID 0 array), and then we loaded up a singleton to see how it compares.
They're small. The four Intel X25-E SATA solid state drives we tested are actually 2.5-inch drives (each now selling for $848) adapted by Western Digital to fit into 3.5-inch drive cages. Surrounding the small and thin enclosures are heat sinks, hardly needed because these drives barely heat up at all.
They are completely silent. We loaded Windows XP onto an array of four of these drives, and the only drive noise we heard was the whine of the DVD as it offloaded its data onto the 4-SSD volume. Once the data was onto the drives, there was none of that mechanical grinding, clinking, humming and groaning that normally emanates from fast spinning drives. It's an eerie silence, but wonderfully serene.
They're fast. Intel's figured out how to get these NAND chips to access small files, a former weakness that was holding SSDs back. Using "Native Command Queuing" with a 10-channel flash controller, seek time is minimized, and the result is some lickety-split performance. It's almost as fast as RAM, but unlike RAM, that data permanently sticks to the solid-state disk, rather than going away when the PC is shut down as it does with RAM.
Read 'em and weep. Look at these numbers! TK per second for a single drive vs. TK for a SAS (serial-attached SCSI, the fastest) drive spinning at 15,000 rpm. And the clincher, TK MB/s when you stripe four of the babies together in a RAID 0 array. Goodness gracious.
We tested the drives using four different benchmarks, and all the results were similar to these from the Passmark PerformanceTest (download a free 32-bit or 64-bit trial here to test your system — we used the 64-bit version).
(Benchmark charts not reproduced; captions follow.)
The spinning drive almost keeps up with the SSD in sequential reading, but look how it gets manhandled with random seeks — it's 93.4% slower. Ouch.
When you gang up the SSDs in an array, they're substantially faster, especially the sequential reads, 202% faster than a single drive.
We gave the 15,000 RPM spinning disk array a head start, striping together six of them against the four SSDs. They still got smoked, especially in random seeks.
But boot time isn't affected as much. Check out these numbers, where shutdown time was strangely longer with the solid-state drives.
Bootup time to first cursor (min:sec):
SSD: 1:22
15K: 1:34
Shutdown (min:sec):
SSD: 0:28
15K: 0:11
They're still not perfect. While we didn't see any degradation in our four "single-level cell" (SLC) drives' performance after multiple tests, other reviewers have seen that problem in multi-level cell (MLC) devices such as Intel's 80GB and 160GB drives, saying that they slowed down as more data was written to them, and defragmentation utilities only made matters worse. But Intel's working on this problem, and recently released new firmware for those 80GB and 160GB SSDs that reportedly fixed the problem. Still, this is new tech, and not everything about it is perfect yet. Sounds like a good reason to wait awhile before jumping into the SSD game. Here's one last, and very big reason to wait:
They're crazy expensive. It's definitely not time to buy these suckers, oh no. Just watch and enjoy the tech for now and let the early adopters spend $1000 apiece for 64GB drives. That's roughly 4x-4.5x the price of already-pricey 15K SAS drives. Two years from now, many more drives will be solid-state, because prices will have plummeted to an affordable level, and those pesky fragmentation issues will be solved. Until then, rest assured that you've seen the future, and it's solid state.
Solid-State Drives Grow More Appealing
http://www.newsfactor.com/news/Solid-State-Drives-Are-Appealing/story.xhtml?story_id=100006IY8JJG&full_skip=1
By Sven Appel
April 16, 2009 7:19AM
Samsung offers an SSD drive with a 256GB capacity. Verbatim has a unique offer that could be of interest for notebook users. Its PCMCIA Express Card Standard -- coming in either 16, 32 or 64GB versions -- lets users pop a card into their notebook to expand its storage space. The card offers more space and quicker speeds than a USB stick.
Solid State Drives (SSD) are becoming standard in modern notebooks and netbooks, often replacing traditional hard drives. More and more, it's becoming common to retrofit older computers with SSDs, either as external hard drives or with PCMCIA cards.
Anyone in need of an especially fast hard drive should do well with an SSD. They work much faster than standard drives, which rely on magnetic storage, reported the German magazine PC Welt recently. A test of 10 SSD drives showed that users usually enjoy faster speeds, both with index and data searches, the report said.
Anyone interested in buying an SSD drive has a choice between MLC and SLC technology. An SLC device costs about 9 euros (12 dollars) per gigabyte, while the MLC costs about 1.80 euro per gigabyte. PC Welt recommends that anyone who can afford one, should opt for the SLC, since it offers steady high writing speeds and long life.
Compared with standard drives, SSDs have relatively small capacities. Magnetic drives have reached capacities of a terabyte (TB), with one producer even announcing a 2 TB model. Currently, SSD technology offers no more than 250 GB, and that costs 600 euros. For comparison's sake, a 500 GB standard drive costs significantly less than 100 euros.
Meanwhile, Buffalo Technology has an SSD external drive for sale. The LinkStation Mini transfers data wirelessly and thanks to the SSD technology is practically noiseless, according to the Dusseldorf-based manufacturer. The drive comes with two SSD drives, each containing 120 GB of space. This allows double copies, which protects against data loss. But that also pushes the price up toward 900 euros.
What do you get for the price? Unlike standard drives, SSDs have no moving parts, making them more shock resistant. Notebook users in crowded trains, for example, need not fear a crashed drive if a fellow passenger bumps into them. Additionally, SSDs are silent and relatively energy efficient.
SSDs are also faster than standard drives when it comes to accessing data in everyday applications. That's immediately obvious when switching on a computer: start-up times are roughly half of what they are with a magnetic drive.
Standard drives often split up data, spreading connected information across different parts of the platter. Tracking down all those fragments means repositioning the heads, which makes recall slow. SSDs sidestep that problem because every block costs the same to reach, so fragmentation carries no seek penalty. But there are exceptions: for large, contiguous transfers, standard drives can still be faster.
Storage is storage!
http://www.glgroup.com/News/Storage-is-storage-37490.html
* Western Digital is the number 2 HDD company, after Seagate
* WD has weathered the current economic situation better than many companies due to its focus on low cost HDD production
* Western Digital has not made any forays into the solid state storage market until this purchase
* Although Silicon Systems primary market focus is on embedded industrial and military type applications WD should learn a lot about flash products through this acquisition
Analysis
Western Digital announced that the company will acquire Silicon Systems for $65 million. Silicon Systems has a headquarters in Southern California, not too far from where Western Digital is headquartered. Silicon Systems makes solid state drives (SSDs) for the industrial and military market. Their products are used in embedded computing, industrial computers and equipment and military and aviation systems. Silicon Systems offers SSDs with SATA, EIDE, PC card, USB and CF interfaces in 2.5-inch and 1.8-inch form factors.
Western Digital gains some accretive storage business from the purchase but they also get some experienced solid state drive engineers used to working in demanding markets. WD will probably continue to support the current Silicon Systems products but we expect that the company will use this experience to expand into other markets.
In particular we consider it likely that WD will come out with SSD products for the so-called Tier 0 enterprise market. This market appears to be the one where SSD products are showing the most traction and where the higher price per GB of SSDs is off-set by the much faster performance, particularly in reading. In order to do this WD will need to introduce SAS, Fibre Channel and/or PCI express versions of solid state storage products.
In the enterprise market flash products are expanding the Tier 0 market where speed of delivery of content is most critical. The much faster read speed of flash memory compared to HDDs provides a less expensive alternative to volatile DRAM solid state drives and reduces the need to use over-provisioned HDD solutions to get faster data transfers. As shown in Coughlin Associates 2009 Digital Media and Entertainment Storage Report, flash-based SSDs are starting to play a significant role in content delivery systems.
WD’s experience with low cost production should give them an advantage in the SSD market. It is possible that WD will combine their leadership in enterprise ATA storage with SSD Tier 0 storage to offer very competitive initial price and operating cost storage components to the enterprise market and perhaps even impact the traditional high performance enterprise HDDs offered by Seagate, Toshiba (formerly Fujitsu) and Hitachi GST.
Analyses are solely the work of the authors and have not been edited or endorsed by GLG.
Looks like we'll be having some visitors:
Editor’s Note: Interested media and analysts can see Toshiba’s new self-encrypting drive technology by visiting the Wave Systems’ booth (#1039) at the RSA Conference. Toshiba’s Scott Wright also is available to offer insight on full disk encryption technology at the Wave Systems booth during show hours, or you may contact Erica Rios at (714) 662-5111 (erios@golinharris.com) to pre-arrange an appointment.
Security Conference Set
RSA Conference 2009 to be held in San Francisco
http://www.ddj.com/article/printableArticle.jhtml;jsessionid=JYJ1EJE2ZYKCGQSNDLRSKHSCJUNN2JVN?articleID=216500622&dept_url=/security/
By Dr. Dobb's Journal
Apr 14, 2009
The RSA Conference and Expo 2009 is slated to be held April 20-24 at the Moscone Center in San Francisco. Among the events scheduled at this cybersecurity event is a keynote on April 22 by Melissa Hathaway, Acting Senior Director for Cyberspace for the National Security Council (NSC) and Homeland Security Council, in which she will provide details about the Obama administration's 60-day comprehensive review to assess U.S. cyberspace policies and structures.
Other conference speakers will include John Chambers, Chairman and CEO of Cisco Systems; Scott Charney, Corporate Vice President for Trustworthy Computing, Engineering Excellence and Environmental Sustainability at Microsoft; Philippe Courtot, Chairman and CEO of Qualys; Arthur W. Coviello Jr., Executive Vice President of EMC and President of RSA (the Security Division of EMC); Dave DeWalt, Chief Executive Officer and President of McAfee; Dave Hansen, Corporate Senior Vice President and General Manager, Security Management Business Unit, CA; Enrique T. Salem, Chief Operating Officer and CEO-designate of Symantec; and Brian Smith, Chief Architect at TippingPoint.
Sessions at the conference will feature such topics as "Securing Tamper Resistant Devices--Introduction to Timing Attacks, SPA, and DPA," "Building an Enterprise-Strength Identity & Access Management Architecture," "The Evolution of Authentication," and "Smart Cards and Information Technology."
This year, the conference will also feature its inaugural Innovation Sandbox event, a half-day interactive program devoted to highlighting technological breakthroughs and solutions that are designed to help security practitioners tackle emerging security issues facing the industry.
Each year, the RSA Conference is built around a different theme highlighting a significant historical example of information security. In 2009, the influence of Edgar Allan Poe is the theme. Poe was fascinated by cryptography, which he often treated in his journalism and fiction. He concealed anagrams and hidden messages in his own poems. His famous story The Gold Bug centers on the solution of a cipher, which turns out to be a map to hidden private treasure.
Giving Government Power To Unplug The Internet
In the best-case scenario, that power could enable a president to prevent cyberattacks on the power grid, air traffic control systems or the root of the Internet.
By J. Nicholas Hoover, InformationWeek
April 9, 2009
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=216500090
As the U.S. government considers significant changes to federal cybersecurity regulations, one line item in proposed Senate legislation shows why companies and citizens should pay attention.
The bill would give the president explicit power to turn off computer networks in the interest of national security.
In the best-case scenario, that power could enable a president to prevent cyberattacks on the power grid, air traffic control systems, or the root of the Internet. On the other hand, the government would be given the power to shut down vital telecommunications, financial, and corporate networks with self-serving claims of national security interest.
The bill, from Sens. John Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, is part of a larger debate over what federal powers are necessary for cybersecurity. The bill and related legislation come as the Defense Department this week said it spent $100 million in just six months fighting cyberattacks and the White House nears completion of a national cybersecurity review.
If used correctly, the power isn't likely to be executed except in the direst of situations.
"I guess the question is, what criteria arises to that level, because we haven't yet seen it," said Bruce Brody, chief security officer for the Analysis Group and former chief information security officer at two federal agencies. "I do not foresee the set of circumstances that would cause him to pull the trigger unless the nation's critical infrastructure was under some very threatening circumstances."
According to a Wall Street Journal report on Wednesday, Russian and Chinese spies have hacked into the U.S. electrical grid and left behind malware. If true, the hacking raises the possibility of a scenario where the president or a top cybersecurity aide might need to take decisive action to turn off select parts of the power grid, for example in the case of an actual attack, in order to protect the nation's commerce.
A major attack on the Internet's root DNS servers, or more targeted at federal networks, could make it necessary for the president to order the shutdown of significant networks, said Rod Beckstrom, former Homeland Security cybersecurity director. That often can be combated without such extreme measures, by blocking certain IP addresses -- a presidential power also explicit in the Rockefeller-Snowe legislation -- or by taking other corrective measures.
But "if you've got a foreign hostile party with 100 coordinated hackers attacking you at any one time, or a bot army, the most effective thing you can do might be to unplug," Beckstrom said. In any such circumstance, he said, a civil liberties board would be put in place that could override the president's decision, though it could also be overridden. Another option -- aimed at maintaining security while preserving commercial activities and civil liberties -- may be to require private network operators to police their own networks in the case of a major cyberattack.
"Once you give that extraordinary power, it will be hard to walk back from it," said Leslie Harris, executive director of the Center for Democracy and Technology. "Let's figure out the problems, figure out if targeted legislation is necessary, and then do that in a way that is warranted and measured. The potential for abuse and inappropriate use in the wrong administration is something we should not be enacting."
Wave & Pre-Conference Sessions on Trusted Computing
http://www.wavesys.com/news/events/RSA2009/
TCG Continues Popular Hands-On Labs at RSA Conference 2009
https://www.trustedcomputinggroup.org/blog/
April 8th, 2009 by Brian Berger
By Brian Berger, Wave Systems Corp.
Get your comfy shoes and business cards ready — it’s that time of the year! In less than two weeks, the leading security and computing vendors will gather in San Francisco at the RSA Conference! Four years ago, we here at Trusted Computing Group tried something that was a bit new for us and for the conference: we hosted a session the Monday before the “real” conference to talk to attendees about what then were some really new industry standards for trust in hardware and associated security. To our surprise, we got quite a large crowd (providing lunch might have helped). The folks at RSA thought it was a great idea to have this content available, so we have continued the tradition. Last year, we had to close the doors to additional attendees because the room was beyond capacity and the fire marshal was going to come after us.
This year, we have expanded the idea a bit. The “Turning on the Trust: A Developer and End User Lab to Enable Higher Security for Clients, Networks and Storage Devices” session will keep the hands-on element, meaning attendees can touch and feel systems that use Trusted Computing specifications. But because RSA draws an increasingly diverse crowd, we are offering sessions targeted to developers and sessions for IT users. This means that people interested in learning how these specifications work and how they can be embedded into hardware and applications can get detailed information and examples from those in the trenches.
For the IT community that is facing specific challenges such as data protection, authentication, network security and the like, the afternoon sessions will focus on how to USE these products and services. Speakers who have experience deploying network security equipment to control who gets on the network, for example, will talk about what works and what does not. Users who have set up their Trusted Platform Modules in large numbers of clients will talk about their experiences. We hope you will walk away with some good information, ideas and notes on what you can do with Trusted Computing. And trust us, it’s not that hard to take real advantage of equipment and technologies that you probably already have!
Both sessions will run Monday, April 20, in the Orange Rooms 130-133 at Moscone Center North. Full session descriptions and the latest agenda can be seen on the RSA Conference 2009 page. To register to attend the TCG seminar, please visit http://www.rsaconference.com/2009/US/Home.aspx . Because these sessions have been very popular, we encourage you to register in advance.
You can see demos of various TCG technologies also at the TCG booth #2133 during RSA. Safe travels and hope to see you there!
TNC Implementers Demo Interoperability
http://www.tradingmarkets.com/.site/news/Stock%20News/2264676/
Apr 09, 2009 -- Fifteen companies and organizations participated in testing a growing number of implementations of the Trusted Computing Group's Trusted Network Connect (TNC) specifications for network security and network access control.
Enterasys Networks, Fujitsu Limited, Great Bay Software, Infoblox, Juniper Networks, Lumeta, Trapeze Networks and several others participated in the group's fourth annual interoperability event, hosted by the University of New Hampshire Interoperability Laboratory (UNH-IOL). First-time attendees included Great Bay and Lumeta, while Enterasys, Juniper, and Trapeze Networks tested products for at least their third year.
Microsoft's implementation of NAP (Network Access Protection) in Windows XP SP 3 software was demonstrated as working interoperably at the event as well.
The Trusted Computing Group (TCG) hosts the interoperability session to enable member companies using the TNC specifications to test implementations with TNC-based products from other vendors. The session serves as validation of interoperability in addition to providing discussion and sharing of best practices and experiences with the specifications.
Five open-source projects - FreeRADIUS, libtnc, OpenSEA, TNC@FHH, and wpa_supplicant - also tested software this year, demonstrating an increasing amount of support and product choice of operating systems and platforms.
Participants tested hardware and software supporting the TNC specifications in a simulated enterprise environment, using more than a dozen test cases that model common enterprise usage of TNC specification-based systems.
TNC is an open, non-proprietary architecture and set of specifications, available free of charge to any interested party, that enables the application and enforcement of security requirements for endpoints connecting to the corporate network.
TCG is an industry standards body formed to develop, define, and promote open standards for trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices.
Bills call for cyber adviser, private network security regulations
By Jill R. Aitoro 04/01/2009
http://www.nextgov.com/nextgov/ng_20090401_6424.php
Two senators introduced bills on Wednesday that would establish a direct cybersecurity adviser to the president and regulate how governments and businesses protect their networks from attack, strong actions that security professionals said are necessary to thwart global threats.
Sens. John D. Rockefeller, D-WVa, and Olympia Snowe, R-Maine, jointly introduced two bills, one of which raises the profile of cybersecurity within the federal government, while the other streamlines cyber-related functions and authorities and tightens the relationship between government and the private sector on cybersecurity, according to a summary document.
The bills "could do more to improve cybersecurity than any action in the last decade," said Jim Lewis, director and senior fellow for the technology and public policy program at the Center for Strategic and International Studies.
Lewis served as program director for the CSIS Commission on Cybersecurity for the 44th Presidency, which released recommendations in December 2008 for improving cybersecurity practices in government, a number of which are included in the bills.
"This looks like the game-changer -- or at least the conversation-changer," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group based in Bethesda, Md. "Its reach is far greater than any cyber bill I have ever seen, extending deep into corporate America."
The first bill, which has no title, establishes a national cybersecurity adviser within the White House to "serve as the principal advisor to the president for all cybersecurity-related matters." The adviser would "furnish timely and appropriate recommendations, information and advice to the president in connection with the administration and execution of laws relating to cybersecurity."
The new position also would have full access to information from all federal cyber program activities, and review and approve cybersecurity related budget requests.
The second bill, titled the 2009 Cybersecurity Act, is more comprehensive. It calls for the president to establish an advisory panel made up of qualified specialists from the public and private sectors who would offer advice on cybersecurity. The bill also requires a threat and vulnerability assessment of government systems and the corporations that own the nation's critical infrastructure such as electric utilities, energy producers and transportation systems. A public-private clearinghouse would be established so the federal government and owners of the critical infrastructure could share information on cyber threats and vulnerabilities.
"The bill serves to raise the visibility of this critical national issue," said Bruce McConnell, former IT policy chief at the Office of Management and Budget and a member of the CSIS commission. "Government must take the lead, in close partnership with private sector owners and operators, to protect our critical infrastructures from the growing cyber threat."
The Cybersecurity Act would require the National Institute of Standards and Technology to develop cybersecurity standards for government, contractors and operators of the systems that control the nation's critical infrastructure. A newly created acquisitions board would certify that products the federal government purchased meet security standards, and regional cybersecurity centers would be set up to support small- and medium-size businesses complying with the standards.
Corporations currently oversee the security of their computer networks, although some industries have established standards for protecting information.
"The market has failed by definition and thus public policy is necessitated," said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team. "Hopefully, the private sector will comprehend that legislation like this creates long-term comparative advantage for American industry and subsequent technological sustainability."
Once a cybersecurity plan is developed, the bill calls for the national cybersecurity adviser to review the U.S. cybersecurity program every four years, including strategy, budget, plans and policies, to ensure federal efforts address both existing and emerging threats.
Trusted Computing Group to Host Computer Security Lab at RSA Conference 2009
Security Experts to Participate in Panel Sessions and Demonstrate Trusted Computing Products in Booth #2133
http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20090408005062&newsLang=en
RSA Conference 2009
PORTLAND, Ore.--(BUSINESS WIRE)--Trusted Computing Group (TCG) and its member companies again will host the popular pre-conference Trusted Computing hands-on lab session at the RSA Conference 2009 in San Francisco, April 20-24, 2009.
This year, the “Turning on the Trust: A Developer and End User Lab to Enable Higher Security for Clients, Networks and Storage Devices” session will run a full day on Monday, April 20, in the Orange Rooms 130-133 at Moscone Center North. The morning session, 9 a.m. to 12 p.m., is targeted to developers and will give them overviews of the TCG’s Trusted Storage, the Trusted Platform Module and Trusted Network Connect network security specifications and how to develop products and applications based on those. Presenters will address development and interoperability issues.
The afternoon session, 1–4 p.m., will focus on using Trusted Computing products and services to secure data, systems and networks and will include examples from organizations about how to use the Trusted Platform Module. Presenters will discuss deployment of self-encrypting drives based on TCG specifications and key management issues, as well as network security deployment. Attendees will take away a deployment plan and checklist for using these widely available technologies in their enterprises.
For more information or to register, go to https://www.trustedcomputinggroup.org/news/events/rsa_2009/. Pre-registration is advised as past events have filled to capacity.
On the show floor, in TCG’s Booth #2133, TCG members General Dynamics C4 Systems, Great Bay Software, Infineon Technologies AG, Lumeta Corporation, LSI Corporation, Seagate Technology and Wave Systems will demonstrate products based on TCG specifications.
Also during RSA, TCG members will participate in conference sessions. Steve Hanna, Juniper Networks and co-chair of the TCG Trusted Network Connect Work Group, will participate in a panel discussion on “The Changing Face of Network Access Control” on April 21, 2009, at 1:30 p.m.
Walt Hubis, LSI Corporation and chair of TCG’s Key Management Services Subgroup, will participate in a panel session “It’s Your Call: Where Should You Encrypt” on April 23 at 10:40 a.m.
TCG is an industry standards body formed to develop, define, and promote open standards for trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. TCG specifications are designed to enable more secure computing environments without compromising functional integrity with the primary goal of helping users to protect their information assets from compromise due to external software attack and physical theft. More information and the organization’s specifications are available at www.trustedcomputinggroup.org.
Brands and trademarks are the properties of their respective owners.
Contacts
Trusted Computing Group
Anne Price
602-840-6495
Mobile: 602-330-6495
press@trustedcomputinggroup.org
TNC PlugFest - Gearvana!
https://www.trustedcomputinggroup.org/blog/
April 6th, 2009 by Lisa Lorenzin
By Lisa Lorenzin, Juniper Networks
A couple weeks ago, I had the great pleasure to attend the TNC’s fourth annual interoperability test event. We fondly call this gathering a PlugFest, because we plug this into that and see what happens! And this year, we had a whole lotta pluggin’ goin’ on.
Our gracious hosts, the University of New Hampshire InterOperability Lab, provided their usual impressive facilities and service. They have an amazing lab, host to several different testing areas for everything from IPv6 to POE (as well as flexible space with power and patch panels, for groups like ours), with adjacent conference rooms for white-board sessions and participating in WG calls. As if that wasn’t enough, they also had an on-site cafeteria, and an endless supply of snack bars and coffee in the lab itself! (I have the metabolism of a rodent, so I regard calories the way most people seem to regard caffeine: critical for a multi-day testing marathon.)
As with previous PlugFests, we had TNC implementers bringing products that utilize a wide range of TNC interfaces: IF-PEP for RADIUS, IF-TNCCS, IF-TNCCS-SOH, IF-IMC & IF-IMV, and IF-MAP. Whew! This year we had so many participants that we divided the room into three areas: IF-PEP for RADIUS, in which we tested policy servers acting as PDPs and switches & wireless APs acting as PEPs; IF-TNCCS-SOH, in which we tested communication between a TNC policy server and a client using Microsoft NAP’s Statement of Health protocol; and IF-MAP, in which endpoint discovery and behavior monitoring solutions acted as Sensors and Flow Controllers publishing data to, and searching / subscribing to data from, a MAP Server.
And that was just the meatspace setup. New for this year, we had a contingent of participants testing an open-source solution, involving five separate open-source components, in a virtual environment! Last year we had the first-ever testing of open-source TNC implementations. The testing never actually succeeded, but the process was incredibly educational, and it was very cool to watch the participants patching their code on the fly. This year, many things worked! And the virtual environment allowed us to have testers from Germany, Australia, and western US participating together, while I verified the results from the northeastern US. Technology really does bring the world together - and it was awesome to see how far the open-source implementations have come since just last year.
The whole thing was, as you might expect, loosely-organized chaos. It was also extremely productive and incredibly fun. Sometimes the tests succeeded on the first try - always exciting! Sometimes they didn’t - and we had to stretch our brains to figure out the cause: Was it a bug? A misconfiguration? A difference in interpretation of the spec? A problem with the spec itself? Packets flew, sniffers captured, tcpdumps dumped, code was modified on the fly. The best part about testing among friends is that when something goes wrong, everybody jumps in to try to solve the puzzle - no egos involved, just a bunch of geeks poking at a bunch of packets.
(A note to the reader: In case you think I’m being coy by not mentioning specific names or products, you should know that the proceedings and results of the TNC PlugFest are confidential, which is a pretty tight constraint on what I can write here. It’s quite a challenge to describe a PlugFest without being able to talk about what actually happened! You can read the official TCG press release for more info on who participated.)
Not only were we able to work through the base set of TNC interoperability tests, but a small group of us piggybacked an additional project on the PlugFest: Testing for our joint interoperability demo at the TCG pre-conference workshop at RSA. Want to know what we did? Come to the workshop and see! (Yes, sorry, that’s a shameless plug. I’m really excited about this year’s workshop - we get to do separate sessions for developers and end-users, so we get to explore under the hood and address the real world.)
Lest I give the impression that the PlugFest was all work and no play, we had some truly incredible food while we were there, too. The Green Monkey, in nearby Portsmouth, NH, was the site of our first night’s feast - “New American Cuisine”, which apparently means they serve a little of everything, and all of it delicious. This being New England, they even knew how to make a real dark ‘n’ stormy - no wimpy ginger ale here. Plus, they were willing to split checks for a table of sixteen! Now that’s service. The next night, a smaller group of us converged on Jumpin’ Jay’s Fish Café, which is much tastier than the name, or even the website, would suggest. If you go, get the sauce sampler - each one better than the last…
So - good geeking, good food, and good company. I miss it already, and I can’t wait for the next one.
Network Security Products Based on Trusted Network Connect Standards Test Interoperability and New Capabilities
http://in.sys-con.com/node/909271
Fifteen companies and organizations from around the world participated in testing a growing number of implementations of the Trusted Computing Group’s Trusted Network Connect (TNC) specifications for network security and network access control.
Enterasys Networks, Fujitsu Limited, Great Bay Software, Infoblox, Juniper Networks, Lumeta Corporation, Trapeze Networks and several others participated in the group’s fourth annual interoperability event, hosted by the University of New Hampshire Interoperability Laboratory (UNH-IOL). First-time attendees included Great Bay and Lumeta, while Enterasys, Juniper, and Trapeze Networks tested products for at least their third year.
Microsoft’s implementation of NAP (Network Access Protection) in Windows XP SP 3 software was demonstrated as working interoperably at the event as well.
The Trusted Computing Group (TCG) hosts the interoperability session to enable member companies using the TNC specifications to test implementations with TNC-based products from other vendors. The session serves as validation of interoperability in addition to providing discussion and sharing of best practices and experiences with the specifications.
Five open-source projects - FreeRADIUS, libtnc, OpenSEA, TNC@FHH, and wpa_supplicant - also tested software this year, demonstrating an increasing amount of support and product choice of operating systems and platforms.
Participants tested hardware and software supporting the TNC specifications in a simulated enterprise environment, using more than a dozen test cases that model common enterprise usage of TNC specification-based systems. Six interfaces were tested:
The interface for integrity measurement verifiers (IF-IMV) and the interface for integrity measurement collectors (IF-IMC), which allow TNC clients and servers to load and use plug-in software components from different vendors, enabling easy integration of software from many vendors into a complete TNC implementation.
The interface for TNC client-server communications (IF-TNCCS), which allows TNC clients and servers to exchange integrity measurement data.
The interface for TNC client-server communications using the statement of health (IF-TNCCS-SOH), which allows TNC servers to easily integrate Microsoft Windows systems and other Network Access Protection clients.
The interface for policy enforcement points (IF-PEP), which enables network hardware from any vendor to serve as a policy enforcement point in a TNC system.
The interface for metadata access points (IF-MAP), which integrates a wide variety of security systems into a cooperative and responsive team, sharing information and alerts.
TNC is an open, non-proprietary architecture and set of specifications, available free of charge to any interested party, that enables the application and enforcement of security requirements for endpoints connecting to the corporate network. The TNC architecture helps IT organizations enforce corporate configuration requirements and to prevent and detect malware outbreaks, as well as the resulting security breaches and downtime in multi-vendor networks. More information on TNC is available at https://www.trustedcomputinggroup.org.
TCG is an industry standards body formed to develop, define, and promote open standards for trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. TCG specifications are designed to enable more secure computing environments without compromising functional integrity with the primary goal of helping users to protect their information assets from compromise due to external software attack and physical theft. More information and the organization’s specifications are available at www.trustedcomputinggroup.org.
Telstarjohn/titlewave
Your back and forth is getting tiresome. Why don't both of you become paid members and start exchanging jabs via PMs. I'll delete any more of these barbs.
thanks,
FM
Is the plot thickening??
Northrop Grumman Showcases Health IT Programs and Solutions At HIMSS Annual Conference
DJ Press Release Wire
11:00 AM Eastern Daylight Time Apr 02, 2009
CHICAGO, April 2, 2009 (GLOBE NEWSWIRE) -- Northrop Grumman Corporation (NYSE:NOC) will highlight its clinical and public health products and solutions next week at the Healthcare Information and Management Systems Society (HIMSS) 2009 Annual Conference and Exposition.
The conference and exposition will be held April 4-8 at McCormick Place in Chicago. Northrop Grumman will feature demonstrations in booth 2422.
In the conference exhibit hall, Northrop Grumman will showcase health information technology applications and solutions relevant to the needs of health and research institutions worldwide.
The success of local, regional or nationwide health information exchange communities and networks relies on secure and seamless access to health information. Northrop Grumman has established health information network services that facilitate electronic health information and its exchange. The company will illustrate how existing electronic health records, state, and regional health information exchange initiatives can be linked to exchange health care information nationwide through sustainable services.
Northrop Grumman has deployed public health solutions on the local, regional, national and global levels. Through established public health systems, Northrop Grumman helps to improve the health and welfare of the United States and its allies by enabling timely and efficient delivery of essential public services. The company's public health capabilities span the areas of informatics, biostatistics, epidemiology, disease surveillance, occupational and environmental health, and communications and education.
The Centers for Medicare and Medicaid with Northrop Grumman as its information technology provider have developed the Continuity Assessment Record and Evaluation (CARE) instrument, a Web-based tool for collecting patient assessment information to measure and compare Medicare beneficiaries' health and functional status across various provider settings.
Currently being demonstrated across multiple providers, when fully implemented, CARE will be a standardized assessment instrument that is clinically relevant to delivering safe, efficient, effective, equitable and timely patient-centered care.
Northrop Grumman deploys intelligent natural language processing to extract computable clinical information from narrative forms, which supports the advantages of computable data while minimizing the impact on clinicians responsible for recording findings and results of clinical encounters. Health care providers can record medical encounters in simple, narrative form and apply natural language processing tools to capture computable clinical information.
Computable data can be extracted from textual health records, which will support storage, retrieval and clinical alert capabilities.
Northrop Grumman's e.POWER suite of applications delivers business process management and automation for agile, end-to-end control of the enterprise processes. The e.POWER Claims and Adjudication solution provides end-to-end visibility and full accountability by automating health providers' claims and adjudication processes.
Northrop Grumman is a trusted integrator of advanced health solutions, including health and benefits systems management and information security. The company's services span the public health, healthcare delivery and life sciences domains, and include cutting-edge information exchange for electronic health records, Web-enabled workflow processing and large-scale information management.
Northrop Grumman has developed a range of military health solutions applicable and adaptable for today's emerging national priorities.
Northrop Grumman Corporation is a leading global security company whose 120,000 employees provide innovative systems, products, and solutions in aerospace, electronics, information systems, shipbuilding and technical services to government and commercial customers worldwide.
What's Up With NAC Standards?
http://www.wwpi.com/networking/featured-articles/6893-whats-up-with-nac-standards
Thursday, 02 April 2009 08:06 Lisa Lorenzin for Trusted Computing Group
For those considering a Network Access Control (NAC) deployment, one of the biggest challenges is the state of the standards and how they relate to current NAC offerings. While a viable solution needs to address security and monitoring as well as networking aspects, its ability to adapt to future changes could be critical. Open standards available today help ensure that NAC solutions implemented at present will both work with the current network and endpoint environment and offer a strong foundation for future growth.
Evolution of NAC Architectures
Over the past six years, NAC frameworks have evolved from proprietary beginnings to today's open standards-based architectures. From a historical perspective, Cisco announced its Network Admission Control (NAC) program in 2004. The C-NAC architecture included an endpoint running a NAC Agent, a Network Access Device, and an authenticator running a NAC Manager. C-NAC addressed the need to apply policy-based controls to a device requesting access to the network. They achieved this goal by offering a proprietary solution that included a client software component -- which supplied information about the endpoint, a management component -- which made the decision whether to permit or deny access, and an enforcement component -- which applied the access control decision.
Another proprietary framework, Microsoft’s Network Access Protection (NAP) Platform Architecture, was introduced in 2004. The Microsoft architecture included a NAP Agent on the endpoint and a Network Policy Server for management, and used Statements of Health (SOHs) to validate the health of the endpoint. Also in 2004, the Trusted Computing Group (TCG), an industry consortium dedicated to strong security through open standards for trusted computing, established a group - Trusted Network Connect (TNC) - with the goal of creating an open architecture for Network Access Control. (Network Access Control has become the commonly-accepted meaning of the acronym "NAC" in the industry today.)
Similar to the Microsoft and Cisco frameworks, the TNC architecture identified an Access Requestor (AR), the endpoint requesting access to the network, which runs a TNC Client to provide health information; a Policy Enforcement Point (PEP), such as a switch, wireless access point, or gateway, which allows or denies access; and a Policy Decision Point (PDP), which evaluates endpoint health, determines what policy to apply, and provisions policy to the PEP. Unlike the preceding proprietary solutions, the purpose of TNC was to ensure interoperability and compatibility with a multitude of standards-based network infrastructure solutions, as well as choice by providing open standards for NAC implementation. Figure 1 shows a comparison of key aspects of the three NAC architectures.
By 2005, these three architectures - two proprietary and one open industry standard - were clearly defined; products were shipping based on the Cisco and TNC architectures, and security administrators could choose which were most appropriate to meet their requirements. In 2006, Microsoft and Cisco cross-licensed their NAC and NAP protocols to enable the two frameworks to interoperate in a shared network environment.
As a member of TCG, Microsoft joined forces with TNC to enable interoperability between TNC and NAP; in April of 2007, TNC published an interface specification that allows either the use of Microsoft SOH or the TNC health checks. Microsoft shipped its first NAP architecture-based products, Windows Server 2008 and Vista / XP SP3, in 2008. Now, endpoints running a TNC Client or a Microsoft NAP Agent can communicate with a TNC PDP or a Microsoft NPS.
Current TNC standards extend NAC beyond the original three-element endpoint / network device / policy server model to include other security devices such as network Intrusion Prevention Systems (IPS), vulnerability scanners, and more, via a Metadata Access Point (MAP) that acts as a clearinghouse for information. In addition to the location, identity, and health considerations enabled by the original TNC architecture, this adds a behavioral factor to policy decisions.
Current Status of NAC Standards Efforts
While Microsoft and TNC are interoperable via open standards today, Cisco is not - yet. However, the Internet Engineering Task Force (IETF) has created a Network Endpoint Assessment (NEA) Working Group with the goal of universal agreement on NAC protocols, and Cisco participates in that effort.
In March of 2006, IETF held a “Birds of a Feather” meeting (BOF) to discuss establishment of a working group for network endpoint assessment. With the interest confirmed, the NEA WG was chartered in October 2006, co-chaired by a Cisco engineer and one of the TNC WG chairs. In the fall of 2008, NEA reached consensus to use two TNC protocols as the basis for development of its first two specifications: PA-TNC: A Posture Attribute Protocol (PA) and PB-TNC: A Posture Broker Protocol (PB). A Cisco engineer is a co-editor, along with the original TNC editors, on each of these specifications.
Through a typical IETF process, each specification is discussed on the working group email list and at IETF meetings for periodic changes to the protocol as it progresses towards becoming a standard. As a result, the IETF specification will not be identical to the original TNC interface when it is finally published. However, TNC has committed to make its protocols compatible when the IETF standard is finalized and approved, providing an open, interoperable NAC roadmap to the future.
The IETF specification discussion is open to anyone with an email address. This provides an extensive amount of feedback but also can mean that issues take a long time to resolve. In 2009, IETF is working on the first two protocols. Currently, TNC has published seven interfaces, so it will take time before the IETF standard addresses a similar set of functionality. The first two protocols will not completely standardize the endpoint integrity communications, so universal agreement on NAC protocols is still a goal for the future. All major vendors except Cisco have agreed on the TNC standards today, but full convergence will not be achieved until the IETF specs are completed. Fortunately, Cisco switches and wireless access points are fully compatible with the TNC specifications so those specifications provide broad compatibility.
Choosing a NAC Solution Today
IT departments implementing NAC today are turning to TNC for several reasons. TNC is a mature architecture with product implementations - such as Juniper's Unified Access Control (UAC) - available and tested in the field for several years. TNC standards will keep pace with IETF NEA's work, and the implementers will keep pace with the TNC revisions.
The open standards from TNC ensure interoperability, reducing vendor lock-in concerns, and ensuring flexibility for deployment and integration of additional network security devices. For IT
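The three-party flow the article describes (an Access Requestor reporting posture, a Policy Decision Point evaluating it, a Policy Enforcement Point applying the result) plus the Metadata Access Point feedback loop that adds a behavioural factor, modelled as a small Python simulation. This is an added example, not code from the article, from TCG or from any TNC product; the posture attribute names, policy thresholds, VLAN numbers and the "ips-alert" metadata key are assumptions chosen for illustration.

```python
"""Toy model of the TNC AR -> PDP -> PEP flow with MAP-based behavioural feedback.
Constructed example; attribute names, thresholds and VLAN numbers are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"            # full network access
    QUARANTINE = "quarantine"  # remediation-only network
    DENY = "deny"              # no access


@dataclass
class Posture:
    """Posture attributes an AR's TNC Client reports (assumed names)."""
    endpoint_id: str
    firewall_enabled: bool
    antivirus_enabled: bool
    av_signature_age_days: int
    patch_level: int


@dataclass
class Policy:
    """PDP thresholds (assumed values)."""
    max_signature_age_days: int = 7
    min_patch_level: int = 10


# Assumed VLAN the PEP provisions for each decision; None leaves the port unauthorised.
VLAN_FOR: Dict[Decision, Optional[int]] = {Decision.ALLOW: 100, Decision.QUARANTINE: 999, Decision.DENY: None}


class MetadataAccessPoint:
    """Minimal publish/search/subscribe clearinghouse standing in for a MAP server."""

    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, object]] = {}
        self._subs: Dict[str, List[Callable[[str, str, object], None]]] = {}

    def publish(self, endpoint_id: str, key: str, value: object) -> None:
        self._data.setdefault(endpoint_id, {})[key] = value
        for callback in self._subs.get(endpoint_id, []):   # notify subscribers
            callback(endpoint_id, key, value)

    def subscribe(self, endpoint_id: str, callback: Callable[[str, str, object], None]) -> None:
        subs = self._subs.setdefault(endpoint_id, [])
        if callback not in subs:
            subs.append(callback)

    def search(self, endpoint_id: str) -> Dict[str, object]:
        return dict(self._data.get(endpoint_id, {}))


class PolicyEnforcementPoint:
    """Switch or AP port: records the VLAN provisioned for each endpoint."""

    def __init__(self) -> None:
        self.port_state: Dict[str, Optional[int]] = {}

    def provision(self, endpoint_id: str, decision: Decision) -> Optional[int]:
        self.port_state[endpoint_id] = VLAN_FOR[decision]
        return self.port_state[endpoint_id]


class PolicyDecisionPoint:
    def __init__(self, policy: Policy, pep: PolicyEnforcementPoint, mapsrv: MetadataAccessPoint) -> None:
        self.policy, self.pep, self.mapsrv = policy, pep, mapsrv
        self.decisions: Dict[str, Decision] = {}

    def evaluate_posture(self, p: Posture) -> Tuple[Decision, List[str]]:
        """Pure policy check: returns the decision and the list of failed checks."""
        reasons: List[str] = []
        if not p.firewall_enabled:
            reasons.append("host firewall disabled")
        if not p.antivirus_enabled:
            reasons.append("antivirus disabled")
        elif p.av_signature_age_days > self.policy.max_signature_age_days:
            reasons.append("antivirus signatures stale")
        if p.patch_level < self.policy.min_patch_level:
            reasons.append("patch level below minimum")
        if not reasons:
            return Decision.ALLOW, []
        # A missing control denies outright; a present-but-stale one goes to remediation.
        if not p.firewall_enabled or not p.antivirus_enabled:
            return Decision.DENY, reasons
        return Decision.QUARANTINE, reasons

    def _apply(self, endpoint_id: str, decision: Decision) -> None:
        self.decisions[endpoint_id] = decision
        self.pep.provision(endpoint_id, decision)
        self.mapsrv.publish(endpoint_id, "access-decision", decision.value)

    def admit(self, p: Posture) -> dict:
        """Full AR -> PDP -> PEP path; the result is published to the MAP."""
        decision, reasons = self.evaluate_posture(p)
        self._apply(p.endpoint_id, decision)
        self.mapsrv.subscribe(p.endpoint_id, self.on_map_update)
        return {"endpoint": p.endpoint_id, "decision": decision.value,
                "vlan": self.pep.port_state[p.endpoint_id], "reasons": reasons}

    def on_map_update(self, endpoint_id: str, key: str, value: object) -> None:
        """Behavioural factor: an IPS alert published to the MAP re-provisions the port."""
        if key == "ips-alert" and self.decisions.get(endpoint_id) == Decision.ALLOW:
            self._apply(endpoint_id, Decision.QUARANTINE)


def demo() -> List[dict]:
    """Three constructed endpoints, then a constructed IPS alert against the healthy one."""
    mapsrv, pep = MetadataAccessPoint(), PolicyEnforcementPoint()
    pdp = PolicyDecisionPoint(Policy(), pep, mapsrv)
    results = [pdp.admit(Posture("laptop-01", True, True, 2, 12)),    # healthy
               pdp.admit(Posture("laptop-02", True, True, 30, 12)),   # stale AV signatures
               pdp.admit(Posture("laptop-03", False, True, 2, 12))]   # no host firewall
    mapsrv.publish("laptop-01", "ips-alert", "port scan observed")    # IPS acting as a MAP client
    results.append({"endpoint": "laptop-01", "decision": pdp.decisions["laptop-01"].value,
                    "vlan": pep.port_state["laptop-01"], "reasons": ["ips-alert"]})
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point of the simulation is the separation of roles: the PDP never touches a port directly, the PEP never inspects posture, and the MAP lets a sensor that was not part of the original admission (the IPS) change an endpoint's access after the fact, which is the behavioural factor the article attributes to IF-MAP.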
This says "New" on Dell's website
but may have been posted:
http://accessories.us.dell.com/sna/products/Server_Applications/productdetail.aspx?c=us&l=en&s=biz&cs=555&sku=A1233139
Overview
The Embassy® Remote Administration Pilot Gold Maintenance from Wave® Systems offers 24-hour response time support via email. It includes version upgrade and access to Wave Support Portal. This maintenance provides patch releases and up to 4 hours of Professional Services for enhanced service options. This plan requires yearly renewal on the invoice anniversary date. The Gold Maintenance Plan is designed specifically for Embassy Remote Administration Pilot.
Manufacturer Part# : 12-000044-P
Dell Part# : A1233139
Aruba Networks' 802.11n Solution Wins Network Computing's Wireless Infrastructure Product of the Year Award
"The AP-125 includes many path-breaking features including very low-power consumption, touch-free over-the-network updates, a Trusted Platform Module to protect network certificates, integrated flat-panel antennas, and a snap-lock ceiling mounting bracket.
http://www.marketwire.com/press-release/Aruba-Networks-Inc-NASDAQ-ARUN-969541.html
SUNNYVALE, CA--(Marketwire - April 2, 2009) - Aruba Networks, Inc. (NASDAQ: ARUN), a global leader in wireless LANs and secure mobility solutions, today announced that its AP-125 802.11n Access Point family has won Network Computing's Wireless Infrastructure Product of the Year Award. Awards were conferred upon one vendor or service provider in each of 24 unique categories based on feedback from readers. The wireless infrastructure category included a wide range of Wi-Fi related products, and the AP-125 Access Point family was the only 802.11n product so honored.
First shipped in February 2008, the dual-radio AP-125 was the first 802.11n access point on the market to be powered from a single 802.3af Power-over-Ethernet source while operating in 3x3 MIMO mode. It is also among the smallest 802.11n enterprise access points on the market, featuring an ultra-compact enclosure designed for wall or ceiling mounting. At less than one-fifth the weight of its closest rival, the AP-125 can easily be affixed to a suspended ceiling without any additional reinforcement.
"802.11n is a game-changing wireless technology but it requires careful implementation to deliver wire-like performance and high security," said Keerti Melkote, Aruba's co-founder and chief technical officer. "The AP-125 includes many path-breaking features including very low-power consumption, touch-free over-the-network updates, a Trusted Platform Module to protect network certificates, integrated flat-panel antennas, and a snap-lock ceiling mounting bracket. Used in tandem with Aruba's Adaptive Radio Management technology to optimize 802.11n performance in real-time, and with Aruba's policy-enforcement firewall to secure the network, these features give the AP-125 family its industry-leading performance and security. We're honored to have the capabilities of this innovative product recognized by Network Computing."
The Network Computing Awards were launched to recognize the products, services and companies that have particularly impressed readers of Network Computing, the UK's longest established computer networking magazine. The 3rd annual Network Computing Awards this year drew more than 25,000 individual votes. The 2009 award winners are highlighted in a special section on Network Computing's Web site at http://www.networkcomputingawards.co.uk/.
About Aruba Networks
People move. Networks must follow. Aruba securely delivers networks to users, wherever they work or roam. Our mobility solutions enable the Follow-Me Enterprise that moves in lock-step with users:
-- Adaptive 802.11a/b/g/n Wi-Fi networks optimize themselves to ensure that users are always within reach of mission-critical information;
-- Identity-based security assigns access policies to users, enforcing those policies whenever and wherever a network is accessed;
-- Remote networking solutions ensure uninterrupted access to applications as users move;
-- Multi-vendor network management provides a single point of control while managing both legacy and new wireless networks from Aruba and its competitors.
The cost, convenience, and security benefits of our secure mobility solutions are fundamentally changing how and where we work. Listed on the NASDAQ and Russell 2000® Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, and Asia Pacific regions. To learn more, visit Aruba at http://www.arubanetworks.com.
© 2009 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That Works®, Mobile Edge Architecture, People Move. Networks Must Follow., The All-Wireless Workplace Is Now Open For Business, RFprotect, Green Island, and The Mobile Edge Company® are trademarks of Aruba Networks, Inc. All rights reserved. All other trademarks are the property of their respective owners.
Media Contacts
Michael Tennefoss
Aruba Networks, Inc.
+1-408-754-8034
mtennefoss@arubanetworks.com
Patty Oien
Breakaway Communications
+1-415-358-2482
poien@breakawaycom.com
Apple, Dell, Intel Sued Over Encryption Patent
The PACid Group named 19 tech companies in its lawsuit claiming infringement of its patent on generating encryption keys.
By Thomas Claburn, InformationWeek
March 31, 2009
http://www.informationweek.com/story/showArticle.jhtml?articleID=216402041
The PACid Group, a Houston company formed by inventors Guy L. Fielder and Paul N. Alito, on Monday filed a patent-infringement lawsuit in the Eastern District of Texas against 19 computer and semiconductor companies and their subsidiaries.
The patent in question is U.S. patent No. 5,963,646, "Secure deterministic encryption key generator system and method," which describes an encryption key generator. The system allows for "the destruction of an encryption key after each use by providing for the re-creation of the key without need of key directories or other encryption key storage processes."
Companies named in the lawsuit include Apple, Atheros, Broadcom, Dell, Edimax, Gateway, Hewlett-Packard, Intel, Lenovo, Marvell, Realtek, and Toshiba. These defendants, PACid's complaint charges, include in their products the patented technique for generating pseudo-random, symmetric encryption keys.
PACid describes itself as "an encryption technology research firm, specializing in dynamic key management." It lists on its Web site four encryption patents, which it seeks to license to interested parties.
PACid did not immediately respond to a request for comment.
Several of the companies named in the lawsuit are members of the Coalition for Patent Fairness, including Apple, Dell, HP, and Intel. The group has been lobbying for patent reform as a way to reduce patent litigation costs.
In testimony before the Senate Judiciary Committee earlier this month, Steven Appleton, chairman and CEO of coalition member Micron Technology, explained the situation as the tech sector sees it: "Technology companies have been victimized by a growing wave of patent litigation and licensing fee requests that often precede the filing of a patent lawsuit," he said.
Appleton attributes the surge in patent litigation to the major source of patent claims today: companies that exist solely to license intellectual property, otherwise known as nonpracticing entities, or NPEs. These companies do not make or sell any product or service; they exist only to collect patent royalties. According to PatentFreedom, a company that tracks NPEs as a service to companies involved, or likely to be involved, in patent litigation, the number of patent lawsuits filed by NPEs jumped from 2.7% in the period between Oct. 1, 1994, and Sept. 30, 2002, to more than 10% in 2006 and 2007.
The 10 tech companies sued the most for patent infringement between 2004 and 2008 are Samsung, Microsoft, Motorola, HP, AT&T, Sony, LG, Apple, Dell, and Nokia.
As an example, there were 34 patent-infringement lawsuits filed by NPEs against Microsoft between 2004 and 2008. In 2004, there were three such suits. In 2005, there were five. In 2006, there were six. In 2007, there were 11. And in 2008, there were nine.
NPEs filed 88% of patent suits against U.S. technology companies over the past five years, according to the Coalition on Patent Fairness, which also claims that licensing fee requests to U.S. technology companies have increased 650% since 2004.
In 2005, Nathan Myhrvold, CEO of Intellectual Ventures, a major patent holding company, defended NPEs in his testimony before the House Subcommittee on the Courts, the Internet, and Intellectual Property.
"Discriminating against patent holders on the basis of whether or not they produce a product disenfranchises some of America's most creative and prolific inventors," he said. "This broad group includes: university professors and research scientists, who often make great breakthroughs without having the facilities or resources to manufacture the products commercially; individual inventors who are in the same situation; and, finally small businesses who may commercialize some of their inventions but frequently invent more than they are able to productize simultaneously."
Myhrvold said that there's nothing dishonorable about licensing patents, as Thomas Edison and Nikola Tesla did. He expressed some sympathy for Microsoft, where he used to work as chief technology officer, because it's a major target for patent lawsuits. But, he insisted, the "magnitude of the supposed problem is not borne out by the statistics."
Nonetheless, the lobbying clout of the tech industry appears to be moving the needle toward reform of some kind. In a blog post on Tuesday, the Coalition on Patent Fairness hailed a tentative deal among Senate lawmakers to advance legislation to update U.S. patent laws.
Who Should Be in Charge of Cybersecurity?
http://online.wsj.com/article/SB123844579753370907.html
By BRUCE SCHNEIER | Special to THE WALL STREET JOURNAL
U.S. government cybersecurity is an insecure mess, and fixing it is going to take considerable attention and resources. Trying to make sense of this, President Barack Obama ordered a 60-day review of government cybersecurity initiatives. Meanwhile, the U.S. House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology is holding hearings on the same topic.
One of the areas of contention is who should be in charge. The FBI, DHS and DoD -- specifically, the NSA -- all have interests here. Earlier this month, Rod Beckström resigned from his position as director of the DHS's National Cybersecurity Center, warning of a power grab by the NSA.
About the Author
Bruce Schneier is a chief security technology officer of BT and author whose books include "Applied Cryptography" and "Beyond Fear."
Putting national cybersecurity in the hands of the NSA is an incredibly bad idea. An entire parade of people, ranging from former FBI director Louis Freeh to Microsoft's Trusted Computing Group Vice President and former Justice Department computer crime chief Scott Charney, have told Congress the same thing at this month's hearings.
Cybersecurity isn't a military problem, or even a government problem -- it's a universal problem. All networks, military, government, civilian and commercial, use the same computers, the same networking hardware, the same Internet protocols and the same software packages. We all are the targets of the same attack tools and tactics. It's not even that government targets are somehow more important; these days, most of our nation's critical IT infrastructure is in commercial hands. Government-sponsored Chinese hackers go after both military and civilian targets.
Some have said that the NSA should be in charge because it has specialized knowledge. Earlier this month, Director of National Intelligence Admiral Dennis Blair made this point, saying "There are some wizards out there at Ft. Meade who can do stuff." That's probably not true, but if it is, we'd better get them out of Ft. Meade as soon as possible -- they're doing the nation little good where they are now.
Not that government cybersecurity failings require any specialized wizardry to fix. GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs. These aren't super-secret NSA-level security issues; these are the same managerial problems that every corporate CIO wrestles with.
We've all got the same problems, so solutions must be shared. If the government has any clever ideas to solve its cybersecurity problems, certainly a lot of us could benefit from those solutions. If it has an idea for improving network security, it should tell everyone. The best thing the government can do for cybersecurity world-wide is to use its buying power to improve the security of the IT products everyone uses. If it imposes significant security requirements on its IT vendors, those vendors will modify their products to meet those requirements. And those same products, now with improved security, will become available to all of us as the new standard.
Moreover, the NSA's dual mission of providing security and conducting surveillance means it has an inherent conflict of interest in cybersecurity. Inside the NSA, this is called the "equities issue." During the Cold War, it was easy; the NSA used its expertise to protect American military information and communications, and eavesdropped on Soviet information and communications. But what happens when both the good guys the NSA wants to protect, and the bad guys the NSA wants to eavesdrop on, use the same systems? They all use Microsoft Windows, Oracle databases, Internet email, and Skype. When the NSA finds a vulnerability in one of those systems, does it alert the manufacturer and fix it -- making both the good guys and the bad guys more secure? Or does it keep quiet about the vulnerability and not tell anyone -- making it easier to spy on the bad guys but also keeping the good guys insecure? Programs like the NSA's warrantless wiretapping program have created additional vulnerabilities in our domestic telephone networks.
Testifying before Congress earlier this month, former DHS National Cyber Security division head Amit Yoran said "the intelligence community has always and will always prioritize its own collection efforts over the defensive and protection mission of our government's and nation's digital systems."
Maybe the NSA could convince us that it's putting cybersecurity first, but its culture of secrecy will mean that any decisions it makes will be suspect. Under current law, extended by the Bush administration's extravagant invocation of the "state secrets" privilege when charged with statutory and constitutional violations, the NSA's activities are not subject to any meaningful public oversight. And the NSA's tradition of military secrecy makes it harder for it to coordinate with other government IT departments, most of which don't have clearances, let alone coordinate with local law enforcement or the commercial sector.
We need transparent and accountable government processes, using commercial security products. We need government cybersecurity programs that improve security for everyone. The NSA certainly has an advisory and a coordination role in national cybersecurity, and perhaps a more supervisory role in DoD cybersecurity -- both offensive and defensive -- but it should not be in charge.
Top 10 Technology Rainmakers
http://www.channelinsider.com/c/a/Commentary/Top-10-Technology-Rainmakers-701316/
Wildman, I searched the board to see if it had been posted. I didn't go too far back since the link I saw said the pdf was from March 2009. I thought it looked familiar.
Trusted Computing – Getting Started In Three Easy Steps
http://i.zdnet.com/whitepapers/CNET_WP2_TC_Getting_Started_final_final.pdf
Solid State Drives: High Speed for the Enterprise
http://pr-canada.net/index.php?option=com_content&task=view&id=87413&Itemid=65
Solid state drives (SSDs -- also known as flash drives) are the latest major innovation in computing. Coming to the rescue of sites the world over that have been tied to agonizingly slow mechanical drives since the advent of modern computing, solid state drives bring a level of data transfer rates close to those of CPU and memory.
Since the broad availability of solid state drives several years ago, they have been taken up by the early adopters and high-end PC users. Because of the considerable cost differential between solid state drives and hard drives, enterprises have been waiting for prices to come down before broad implementation. But now that is occurring -- solid state drive pricing is expected to equal that of hard disks before very long -- and one company, Sun Microsystems, is now offering solid state drive options for some of their high-end servers.
To make sure that a company will truly benefit from the inclusion of solid state drives thereby justifying the extra cost, Sun is offering a free download called the Sun Flash Analyzer. This utility identifies databases and other applications that can really benefit from SSDs' high throughput and faster response times, and also makes recommendations about methods of increasing system performance.
As corporations begin adopting SSDs, there is one other measure they will need to take, however: the inclusion of a utility to optimize free space on each drive. NTFS -- the file system found in all of Microsoft's current operating systems -- saves files to solid state drives in such a way that free space is shattered into pieces. This is because NTFS is designed for saving data onto hard drives, not solid state drives. As a result, write performance slows dramatically and within a month can degrade by as much as 80 percent.
Solid state drives also have a limited number of erase-write cycles, and the breaking up of free space increases the number of such cycles. Hence, drive life is shortened considerably.
To ensure that solid state drives provide the performance required by an enterprise, a solution must be employed that optimizes their free space. When this is done, write performance is brought back to a high-speed level and kept there. Once the solution has been in operation a short time, write-erase activity becomes substantially reduced. The life of the drive is lengthened and performance is maximized.
It is evident that we are on the brink of a paradigm shift with enterprise storage technology. Companies can ensure the transition is smooth -- and all performance benefits are realized -- by addressing this free space issue with each drive before it becomes a problem.
Dell Offers Solid State Drives
http://www.enterprisestorageforum.com/hardware/news/article.php/3811956
Dell Offers Solid State Drives, New EMC Storage Array
March 25, 2009
By Paul Shread
Dell (NASDAQ: DELL) is sprucing up its data storage product line with new solid state drives (SSDs) and the latest unified storage array from EMC (NYSE: EMC).
The new solid state drives are part of a major upgrade of Dell's EqualLogic iSCSI storage line, which the company acquired a year ago.
The flash drives are a particularly interesting offering. At $25,000 for eight 50GB drives, with chassis, dual controllers and software, and $35,000 for 16 SSDs, the $43.75 to $62.50 per gigabyte is well below the $200 to $300 per GB that competitive enterprise solid state offerings typically cost.
The drives, from Samsung, may not have the performance of drives from STEC (NASDAQ: STEC), but Dell senior manager Travis Vigil said the drives are a "more cost-effective drive" that still gets customers into solid state performance.
Vigil said STEC quotes raw numbers of 30,000 to 40,000 IOPS, while Dell has seen 4,000 to 6,000 raw IOPS on the Samsung SSDs depending on workload.
But Vigil said raw drive performance numbers are misleading. "For competitive architectures, you actually share the same bandwidth/controller for the STEC drive with SATA and FC/SAS drives," he said. "Thus, you have contention and performance impacts."
With the EqualLogic arrays, "you dedicate controller and bandwidth resources to a set of eight or 16 SSDs, and with our scale-out architecture you can scale performance and capacity linearly as you add additional SSD nodes into your SAN," Vigil said. "Thus, in real-world performance, EqualLogic can guarantee your SSD performance without contention and scale that performance by adding additional nodes while at the same time coming in at one-third the dollars per gigabyte."
The SSDs are sold as the new PS6000S, and Dell also offers the drives in blade servers. Other new arrays, as Dell replaces its 5000 series EqualLogic arrays with the new 6000 series, include the entry-level PS6000E and the high-density PS6500E, both SATA-based, and the performance-oriented, SAS-based PS6000X and PS6000XV.
The new arrays offer as much as 91 percent faster performance for sequential write workloads and 29 percent faster for sequential read workloads, Dell says. As much as 576TB can be packed into a PS group. List pricing for the PS6000 arrays starts at $17,000.
Dell is also upgrading its accompanying EqualLogic storage software, including new support for Microsoft (NASDAQ: MSFT) Hyper-V Smart Copy snapshots for "rapid recovery of Hyper-V virtual machines in as little as seconds," the company said. The software also supports RAID-6, Microsoft Exchange and SQL, VMware (NYSE: VMW) and Citrix (NASDAQ: CTXS) XenCenter, and the arrays are VMware vStorage-ready.
The company also unveiled SAN Headquarters, a centralized dashboard that monitors performance and events for dozens of PS Series groups and is available to current Dell EqualLogic customers at no additional cost.
Finally, Dell is now offering EMC's Celerra NX4 as the Dell NX4. The popular unified storage array also includes EMC's new primary storage deduplication and compression.
The NX4 combines Fibre Channel, iSCSI and NAS connectivity, but Vigil said Dell's focus will be as a NAS offering because of the strength of its EqualLogic line.
Vigil said the array "demonstrates the continuing commitment to the EMC alliance."
Insecure smart grid technology could result in utility attacks
Dan Kaplan, March 23, 2009
http://www.scmagazineus.com/Insecure-smart-grid-technology-could-result-in-utility-attacks/PrintArticle/129310/
So-called smart grid technology must be developed with security in mind, or the next generation of the nation's power grid runs the risk of being overrun by hackers, a security company said Monday.
IOActive, provider of application security and risk management services, said in a report that digital smart grid technologies, designed to allow for increased efficiency and reliability, are vulnerable to common cyberattacks, such as malicious code, buffer overflows and protocol tampering.
That means products such as smart meters, which can be connected to appliances and enable two-way communication between homes and the utility companies, could provide entryways for malicious individuals -- resulting in extortion attempts or even blackouts.
"It increases the attack surface," said Josh Pennell, IOActive's president and CEO. "Something that used to be behind lock and key is open to the American public. You are encouraged to participate, in fact."
But Pennell said smart grid manufacturers may not be thinking about security.
"It's first to market wins," he said. "They'll deal with security later."
As a result, Pennell, who presented his company's findings to the U.S. House Committee of Homeland Security last week, called on vendors to utilize a framework similar to Microsoft's Trustworthy Computing Security Development Lifecycle model, used to develop the company's software. Plus, vendors must perform actions such as penetration testing and provide clients with white papers before rolling out their offerings, he said.
With $4.5 billion earmarked to develop the smart grid under the nation's economic stimulus bill, $10 million is going to the U.S. Commerce Department's National Institute of Standards and Technology (NIST) to facilitate the development of standards around the interoperability and security of the technology.
Mark Bello, a NIST spokesman, told SCMagazineUS.com on Monday that developing guidelines will require a lot of collaboration among many different entities.
"When you introduce the ability to interoperate, you don't want to also introduce the opportunity for security threats and breaches," he said. "It's a back-and-forth process that involves working with a lot of parties and getting them to a level where everyone is satisfied."
Once the standards have been created, the North American Electric Reliability Corp. (NERC), authorized by Congress to regulate the bulk power system, could decide whether to make them requirements. A NERC spokeswoman could not immediately be reached for comment.
Eliminating the Mobile Security Blind Spot
http://www.technewsworld.com/rsstory/66590.html?wlc=1237903919
Locking down enterprise systems that remain in the office is one thing. Securing mobile devices like laptops that workers frequently take outside of the office is another matter entirely. An effective mobile security management system goes further than just encrypting the data, writes Alcatel-Lucent's Dor Skuler.
Office-bound workers at most companies today have a significant amount of IT security available to them when best practices are followed. Their computers are physically secure; their hard drives are hopefully encrypted; secure Web gateways, intrusion-prevention systems and firewalls block dangers from the Internet. Audit trails are in place. Passwords and policies are enforced. Data protection is comprehensive.
Take that computer outside of that office, and much of that protection is not available or much less effective -- creating a "mobile blind spot," when mobile control is in the hands of the employee and no longer in the hands of IT. It's like a driver changing lanes on a busy freeway -- there's often a blind spot where another car might be hiding outside of the driver's field of vision. No matter what precautions the driver takes, the blind spot presents a potential for danger because the driver simply cannot see what's there. This mobile blind spot is an issue because when a laptop leaves the office, it oftentimes takes with it very sensitive data, and the IT department loses visibility of that data. Additionally, IT has no control over the laptop or its usage, and that punches a hole in its security integrity.
2009 is expected to bring even greater security threats, as industry watchers anticipate more attacks via the Web, increasingly dangerous social networking threats and more effective botnets. Add to this an anticipated slew of cyber-laws that will push companies to prove compliance on all computers and restricted data, and it's easy to see the impact the mobile blind spot can have on an enterprise.
The real issue with getting visibility into the mobile blind spot is the comprehensive nature of the solution needed. It must emulate all of the protections offered to office users -- protecting the data on the hard drive, protecting the laptop itself, guarding the connection, providing network access control and facilitating laptop management. Let's address each of these issues individually.
Protecting Sensitive Data
The value of the data on many remote computers makes encryption of the data on a laptop one of the first solutions that many companies implement for remote worker data security. Too frequently, it is often the only solution they implement, leaving the laptop vulnerable in other ways.
The primary solutions needed to protect data on a mobile computer are encryption as well as "remote kill" capabilities. Encryption has evolved in the past few years from file- and folder-based encryption to full-disk encryption (FDE). This is an important advance because it protects swap space and temporary files that can reveal sensitive information. Also, full-disk encryption eliminates the need for the user to differentiate which location on the drive is encrypted; FDE solutions automatically encrypt every file on the hard disk.
In addition to FDE, "remote kill" capabilities are important in the event that the laptop is misplaced or stolen. Given enough computing power, or the right social engineering, a hacker can break an encryption key and gain access to data. With a remote kill capability, once IT learns of the loss of a laptop, it can delete all of the encryption keys/access to the encrypted drive, making it virtually impossible to decrypt the data. The best of these solutions also have the ability to reinstate access if the laptop is recovered. Strong "remote kill" capability will work whenever IT needs it to, regardless of the end user actions -- i.e. even if the laptop is offline or physically turned off. Such solutions leverage out-of-band networks to initiate the kill feature.
Protecting the Device
According to a survey by the Ponemon Institute, nearly 637,000 laptops are lost each year in large to medium-sized U.S. airports. The survey notes that 76 percent of companies surveyed reported losing one or more laptops each year and that 53 percent of people surveyed said that their lost laptops contain confidential company information. Getting these laptops back is a cost-effective way to manage assets, especially in the case where the laptop is misplaced and regaining possession of it would both keep the remote worker productive and would eliminate a security issue.
GPS tracking is an emerging capability built into many new laptops and available as a security add-on for existing laptops that provides the ability to track the whereabouts of the computer if it is stolen.
Guarding Connectivity
Data encrypted on the hard drive is not always protected if it's being sent via email or transmitted across an unprotected Internet link. Virtual private networks (VPN) are an essential tool for connectivity protection, encrypting data while it is being transmitted. However, many mobile workers are given the choice of whether to use a VPN by their enterprise.
With so many Web-based threats, an effective VPN solution is always up, any time a user connects to the Internet, regardless of the intended use or the interface over which they connect.
Facilitating Laptop Management
Providing patch management protection to remote devices has always been difficult because of bandwidth limitations or other policies. In fact, many companies measure the time it takes a patch to be implemented from the time it's made available by IT in weeks or even months. Naturally, the need for fast patching is now even greater due to faster vulnerability development and too many patches, with simply not enough time between the time an exploit is in the wild and when IT can send out the patch.
The speed of these viruses can be scary. For example, in early January 2009, the Downadup, aka Conficker, virus began spreading to computers at an unusually fast pace. The virus jumped from 2.4 million to 8.9 million infections in only four days, according to F-Secure. Despite Microsoft's (Nasdaq: MSFT) issue of a patch in October, users continued to become infected by the fast-moving virus because they neglected to install the patch.
According to the SANS Internet Storm Center, an unpatched Windows XP system connected to the Internet can be infected in an average of four minutes. This is a troubling fact, considering a sizable amount of remote users routinely neglect necessary patch downloads.
A strong solution targeting mobile users will proactively push patches to the laptop upon the availability of the patch and not rely on the endpoint to pull the patch from the patch management servers.
Another management issue is data backup. Most enterprises implement systematic backups to alleviate the potential loss of data from a computer malfunction. However, these backups rely on frequent transfers of large amounts of information. An employee faced with inconsistent access speeds or only a few minutes a day to log on to the enterprise network may not wait for the daily backup to complete before taking control of the access connection. Employees commonly postpone imminent backups. As a result, overdue backups may build up to the point where large amounts of critical information are exposed to potential risk.
Software update distributions and inventory collections streamline computer management in enterprises with a large base of managed computers. However, this can be difficult to sustain when a sizable number of laptops are assigned to mobile employees.
Even while on the road, the remote worker will need to tap network resources -- with the potential to bring outside viruses to the enterprise network. One of the most popular approaches to restricting network access is with endpoint policy enforcement applications based on network access control (NAC) or network access protection (NAP). These mechanisms restrict network access for hosts with software that does not comply with current corporate policies. When a policy violation is detected while connecting to the enterprise network, the protection mechanisms validate the host software and quarantine the host to a restricted portion of the enterprise network.
Eliminating Mobile Blind Spot
To fully eliminate the mobile blind spot, IT must do its best to emulate the full protection offered to office-bound workers for those in the field. That means putting together a solution that implements all of the functionality mentioned above. This raises management and updating questions for the IT department, so finding as many of the functions as possible in an integrated solution helps to cut down on management and helpdesk calls.
The cost benefit can make the effort worthwhile, as an effective mobile blind spot solution not only makes mobile computing more effective, but also ensures that customer information is protected and any unfortunate hardware losses have a minimal impact on the business.
Using Intel vPro Technology in a Full Disk Encryption Environment
http://www.symantec.com/connect/articles/using-intel-vpro-technology-full-disk-encryption-environment
Using Intel vPro Technology in a Full Disk Encryption Environment
Terry Cutler March 23rd, 2009
Did you know that Symantec Endpoint Encryption has an “autologon” capability? Wouldn’t it be great if full disk encryption solutions didn’t inhibit client management, especially when using Intel® vPro™ Technology for out-of-band management?
Security is often the nemesis of manageability, just as manageability can be the nemesis of security. Full drive encryption may cause a lot of trouble when attempting out-of-band management, power-on and patch, trying to enforce a balance of power usage with Green IT requirements, and so forth. It is truly unfortunate that today's environments require the extra security precautions. Yet as much as I might complain about all the added security - especially power-on and pre-boot authentication for a device - I also respect the underlying effort to protect data. I, like many others out there, have been a victim of identity theft (personal data, credit\financial data, etc) due to a provider of services (retail, healthcare, financial, etc) having a unit or system compromised, thus exposing very valuable customer data and information. I can appreciate the reason for additional protection, yet the overall success of a client management implementation may be frustrated by such demanding security requirements. If only we could trust one another and not have to lock our houses, our cars, our desk drawers, our labs, our files, and so forth. Since that state of utopia isn’t likely, what options do we have?
With all the added security requirements to protect data, a few core problems arise for remote out-of-band management solution examples shown previously (see http://www.symantec.com/connect/articles/combining... and http://www.symantec.com/connect/articles/scripting... ). Basically, if a pre-boot authentication (PBA) is required, how do you auto-login a collection of clients that are remotely powered on via Intel® vPro™ technology and need to receive a software update from Altiris Client Management Suite?
All glimmers of hope should not fade away just yet. While talking with some Symantec Endpoint Encryption experts during ManageFusion 2009 in Las Vegas, I came across an interesting insight. There is a way to temporarily disable or bypass the pre-boot authentication (PBA). “Disable” may be the wrong term, but it prompted some additional investigation on how to retain the benefits of a remote repair or software update session initiated by Intel® vPro™ Technology management when full disk encryption (FDE) is used. The focus point is not necessarily how Intel® vPro™ technology addresses this, yet more importantly an awareness of the tools, processes, and options available from a holistic point of view. The following data may be of interest in your respective discussions to find a happy medium between security and manageability tenets.
Brief Background
The intent of this section is to help focus the conversation and provide context. Volumes of data have been written on what is only summarized below regarding disk encryption. If you have a constructive viewpoint or insight to the summary below, please state.
The main question I keep asking is “How do you handle software distribution or other client computing maintenance events in your environment today?” This question receives a variety of responses:
Systems are powered on 24 hours a day
That might compete with Green IT initiatives, and could possibly defeat the original intent of FDE. Plus, how do you ensure the systems are powered on 24 hours a day? What happens to your patch saturation or PC support routines if a system with FDE is not powered on 24 hours a day?
Software distributions or maintenance activities occur during business hours
Effectively this means that the user must be present to provide credentials to the PBA. It also means that existing client management processes are impacted, along with impact to user productivity.
A defined maintenance window is scheduled
Either the users are asked to leave their systems on during that maintenance window, or a mechanism is used to bypass or autologon to the PBA. More will be addressed in the next section.
For a single system diagnostic and remediation, the user enters the required authentication credentials for the disk encryption solution
The “user” could be a local PC technician with administrative level authentication. If this is the process today, the same process would be used for Intel® vPro™ technology based out-of-band management activities. If the user’s operating system will not load, you still have out-of-band management functionality via Intel® vPro™ technology. Although some might prefer absolutely no end-user involvement during the diagnostic and troubleshooting session, their involvement might prevent a sneaker-net or truck roll response. In my own case, IT HelpDesk personnel are often in a different building, state, or country to where I am located at the time I need support. If a remote desktop session (i.e. PC Anywhere or similar) cannot be established, the technician and user might both be inconvenienced. More will be addressed in the next section.
Generally speaking, drive encryption applies primarily to devices which are outside the corporate environment. Laptops are the most commonly targeted platform, although desktop systems will also be targeted depending on your security policies and requirements. From a manageability perspective, laptops will often have a higher cost and associated challenges (i.e. less manageable) than desktops. This should not be a surprise, since desktop systems are often in a controlled environment, whereas a laptop introduces a number of variables on location, connectivity, physical access, and so forth. If interested in hearing what analysts and Intel® vPro™ technology evangelists have said about the cost savings and estimates, see the following video (http://www.podtech.net/home/4679/roi-intel-vpro-te... ). In case you didn’t watch the video, there’s a few-hundred-dollar difference between the cost savings of desktop versus laptop when using Intel® vPro™ technology. This is not due to the technology, but more to the circumstances of the device location, connectivity, and so forth. There are still benefits to be gained.
Instead of listing all the drive encryption vendors, it may be helpful to categorize the approaches taken to secure the filesystem.
First – are you using a full disk encryption, partition encryption, or folder\file encryption solution? Since definitions and viewpoints will differ, here is my brief description of each – and I’m open to friendly debate on correct terminology:
Folder\file encryption – Target a specific folder\file within your filesystem using an application loaded on the local operating system. Similar in principle to password protecting a file. This will not affect Intel® vPro™ Technology functionality.
Partition or MBR encryption – This basically secures sectors or locations on the physical drive. A software based application or driver is needed to access. This driver might be inserted into the operating system boot sequence, thus prompting a user for authentication prior or during the operating system boot process. Authentication can be password, smartcard, or other based on other mechanisms. Although this will not affect the core Intel® vPro™ technology out-of-band management capabilities, such as remote power management, it will affect the in-band management functionality (i.e. software distribution).
Full Disk Encryption (FDE) – This approach commonly uses a pre-boot authentication (PBA) operating system, such as a secure Linux or Windows Pre-Execution environment. The PBA may be text or graphic user interface based. Although this will not affect the out-of-band management capabilities of Intel® vPro™ Technology, it will affect in-band management functionality (i.e. software distribution).
In understanding what type of solution you might have, the next question might be how that drive encryption solution handles key management. In essence, there are different roles and security levels determining who is able to provide appropriate credentials to the PBA. The drive encryption solution may have an administrative credential, or your security policies may dictate that only a defined user is able to provide correct credentials to the PBA. Although I have heard about a certificate based approach – where the PBA is able to communicate on the network to central directory or certificate authority – I am not directly familiar with what solutions actually take this approach.
To summarize the above statements – understand how your drive encryption solution works, especially how it applies to current PC support and maintenance operations. Collaboration between IT operations and security teams may be required.
Autologon for Pre-Boot Authentication
Now to the golden nugget discovered during ManageFusion – there is a way to schedule an AutoLogin time period via Symantec EndPoint Encryption. Perhaps common knowledge for some, yet an exciting discovery which prompted further investigation.
In the image below, a Symantec Endpoint Encryption group policy can be defined to bypass user authentication (i.e. bypass the preboot authentication) for a specified time period and specified number of instances.
Some coordination would be required to make this happen, yet hopefully the benefits outweigh the effort. To a previous comment, understanding how the support processes are handled today with restrictive security policies will help align tools, processes, and approaches to further enhance.
Do other disk encryption solutions offer similar capabilities? This is where I need your help. The following is a summary of information I’ve received thus far on how similar workarounds can be accomplished:
McAfee Safeboot 5.1 – $AutoBoot$ user account in the Safeboot database. A tool or script to remotely unlock the drive.
Utimaco Safeguard Enterprise Management Center 5.3 – Secure Wake-on LAN option which sounds similar in concept to the example shown above (i.e. GPO based setting).
Checkpoint Pointsec FDE R70 – For a remote repair to a single system, Checkpoint provides an update to replace their GUI-based PBA with a text-based interface. The text-based interface is remotely viewed and accessed via a Serial-over-LAN Redirection session (one of many capabilities within the Intel® vPro™ technology platform).
Wave (Seagate HDD with FDE) – Using the Embassy Remote Admin Manager, an option to remotely Unlock drives.
PGP – For drive recovery purposes, using Symantec Ghost 10 and IDE-Redirection, a bootable ISO can be used to grab data off an encrypted drive. See the following knowledge base article - https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/endus...
Will Intel® vPro™ Technology provide more security integration?
My intent and focus is to address what is commonly available today, and provide awareness of how you might overcome immediate hurdles around full disk encryption (FDE) and client system management. Intel® vPro™ technology is a tool to extend the reach of the PC or HelpDesk technician. There are efforts underway to further integrate and enhance the abilities of Intel® vPro™ technology. As the technologies or software integrations become available, more information will be shared.
To provide a teaser to other security integrations and focus, have you seen the Anti-Theft offering of Intel® vPro™ technology? Take a look at http://www.intel.com/technology/anti-theft/index.htm and http://www.youtube.com/watch?v=bnTggBxhOVk
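As an added illustration (not Symantec's, Alcatel-Lucent's or any vendor's code) of two mechanisms described on this page, the "remote kill" and reinstatement from the mobile blind spot piece above and the time- and count-bounded pre-boot autologon described here: the data-encryption key is only ever stored wrapped under a key derived from the user's PBA password or from an IT-issued grant secret, so destroying the wrapped copies crypto-erases the disk while an escrow copy held by IT allows access to be reinstated. The toy HMAC-based cipher, all names and the sample data are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

class KillSwitchError(Exception):
    """PBA found no key slot at all: the disk was remote-killed."""

def kdf(secret: str, salt: bytes) -> bytes:
    # Derive a key-encryption key (KEK) from a PBA password or grant secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 counter-mode stream cipher, for illustration only; real
    # FDE uses AES-XTS for sectors and an AEAD or key-wrap for key slots.
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

@dataclass
class KeySlot:  # data-encryption key (DEK) wrapped under a KEK, with integrity tag
    salt: bytes
    nonce: bytes
    wrapped: bytes
    tag: bytes

@dataclass
class BypassGrant:  # slot the PBA may open without the user: limited time and boots
    slot: KeySlot
    expires_at: float
    uses_left: int

@dataclass
class EncryptedDisk:  # what the PBA sees: ciphertext plus unencrypted key-slot header
    nonce: bytes
    ciphertext: bytes
    user_slot: Optional[KeySlot]
    grant: Optional[BypassGrant] = None
    audit: list = field(default_factory=list)

def wrap_dek(secret: str, dek: bytes) -> KeySlot:
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = kdf(secret, salt)
    wrapped = keystream_xor(kek, nonce, dek)
    return KeySlot(salt, nonce, wrapped, hmac.new(kek, nonce + wrapped, hashlib.sha256).digest())

def unwrap_dek(secret: str, slot: KeySlot) -> bytes:
    kek = kdf(secret, slot.salt)
    tag = hmac.new(kek, slot.nonce + slot.wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot.tag):
        raise ValueError("wrong credential for this key slot")
    return keystream_xor(kek, slot.nonce, slot.wrapped)

def provision(password: str, escrow_secret: str, plaintext: bytes):
    """Encrypt a disk; return it plus the escrow slot IT keeps off the device."""
    dek, nonce = os.urandom(32), os.urandom(16)
    disk = EncryptedDisk(nonce, keystream_xor(dek, nonce, plaintext), wrap_dek(password, dek))
    return disk, wrap_dek(escrow_secret, dek)

def issue_bypass(disk, escrow, escrow_secret, grant_secret, now, ttl_s, uses):
    """IT schedules an autologon window: `uses` boots within ttl_s seconds of now."""
    disk.grant = BypassGrant(wrap_dek(grant_secret, unwrap_dek(escrow_secret, escrow)),
                             now + ttl_s, uses)
    disk.audit.append(("bypass_issued", now, uses))

def pba_unlock(disk, now, password=None, grant_secret=None) -> bytes:
    """Pre-boot authentication: the user's password, or a live bypass grant."""
    if disk.user_slot is None:
        raise KillSwitchError("no key slots: disk has been remote-killed")
    if grant_secret is None:
        dek = unwrap_dek(password, disk.user_slot)
        disk.audit.append(("user_boot", now))
    else:
        g = disk.grant
        if g is None or now >= g.expires_at or g.uses_left <= 0:
            disk.grant = None  # a dead grant must not linger in the header
            raise ValueError("bypass grant missing, expired or exhausted")
        dek = unwrap_dek(grant_secret, g.slot)
        g.uses_left -= 1
        disk.audit.append(("bypass_boot", now, g.uses_left))
    return keystream_xor(dek, disk.nonce, disk.ciphertext)

def remote_kill(disk, now):
    """Crypto-erase: destroy every wrapped copy of the DEK on the device. The
    ciphertext stays, but nothing on the laptop can recover the key any more."""
    disk.user_slot, disk.grant = None, None
    disk.audit.append(("remote_kill", now))

def reinstate(disk, escrow, escrow_secret, new_password, now):
    """Recovered laptop: rebuild the user slot from IT's escrow copy."""
    disk.user_slot = wrap_dek(new_password, unwrap_dek(escrow_secret, escrow))
    disk.audit.append(("reinstated", now))
```

The audit list records every issued grant, bypass boot, kill and reinstatement, which is the trail a security team would want to review after an autologon window or a lost-laptop event.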
Protect Your Data With Whole-Disk Encryption
http://www.pcworld.com/businesscenter/article/161519/protect_your_data_with_wholedisk_encryption.html
David Strom, PC World | Wednesday, March 18, 2009 5:35 PM PDT
In my last post, I talked about some of the tools that claim to recover your stolen laptop. This time I want to review another series of tools that can be useful protection as well: doing whole-disk encryption of your hard drives across your enterprise. The idea is that even if your laptop falls into the wrong hands, no one besides yourself will be able to read any of the files stored on it. When you boot your PC, you need to enter a password; otherwise the data in each file is scrambled, and no one else can gain access to your files.
Both the Mac OS X and Windows Vista Enterprise Editions currently offer built-in encryption as part of their operating systems: Apple calls theirs FileVault and Vista's is called BitLocker. If you are going to start using either feature, make sure you review the information contained in both hyperlinks as there are a lot of limitations and configuration issues. Neither is very reliable and both are very fussy about how you set up your hard drive. That makes me a little nervous, especially if you want to start deploying them widely.
If you want something more reliable and powerful, then TrueCrypt.org has free open source tools for Mac, Windows, and Linux machines. One of the features that I like is the ability to recover a forgotten password, which is probably the biggest fear in using any of these products. Another is that they will extract some performance from your system, but the current versions work well and without much system overhead.
If you want something more powerful than password protection, you can link the encryption technology to the Trusted Computing Module chip, or make use of the built-in fingerprint reader, both are part of most modern Windows laptops.
But if you want something that you can deploy across your entire organization, there are four principal vendors of whole disk encryption utilities that come with more management features and of course will cost some dough. They are PGP's Whole Disk Encryption and Secure Star's DriveCrypt, both of which are reviewed here about two years ago. There are also Utimaco's SafeGuard and MobileArmor's Data Armor. On all of them, you can set up security policies, recover passwords, and generally have a better view of what is going across your fleet of hard drives that are using this software. Figure on paying about $50 a seat if you buy any of these products in some quantity.
In my next post we'll look at some of the issues around using online backup service providers.
David Strom is a former editor-in-chief of Network Computing, Tom's Hardware.com and DigitalLanding.com and an independent network consultant, blogger, podcaster and professional speaker based in St. Louis. He can be reached at david@strom.com.
whoa, centrally managed, full-disk encryption
http://www.crn.com.au/Feature/5790,working-for-the-people.aspx
Well, a couple names come to mind:
"Governments and their public service departments are under the greatest legal pressure and the keenest media scrutiny. So data leakage and encryption requirements will be key within the government agencies. This represents a strong growth area for revenue since there is likely to be investment in new technologies such as centrally managed, full-disk encryption and data leakage prevention."
Vendors ship self-encrypting hard drives
http://www.itexaminer.com/vendors-ship-self-encrypting-hard-drives.aspx
Automatically secures and erases data in milliseconds
By Aharon Etengoff in San Francisco @ Friday, March 13, 2009 7:08 AM
Vendors have reportedly begun shipping self-encrypting hard drives based on specifications formulated by the Trusted Computing Group (TCG).
TCG's standards allow manufacturers to design self-encrypting storage devices capable of automatically securing and erasing data in milliseconds.
'TCG's new specifications for self-encrypting drives give users an easy, transparent way to protect important data on laptop PCs and in data centres. By purchasing systems with these drives, user data will be protected if the system is lost or stolen,' Seagate spokesperson Robert Thibadeau told IT Examiner. 'Self-encrypting drives also help enterprises comply with various data protection regulations and allow them to re-use drives more easily. All of these benefits come with no impact on system performance, which has been an issue with software-based encryption.'
Rob Enderle, president of Enderle Group, concurred.
'TCG's new storage security specifications and resulting drives from the vendors that support them have been needed for some time and address a number of high-performance, interoperability, and security concerns. This change represents a significant improvement for the storage industry and will benefit vendors as well as users who must protect their data,' said Enderle.
According to TCG, placing cryptographic operations in an actual drive ensures that the unit is always encrypted and protected by hardware that 'cannot be observed by other parts of the system.' In addition, self-encrypting drives do not interfere with system maintenance, compression, de-duplication, or end-to-end integrity metrics. TCG's specification supports AES and other cryptographic algorithms, as well as optional security features added by third-parties.
It should be noted that Fujitsu has already demonstrated drives based on TCG's Opal self-encrypting drive specification, while Seagate is working with IBM and LSI Corporation on data centre storage devices supporting the new standard.
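The PC World piece above (enter a password at boot, otherwise every file is scrambled) and the TCG self-encrypting-drive story (data secured and erased "in milliseconds") describe the same key hierarchy: sectors are encrypted under a per-drive data-encryption key (DEK) that never leaves the drive, and that DEK is stored only in wrapped form under a key derived from the pre-boot password. The model below is an added illustration written for this thread, not code from TCG, Seagate, Wave or either article's author. It goes one step beyond the articles by showing why an erase can be instantaneous: the drive discards the wrapped DEK and wraps a fresh one, and the old ciphertext on the platters becomes undecryptable without being rewritten. ToyEncryptedDrive, derive_kek and the SHA-256 counter-mode keystream are all constructed names; the keystream is a stand-in for the drive's AES engine, not a cipher to reuse.

```python
"""Toy model of password-unlocked full-disk encryption on a self-encrypting
drive. Constructed illustration, not any vendor's or TCG's code. SHA-256 in
counter mode stands in for the drive's AES engine."""
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32            # 256-bit keys
PBKDF2_ROUNDS = 200_000


def derive_kek(password, salt):
    """Key-encryption key (KEK) from the pre-boot password via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=KEY_LEN)


def keystream(key, nonce, length):
    """Counter-mode keystream built from SHA-256. Stand-in for AES only; a real
    drive uses a block cipher (typically AES in XTS mode) keyed by the media key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyEncryptedDrive:
    """Sectors are encrypted under a data-encryption key (DEK) that never leaves
    the drive. The DEK is persisted only in wrapped form, protected by the KEK."""

    def __init__(self, password):
        self._media = {}     # sector number -> ciphertext, i.e. what sits on the platters
        self._dek = None     # plaintext DEK, held only while the drive is unlocked
        self._wrap(secrets.token_bytes(KEY_LEN), password)

    def _wrap(self, dek, password):
        self.salt = os.urandom(16)
        kek = derive_kek(password, self.salt)
        self.wrapped_dek = xor_bytes(dek, keystream(kek, b"wrap", KEY_LEN))
        # The tag lets the drive reject a wrong password without exposing the DEK.
        self.tag = hmac.new(kek, self.wrapped_dek, "sha256").digest()

    def unlock(self, password):
        """Pre-boot authentication: the correct password unwraps the DEK."""
        kek = derive_kek(password, self.salt)
        check = hmac.new(kek, self.wrapped_dek, "sha256").digest()
        if not hmac.compare_digest(check, self.tag):
            return False
        self._dek = xor_bytes(self.wrapped_dek, keystream(kek, b"wrap", KEY_LEN))
        return True

    def lock(self):
        self._dek = None

    def is_locked(self):
        return self._dek is None

    def _sector_keystream(self, sector, length):
        return keystream(self._dek, sector.to_bytes(8, "big"), length)

    def write(self, sector, plaintext):
        if self.is_locked():
            raise PermissionError("drive is locked")
        self._media[sector] = xor_bytes(plaintext, self._sector_keystream(sector, len(plaintext)))

    def read(self, sector):
        if self.is_locked():
            raise PermissionError("drive is locked")
        ct = self._media[sector]
        return xor_bytes(ct, self._sector_keystream(sector, len(ct)))

    def raw_sector(self, sector):
        """What someone bypassing the drive firmware and reading the platters sees."""
        return self._media[sector]

    def crypto_erase(self, new_password):
        """Instant erase: discard the DEK and wrap a fresh one. The old ciphertext
        is left on the media untouched but can no longer be decrypted by anyone."""
        self.lock()
        self._wrap(secrets.token_bytes(KEY_LEN), new_password)
```

The management features the articles mention (remote unlock, password recovery, separation of admin and user roles) all operate on the wrapping layer: adding an administrator credential means storing a second wrapped copy of the same DEK, and rotating a user's password re-wraps the DEK without touching a single data sector.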
Wave's Q4 and Full Year Net Revenues Rose 75% to $3.3 Million and 40% to $8.8 Million -- Each Record Levels
Market Wire
4:03 PM Eastern Daylight Time Mar 12, 2009
Wave Systems Corp.
LEE, MA, Mar 12 (MARKET WIRE) --
Wave Systems Corp. (NASDAQ: WAVX), a leading developer of PC security
software and services, today reported results for the fourth quarter (Q4)
and year ended December 31, 2008 and reviewed recent corporate progress
and developments. Wave's Q4 2008 net revenues rose 75% to $3,291,000,
compared with Q4 2007 net revenues of $1,875,000, reflecting increased
software royalties, as well as growth in software license upgrades. For
the full year 2008, net revenues grew 40% to $8,810,000, compared to 2007
net revenues of $6,307,000.
Reflecting continued increases in Wave's software license activity, Q4
2008 billings, a non-GAAP measure of demand which reflects shipments and
license upgrade contracts signed during the period but which may be
recognized over future periods, rose 121% to $3,724,000 versus Q4 2007
billings of $1,686,000, and rose 62% versus Q3 2008 billings of
$2,297,000. For the full year 2008, billings grew 62% to $10,005,000,
compared to 2007 billings of $6,192,000.
As disclosed in prior quarters, Wave's software license upgrade sales are
recorded as deferred revenue and recognized generally over a 365-day
period. As a result of this treatment and the additional growth in Wave's
license upgrades during Q4 2008 (net of revenue recognized), deferred
revenue increased 41% or $433,000 to $1,484,000 at December 31, 2008,
compared with the deferred revenue of $1,051,000 at September 30, 2008.
For the full year of 2008, deferred revenue grew over 400% to $1,484,000
from deferred revenue of $289,000 at December 31, 2007.
As a result of expense-reduction programs initiated during the quarter,
Wave's Q4 2008 operating expenses (including cost of sales) decreased to
$6,560,000 versus Q4 2007 operating expenses of $7,230,000 and Q3 2008
operating expenses of $7,433,000.
For Q4 2008, Wave reported a net loss of $3,295,000, compared with a Q4
2007 net loss of $5,288,000, and a Q3 2008 net loss of $5,605,000. Wave's
Q4 2008 net loss attributable to common stockholders after accounting for
the accretion of a non-cash beneficial conversion feature on the Series J
and Series K convertible preferred stock issuances during the quarter was
$3,952,000, or $0.07 per basic and diluted share, compared with a Q4 2007
net loss attributable to common stockholders of $5,288,000, or $0.11 per
basic and diluted share, and a Q3 2008 net loss attributable to common
stockholders of $5,605,000, or $0.10 per basic and diluted share.
Per-share figures are based on a weighted average number of basic shares
outstanding in the fourth quarters of 2008 and 2007 of 58,708,000 and
49,699,000, respectively, and 57,896,000 for Q3 2008.
For the full year 2008, Wave reported a net loss of $20,549,000, compared
with a 2007 net loss of $19,952,000. Net loss attributable to common
stockholders after accounting for the accretion of a non-cash beneficial
conversion feature on the Series J and Series K convertible preferred
stock issuances in Q4 2008 was $21,206,000 for 2008, or $0.38 per basic
and diluted share, compared with a 2007 net loss attributable to common
stockholders of $19,952,000, or $0.43 per basic and diluted share.
Per-share figures are based on a weighted average number of basic shares
outstanding in 2008 and 2007 of 55,379,000 and 46,661,000, respectively.
As of December 31, 2008, Wave had total assets of $3,429,774.
Steven Sprague, Wave's President and CEO, commented,
"2008 was a year of steady progress, increased revenues and important
milestones for Wave, including the shipping of the 44 millionth copy of
our EMBASSY Trust Suite (ETS) software in December. We also continued to
make great strides in delivering an easy-to-use, easy-to-manage security
capability for Dell laptops and desktops. In August, Dell launched its new
E-series family of notebook and workstation PCs, replacing Dell's D-series
line. Dell made security a top priority with the E-Series, creating a new
interface called Dell Control Point with advanced security capabilities
including support for contact and contactless smart cards and integrated
biometrics for user authentication in the preboot mode.
"In other partner news, in Q4 Wave signed a distribution agreement with
Acer, the third-largest PC OEM in the world and an important industry
player in the Asia Pacific region. Acer began shipping ETS on its Veriton
line of business-class desktops in December.
"Wave also played an important role in the industry's debut of new full
disk encryption (FDE) drives from the leading FDE drive manufacturers,"
Sprague continued. "In Q4, we announced support for Fujitsu's new FDE
drives and for Seagate's next-generation of higher capacity, faster 7200
FDE drives. Industry awareness of these drives increased further last
month when the Trusted Computing Group published its much-anticipated Opal
storage security standard. The Opal standard is a significant step in
removing barriers for businesses interested in deploying FDEs, enabling
them to begin buying and using drives today, even in mixed environments.
Wave takes pride in the fact that our software is the only lifecycle
management solution compatible with all FDE drives on the market today, as
well as Opal-compliant drives in development. Full disk encryption is now
a simple security option that we believe new PC buyers should require. It
provides seamless, automatic factory-installed protection of your PC data.
"We have also continued to make progress on our sales of enterprise server
products that enable companies to manage their trusted devices. While we
are making advances, the rate of adoption by IT departments continues to
be challenging. Hardware security as part of the PC can provide any
enterprise with significant benefits. Our objective is to be well
positioned as market adoption of trusted device management technology
continues to grow. We are also seeing growing interest at the federal
government level to leverage TPMs and FDE hard drives to secure the
government networks.
"Lastly, like many businesses trying to adapt to the global economic
downturn, Wave found it necessary to begin a series of cost-cutting
measures," Sprague added. "After successfully supporting NBC Universal's
online distribution of the Beijing Olympics, we elected to suspend the
TVTonic consumer media service and to explore opportunities to sell or
license the technology. Between these reductions in staff, substantially
reducing business travel and cutting other overhead expenses, Wave made
significant progress in reducing its expense rate. As a result of these
measures, which are continuing into 2009, Q4 2008 operating expenses
(including cost of sales) decreased to approximately $6.6 from $7.4
million in Q3 2008. With these and other ongoing expense reductions, we
believe operating expenses per quarter will continue to decrease toward a
range of $5.6 to $5.9 million.
"Despite taking these hard steps to reduce costs and continued concern
over the global economic landscape, we're encouraged by the strong
partnerships we have built with Dell, Acer, Intel and the world's leading
drive vendors. We are working to continue to capitalize on opportunities
in 2009 and beyond, including opportunities presented by the broad
installed base of trusted computing hardware and our EMBASSY Trust Suite."
Auditor's Opinion Letter Disclosure
Pursuant to Rule 4350 of the FINRA Marketplace Rules, Wave is announcing,
as it has done the past four years at this time, that its auditors'
opinion letter which will be contained in Wave's Form-10-K for the year
ended December 31, 2008 raises substantial doubt about Wave's ability to
continue as a going concern given its recurring losses from operations,
working capital position and its accumulated deficit.
Summary of recent progress/developments:
-- Wave Systems Corp. Awarded $750,000 Contract by DoD Agency. In January
2009, Wave filed an 8-K announcing that it will provide consulting services
in connection with a study to evaluate the implementation of trusted
computing solutions for an agency of the U.S. Department of Defense. The
term of the project is expected to be six months.
-- Wave Supports New Hardware Encryptions Industry Standard. Also in
January 2009, the first public version of the Trusted Computing Group's
Opal security subsystem storage specification was announced, giving vendors
a "blueprint" for developing self-encrypting drives that secure data. Wave
announced its support for the specification which will enable stronger data
protection and help organizations comply with increasingly tough
regulations aimed at preventing a data breach. Wave has developed or is
working on Opal-compliant FDE solutions with Fujitsu, Toshiba and Hitachi,
and Wave's FDE solution is currently shipping with Seagate DriveTrust(TM)
technology.
-- Wave Increases Royalties through Amended OEM Software License
Agreement. Under a new arrangement with Wave's largest OEM Customer,
disclosed in an 8-K filing in December, the per-unit royalties that Wave
receives for each OEM PC model shipping with Wave's EMBASSY Trust Suite
(ETS) software were increased by at least 100%, retroactive to November 1,
2008, and apply to all of that OEM's PCs shipped with Wave's software on or
after that date. As noted in the related 8-K, these royalty increases may
be cancelled prospectively by the OEM at any time on 30 days' written notice, and
the contract does not provide for guaranteed minimum royalties or shipped
quantities of units containing our software.
-- Fujitsu and Wave Systems Debut FDE Solution. Fujitsu Computer Products
of America, Inc. showcased its full disk encryption hard disk drive at the
Network World IT Roadmap Conference & Expo in San Francisco. The 2.5-inch
HDD is the first technology in the world that will meet the Opal Security
Subsystem Class (SSC) specification. Wave's management software provides
system administrators with capabilities including remote configuration,
lost password recovery and separation of administrative and user roles.
About Wave Systems Corp.
Wave provides software to help solve critical enterprise PC security
challenges such as strong authentication, data protection, network access
control and the management of these enterprise functions. Wave is a
pioneer in hardware-based PC security and a founding member of the Trusted
Computing Group (TCG), a consortium of nearly 140 PC industry leaders that
forged open standards for hardware security. Wave's EMBASSY(R) line of
client- and server-side software leverages and manages the security
functions of the TCG's industry-standard hardware security chip, the
Trusted Platform Module (TPM). TPMs are included on well over 300 million
PCs and are standard equipment on an increasing number of enterprise-class
PCs shipping today. Using TPMs and Wave software, enterprises can
substantially and cost-effectively strengthen their current security
solutions. For more information about Wave and its solutions, visit
http://www.wave.com.
Safe Harbor for Forward-Looking Statements
Under the Private Securities Litigation Reform Act of 1995. This press
release may contain forward-looking information within the meaning of
Section 21E of the Securities Exchange Act of 1934, as amended (the
Exchange Act), including all statements that are not statements of
historical fact regarding the intent, belief or current expectations of
the company, its directors or its officers with respect to, among other
things: (i) the company's financing plans; (ii) trends affecting the
company's financial condition or results of operations; (iii) the
company's growth strategy and operating strategy; and (iv) the
declaration and payment of dividends. The words "may," "would," "will,"
"expect," "estimate," "anticipate," "believe," "intend" and similar
expressions and variations thereof are intended to identify
forward-looking statements. Investors are cautioned that any such
forward-looking statements are not guarantees of future performance and
involve risks and uncertainties, many of which are beyond the company's
ability to control, and that actual results may differ materially from
those projected in the forward-looking statements as a result of various
factors.
All brands are the property of their respective owners.
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Statements of Operations
(Unaudited)
                                                   Three Months Ended          Twelve Months Ended
                                                      December 31,                 December 31,
                                                        2008          2007          2008          2007
                                                 -----------   -----------   -----------   -----------
Net revenues:
  Licensing                                        3,248,746     1,869,672     8,691,576     6,223,487
  Services                                            41,990         5,647       118,239        83,473
                                                 -----------   -----------   -----------   -----------
Total net revenues                               $ 3,290,736   $ 1,875,319   $ 8,809,815   $ 6,306,960
                                                 -----------   -----------   -----------   -----------
Operating expenses:
  Cost of sales - licensing                          169,207       223,006       736,429       781,675
  Cost of sales - services                            30,955         8,902        87,752        30,295
  Selling, general, and administrative             3,785,985     4,127,595    16,375,372    15,222,896
  Research and development                         2,126,563     2,870,625    11,702,776    10,557,937
  Write-off of impaired assets                       447,128             -       447,128             -
                                                 -----------   -----------   -----------   -----------
Total operating expenses                           6,559,838     7,230,128    29,349,457    26,592,803
                                                 -----------   -----------   -----------   -----------
Operating loss                                   (3,269,102)   (5,354,809)  (20,539,642)  (20,285,843)
Net interest income (expense)                       (25,437)        67,252       (9,572)       334,292
                                                 -----------   -----------   -----------   -----------
Net loss                                         (3,294,539)   (5,287,557)  (20,549,214)  (19,951,551)
Accretion of non-cash beneficial conversion
  feature on Series J and Series K
  Preferred Stock                                  (657,000)             -     (657,000)             -
                                                 -----------   -----------   -----------   -----------
Net loss attributable to common stockholders     (3,951,539)   (5,287,557)  (21,206,214)  (19,951,551)
Loss per common share - basic and diluted           $ (0.07)      $ (0.11)      $ (0.38)      $ (0.43)
                                                 ===========   ===========   ===========   ===========
Weighted average number of common shares
  outstanding during the period                   58,707,897    49,699,460    55,379,118    46,660,794
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Supplemental Schedule
(Unaudited)
                                                   Three months ended          Twelve months ended
                                                    12/31/08      12/31/07      12/31/08      12/31/07
                                                 -----------   -----------   ------------  -----------
Total net revenues                               $ 3,290,736   $ 1,875,319   $  8,809,815  $ 6,306,960
Increase (decrease) in deferred revenue              433,484     (188,827)      1,195,019    (115,034)
                                                 -----------   -----------   ------------  -----------
Total billings (Non-GAAP)                        $ 3,724,220   $ 1,686,492   $ 10,004,834  $ 6,191,926
                                                 ===========   ===========   ============  ===========
Non-GAAP Financial Measures:
As supplemental information, we provide a non-GAAP performance measure
that we refer to as total billings. This measure is provided in addition
to, but not as a substitute for, GAAP total net revenues. Total billings
means the sum of total net revenues determined in accordance with GAAP,
plus the increase or minus the decrease in deferred revenue. We consider
total billings an important measure of our financial performance, as we
believe it best represents the continued increase in demand for our
software license upgrades. Total billings is not a measure of financial
performance under GAAP and, as calculated by us, may not be consistent
with computations of total billings by other companies.
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Balance Sheets
(Unaudited)
December 31, December 31,
2008 2007
------------ ------------
Assets
Current assets:
Cash and cash equivalents $ 951,563 $ 3,714,030
Accounts receivable, net of allowance for
doubtful accounts of $16,364 and $-0-
at December 31, 2008 and 2007, respectively 1,701,829 1,165,385
Prepaid expenses 227,967 339,342
------------ ------------
Total current assets 2,881,359 5,218,757
Property and equipment, net 408,440 682,512
Other assets 139,975 136,587
------------ ------------
Total Assets 3,429,774 6,037,856
============ ============
Liabilities and Stockholders' Equity (Deficit)
Current liabilities:
Accounts payable and accrued expenses 7,655,834 3,253,320
Current portion of capital lease payable 63,537 -
Deferred revenue 1,484,044 289,025
------------ ------------
Total current liabilities 9,203,415 3,542,345
Long-term portion of capital lease payable 245,362 -
------------ ------------
Total liabilities 9,448,777 3,542,345
------------ ------------
Stockholders' Equity (Deficit):
8% Series I Convertible Preferred stock, $.01
par value. 220 shares issued and
outstanding (liquidation preference of
$968,000) in 2008 and -0- in 2007 2 -
Series J Convertible Preferred stock, $.01 par
value. 91 shares issued and outstanding
(liquidation preference of $364,000) in 2008
and -0- in 2007 1 -
8% Series K Convertible Preferred stock, $.01
par value. 456 shares issued and
outstanding (liquidation preference of
$1,276,800) in 2008 and -0- in 2007 5 -
Common stock, $.01 par value. Authorized
150,000,000 shares as Class A;
58,877,968 shares issued and outstanding in
2008 and 49,744,327 in 2007 588,780 497,443
Common stock, $.01 par value. Authorized
13,000,000 shares as Class B; 38,232 shares
issued and outstanding in 2008 and 2007 382 382
Capital in excess of par value 338,081,691 325,481,336
Accumulated deficit (344,689,864) (323,483,650)
------------ ------------
Total Stockholders' Equity (Deficit) (6,019,003) 2,495,511
------------ ------------
Total Liabilities and Stockholders' Equity
(Deficit) $ 3,429,774 $ 6,037,856
============ ============
Conference call: Today, March 12, 2009 at 4:30 P.M. EDT
Webcast / Replay URL: www.wave.com/news/webcasts
Dial-in numbers: 212-231-2903 or 415-226-5354
Contact:
Gerard T. Feeney
CFO
Wave Systems Corp.
413-243-1600
info@wavesys.com
Copyright © 2009 Thomson Financial. All rights reserved.