Encryption standards are here - but not for flash or tape
http://www.theregister.co.uk/2009/01/30/tcg_encryption_standards/
By Chris Mellor
Posted in Storage, 30th January 2009 15:11 GMT
Multi-vendor standards for self-encrypting storage devices are emerging through the Trusted Computing Group. But flash and tape drives are not included in them.
The new TCG specifications mean that drives which encode their contents can be interoperable with key managers and trusted platform modules and be interchangeable in storage arrays. Lose these drives or have them stolen and your data will be safe.
The Trusted Computing Group is a not-for-profit industry standards organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. Its primary goal is to help users protect their information assets (data, passwords, keys, etc) against theft and external software attacks.
It has issued three new standards covering PC clients, data centres and storage interfaces:
- Opal is a security subsystem class specification (https://www.trustedcomputinggroup.org/specs/Storage/Opal_SSC_FAQ_final_Jan_27_3_.pdf) for storage devices in PCs and notebooks
- The Enterprise security subsystem class specification (https://www.trustedcomputinggroup.org/specs/Storage/TCG_Enterprise_SSC_Specification_FAQ_Final.pdf) applies to data centres
- The Storage Interface Interactions Specification (https://www.trustedcomputinggroup.org/specs/Storage/Storage_Interface_Interactions_Specification_FAQ.pdf) (SIIS) applies to a storage device's interaction with access protocols such as SCSI, ATAPI, PATA, SATA, Fibre Channel and SAS
- A fourth standard issued late last year covers optical storage (https://www.trustedcomputinggroup.org/specs/Storage/TCG_Optical_Storage_FAQ_final_Oct_15_2008.pdf).
All the hard disk drive manufacturers - Hitachi GST, Fujitsu, Samsung, Seagate, Toshiba and Western Digital - support this. Indeed, Robert Thibadeau, the chair of the TCG's Storage Work Group, is a chief technologist at Seagate Research in Pittsburgh, Pennsylvania, although he is on long-term leave as a professor in the School of Computer Science at Carnegie Mellon University.
Thibadeau is quoted in the TCG press release, saying: "TCG’s approach to Trusted Storage gives vendors and users a transparent way to fully encrypt data in hardware without affecting performance so that data is safe no matter what happens to the drive."
These new standards will be widely welcomed - but they do not cover flash drives, neither USB thumb nor solid state drive (SSD) formats, nor tape drives. The TCG has various working groups, including mobile device and hard copy groups, but it does not have dedicated flash or tape groups.
The remit of the storage working group focusses on dedicated storage systems, which obviously include flash and tape technology devices. Also the various interfaces covered in the SIIS effort include ones used for tape drives, but neither the Opal nor the Enterprise specifications specifically cover flash and tape media drives.
An overview of the Enterprise specification says it enables the encryption of all user data on media and gives the example of Full Disc Encryption – FDE - a Seagate term.
There is no mention of any equivalent FTE - full tape encryption - and no mention of self-encrypting LTO4 tape drives. The LTO Consortium is not a member of the TCG although LTO Consortium members HP and IBM are. The third LTO Consortium member, Quantum, is not a member of the TCG. With the LTO consortium not being in the TCG there is no guarantee that LTO4 tape drives will be compliant with the Enterprise specification, potentially putting any tiered storage system combining disks and LTO4 tape at a disadvantage.
The TCG members' list doesn't include IMFT, Mtron, SanDisk or STEC who all make flash-based solid state drives.
The absence of a tape and flash media focus is a little puzzling as there is a TCG optical storage workgroup and its purpose (https://www.trustedcomputinggroup.org/specs/Storage/TCG_Optical_Storage_FAQ_final_Oct_15_2008.pdf) is: "to provide a set of specifications that enable the implementation of Trusted Optical Storage. Using standards-based encryption techniques and methodologies, the new optical specifications will allow users to create, edit, and share optical discs, with protection against theft or loss. An authority will be available to ensure interoperability among device manufacturers."
Substitute 'flash' or 'tape' for the word 'optical' and the omission of any flash and tape media focus from the TCG becomes more apparent.
The TCG believes the new specifications represent one of the most effective ways to ensure data is secure against virtual and physical attacks. There is an apparent and obvious gap waiting to be filled here, as lost and stolen flash drives and tape cartridges account for many of the terabytes of the data at risk circulating in the unknown and untrusted seas around the seamier edges of the information society.
Good for vPro = good for Wave:
http://au.sys-con.com/node/824417
Intel is building a SaaS platform "that will soon blanket Europe," according to the financial blog Seeking Alpha.
Intel reportedly confirmed that the widgetry involved its own Multi-Site Director along with managed services software from privately held Ottawa-based N-able Technologies.
Multi-Site Director lets IT consultants and resellers monitor, optimize and troubleshoot customers' PCs, laptops, servers and networks remotely.
The blog says Intel is asking a flat monthly for privilege and that it's bound to drive demand for its vPro hardware (the stuff that supports remote management).
It's supposed to be starting in Germany and the UK, where N-able coincidentally has offices, and will drive the scheme across Europe by late this year or next.
http://www.wavesys.com/news/press_archive/08/081103_Intel.asp#
Wave EMBASSY® Software Now Available on Intel® Desktop Boards Featuring iTPM
Lee, MA — November 3, 2008 — Wave Systems Corp. (NASDAQ: WAVX; www.wave.com) announced today that an OEM version of its EMBASSY® Trust Suite (ETS) is now bundled with motherboards featuring Intel® vPro™ technology with an integrated Trusted Platform Module (iTPM). The Intel® Desktop Boards DQ45CB and DQ45EK are designed for PCs manufactured primarily by white box distributors, providing users with embedded hardware for improved data protection and strong, multi-factor authentication for network access.
Intel’s Integrated Trusted Platform Module (iTPM) acts as a tamper-resistant storage vault for user credentials. Working in tandem, the iTPM and EMBASSY® software protect digital certificates by securing the user’s private cryptographic keys within the chipset hardware. This functionality is designed to be used in place of external tokens or smart cards and can improve user access control, while reducing overhead expenses. Additional new features for the Intel Desktop DQ45CB and DQ45EK include advanced, pre-boot authentication and single-sign on.
Hard Drive Makers Settle on Single Encryption Standard
Shane McGlaun (Blog) - January 29, 2009 10:10 AM
http://www.dailytech.com/Hard+Drive+makers+Settle+on+Single+Encryption+Standard/article14091.htm
And so they forged the encryption of power, one encryption to rule them all
With reports of sensitive and, at times, top-secret information being lost on the hard drives of notebook computers, keeping data safe is one of the most important things for business and consumers today. One problem is that hard drive makers often used their own encryption format, which made things confusing for the consumer.
ComputerWorld reports that hard drive makers have now agreed to use the same encryption method for full-disk encryption (FDE) that can be used across all brands of hard drives and SSDs. When FDE is enabled, the computer requires a password before it will boot and all data on the drive is encrypted.
The final specifications for the encryption standard were published this week by the Trusted Computing Group (TCG) and cover specs for FDE in notebooks, desktop and server applications. Robert Thibadeau from Seagate said, "This represents interoperability commitments from every disk drive maker on the planet. We're protecting data at rest. When a USB drive is unplugged, or when a laptop is powered down, or when an administrator pulls a drive from a server, it can't be brought back up and read without first giving a cryptographically-strong password. If you don't have that, it's a brick. You can't even sell it on eBay."
Settling on one single encryption standard will allow all drive makers to build security into all products, which will lower the cost of production and make it easier for users to secure the data on their computers.
This is big news for enterprise environments where a standard encryption protocol means less configuration and less hassle during installation along with less management down the road. The specifications allow encryption to be set by administrators and can’t be turned off by end-users.
One very important factor is that modern FDE has come a long way and now only marginally affects read-write speeds of hard drives. Writing data to an encrypted drive is almost as fast as writing data to a non-encrypted drive. The companies that are members of the TCG include Fujitsu, Hitachi GST, Seagate Technology, Samsung, Toshiba, Western Digital, Wave Systems, LSI Corp., ULink Technology, and IBM.
Analyst Jon Oltsik from Enterprise Strategy Group said, "In five years time, you can imagine any drive coming off the production line will be encrypted, and there will be virtually no cost for it."
The three specifications for FDE include the Opal spec, outlining minimum requirements for a storage device in a PC or laptop. The Enterprise Security Subsystem Class Specification is aimed at drives in data centers where minimum security configuration is needed during install. The final spec is the Storage Interface Interactions Specification, which details how the specifications interact with other standards for storage interfaces.
The specification supports PATA and SATA, SCSI SAS, Fibre Channel, and ATAPI. The three larger members of the group -- Seagate, Fujitsu, and Hitachi -- are already producing drives that support the standard. The specifications call for vendors to choose to use either AES 128-bit or AES 256-bit keys depending on the level of security wanted. The group points out that neither of these standards has been broken.
--------------------------------------------------------------------------------
Security-storage device specifications finalized
http://news.cnet.com/8301-17938_105-10151332-1.html
According to the Privacy Rights Clearinghouse, since January 2005 there have been more than 252 million records containing sensitive personal information compromised because of security breaches in the U.S.
Most of these breaches were because of the loss of computer equipment, more specifically the hard drive. When a laptop is stolen, chances are the information contained on its hard drive is worth a lot more than the value of the computer itself. And thousands of laptops are stolen each year.
For this reason, the Trusted Computing Group released Tuesday its final versions of three storage specifications designed to enable stronger data protection, including:
The Opal specification outlines minimum requirements for storage devices used in the PC client and enterprise markets. It outlines for vendors the required and optional TCG capabilities and specifies how to activate and customize the trusted storage device.
The Enterprise Security Subsystem Class Specification focuses on storage devices used in data centers and high-volume applications, where high performance is required. The specification defines encryption of data on media and enables support for strong access control to support organizational security.
Finally, the Storage Interface Interactions Specification specifies how the TCG's existing Storage Core Specifications interact with other specifications and standards for storage interfaces and transports. In short, it enables interoperability of trusted drives with existing hardware.
This is especially important as currently storage hardware vendors have already been using proprietary self-encrypting methods on hard drives. For example, Seagate uses Full-Disc encryption while Hitachi uses Bulk Data Encryption.
According to TCG, so far, most major storage vendors have announced their support, either fully or in part, to the group's new set of specification. These vendors include: Hitachi, Seagate, Toshiba, and Fujitsu.
Trusted Computing Group’s Storage Work Group releases latest storage specifications
http://www.wwpi.com/ctn-headlines/6595-trusted-computing-groups-storage-work-group-releases-latest-storage-specifications
Tuesday, 27 January 2009 11:39 Editor
The Trusted Computing Group (TCG) released final versions of three storage specifications that will enable stronger data protection, help organizations comply with increasingly tough regulations and help protect important information from loss and theft.
The Privacy Rights Clearinghouse estimates that in the United States alone 251,154,519 records have been lost or stolen since January 2005*. Some 12,000 notebook PCs are lost or stolen in airports in the United States, with only 33 percent recovered by owners.**
Said Robert Thibadeau, chair, Trusted Computing Group Storage Work Group, "Lost and stolen data costs industry and consumers hundreds of millions of dollars, not to mention loss of credibility, legal issues and lost productivity. TCG's approach to Trusted Storage gives vendors and users a transparent way to fully encrypt data in hardware without affecting performance so that data is safe no matter what happens to the drive."
TCG's Storage Work Group has been working on specifications to add security to PC and data center storage devices. These final specs, known as the OPAL Security Subsystem Class Specification for PC clients and the Enterprise Security Subsystem Class Specification for data center class storage, now are available with an additional specification, the Storage Interface Interactions Specification, that focuses on interactions between these storage devices and underlying SCSI/ATA protocols.
Both storage device specifications give vendors a blueprint for developing self-encrypting storage devices (e.g., hard drives) that lock data, can be immediately and completely erased and can be optionally combined with the Trusted Platform Module, or TPM, on most commercial PCs for safekeeping of security credentials.
Companies supporting this announcement include software vendors CryptoMill, ULINK Technology, Wave Systems and WinMagic and HDD vendors Fujitsu, Hitachi, Toshiba, Seagate Technology and Western Digital.
Microsoft's metered pay-as-you-go patent.
It's Trusted Computing Mark Two but worse
FSM Columnist: Gary Richmond, 2009-01-27
http://www.freesoftwaremagazine.com/columns/microsofts_metered_pay_you_go_patent_its_trusted_computing_mark_two_worse
This time, Microsoft may have outdone themselves with a proposed patent of such breathtaking hubris that it makes their previous FUD pale by comparison. If it comes off it will either be a licence to print money (Redmond’s version of Quantitative easing?) or the biggest Pyrrhic victory in the history of computing since Steve Jobs refused Bill Gates and hardware vendors a licence to use Apple’s OS and software.
When you first read about Microsoft’s proposed patent you are suffused with the glow of righteous anger but before you get carried away, stop. Stop and think. This patent might just be, to mix my metaphors, a Trojan Horse and the straw that breaks the Camels’ back. Windows users seem to possess a high pain tolerance (I only lasted until Windows ME before I broke and confessed to anything and everything) but this just might tip some of them over the edge. As homeless refugees they could be receptive to seeking asylum in the Republic of Unixland. Let’s find out why.
What’s in a number?
Here’s a number: 20080319910. It obviously isn’t a geometric progression or a Fibonacci series, but it may turn out to be very significant. It’s a patent number and it is a Microsoft patent application. It was filed back in June 2007 but published on Christmas Day 2008. Simply put, Microsoft want to patent pay-as-you-go computing. If, like me, you have switched to a non-contract mobile phone, you are familiar with the concept; however what Microsoft is proposing is not charging for a net or phone connection per se, but for renting a discounted/subsidised computer and being charged for using it and the software at the other end. There seems to be three levels of charge:
(1) metered charging by the hour for using software
(2) one-off charge
(3) charging structure based on hardware usage utilized for specific software tasks
Richard Stallman warned about “cloud computing” calling it “worse than stupidity”. He was thinking about Google services like Gmail and Google Docs, which at least have the virtue of being free (as in cost); but such usage raises questions about ownership, interoperability and access. Microsoft wants to charge for it. However, that looks positively benign when compared with item three. Charging for software as a service is not new: FlexGo was launched by Microsoft in 2006 and targeted at countries in South America and the Third World where GNU/Linux poses a real challenge. It was father to Pay as You Go (PAYG), its bastard offspring. As the minstrel from Duluth said, you don’t need to be a weather vane to know which way the wind blows. What is really disturbing about this patent application is Microsoft’s ambitions for hardware control to facilitate this pay as you go model. The Devil is in detail.
All your data are us, and now your hardware too
If you thought that details of trusted computing were grim, the patent to impose a charging structure on a PC’s hardware relative to software usage would tax the greatest genius of Jesuitical casuistry. If you were impressed by the talents of now defunct investment bankers to leverage profit from packaged sub-prime pyramid schemes then Microsoft’s wheeze would earn them a place on the board of Lehman Brothers.
So, you’re paying fees to access software, you’re paying to use the hardware on the computer too. That’s bad but it gets a whole lot worse when you read on and discover that Redmond are up to their twin obsessions: security and vendor lock in. The patent envisages a security module embedded on the computer chaining that machine and the user to a specific supplier (“The security module is discussed in more detail with respect to FIG. 5, but briefly, each security module 28, 30, 32 may have a processor, a secure memory, and a cryptographic function, implemented in hardware or software, for supporting metering operations, value add packet processing, and self-sanctioning of pay-per-use computers not in compliance with their contractual terms” as the patent terms it).
Cryptographic encryption and hardware lock down are central to pay per view:
Initial configuration of pay-per-use computers 12, 14, 16 may involve not only the installation of keys binding the pay-per-use computers 12, 14, 16 to the fulfillment center 26, but also installation of keys used for internal configuration and communication of scalable internal resources that set operation in a particular mode. Additionally, software or firmware in the pay-per-use computers 12, 14, 16 may be installed or activated
It is clear from this that Microsoft would have effective control over your machine. For the “metering agent” to function requires a degree of control that virtually renders the user hardware configurations obsolete and irrelevant:
the metering agent may manage setting a performance level for its associated component, in this case, the disk drive 205, and may also measure usage of the component, when required. Performance level in the disk drive 205 may be set by tuning one or more of cache size, data transfer rate, available disk space, etc. To accomplish this, the metering agent 228 may take steps appropriate to the performance level being controlled. If cache size is controlled, affecting overall read and write speed, the metering agent 228 may control a setting that manages cache memory allocation, similar to the way a BIOS controls overall memory configuration in a computer. That is, during operation, the controller 206 may receive configuration data information responsive to an event and the metering agent 228, in the role of the BIOS, may supply the configuration data according to the current performance level setting. The event that triggers such a programming of the controller may be the receipt of a new performance level setting at the metering agent 228
Even the technologically challenged will have a vague notion that the processor might just be rather central to a computer and the metering agent has plans for that too:
The processor 204 may include instruction memory 221, such as microcode, and may have one or more cores 222, 224, 226, for executing program instructions. The processor 204 may include metering agent 220. A metering agent embedded in a processor, such as processor 204, may have more implementation options than a metering agent used in other components. Because the processor 204 has so much control of computer operation, scalable use may be based on instruction set, memory used, execution speed, etc.
Nothing is spared. Memory is next:
The memory 208 may implement scalable performance in several ways, such as limiting the memory size or limiting the memory speed. The metering agent 230 may trap address commands above a certain address, slow the data clocking rate, or use a combination of both. Memory size limit changes may be restricted to restarts because an on-the-fly change in memory size may cause system instability, but dynamic page swapping algorithms may remove this restriction. Alternatively, or in combination with the memory 208, a bus controller (not depicted) associated with memory access may implement similar measures to restrict memory access.
The list of targeted hardware goes on: video controllers, graphic cards to mention two. You get the idea, but I’ll refrain from listing any further components for reasons of space and unnerving the reader. Suffice to say, upgrading/hacking a computer with this configuration will make the howls of protest from Vista users look like a whimper. The patent is very detailed and the summary reveals the fundamental purpose behind this patent from Hell:
In summary, the system and methods described above allow use of an entirely different business model for manufacturing and collecting revenue from a computer asset. Rather than creating highly customized, but still overbuilt, computers for an individual user, a standard model can be created. Improved component and system-level yields already make many performance-related product grade-outs obsolete, allowing cost-effective sale of a computer with very high maximum performance levels. Because the computer user is only charged for the performance level and features actually used, the user can select to modify the performance to suit his or her needs and budget. Although the cost of ownership over the life of the computer may be higher than that of a one-time purchase, the payments can be deferred and the user can extend the useful life of the computer beyond that of the one-time purchase machine. A security mechanism that enforces payments may also be supported by the security module 202 and is discussed elsewhere.
It’s the hardware man, Microsoft digs the hardware
Given the extraordinary degree of control mooted by this pay as you go model, you wonder what the fate would be for external storage devices and their associated USB ports and other bus-powered peripherals. What happens if you upgrade components or remove or clone the hard drive to another unrestricted computer? If Microsoft have their way it would be fast forward to the past with something close to dumb terminals and mainframes.
The best line in this patent application is the claim that metered pay as you go will help the user to extend the life of their computer and so save money! And there was I thinking that Microsoft were only interested in squeezing out yet more financial pips. I could have told them that GNU/Linux users have been doing that for years by customising distros that could run on a toaster with 640KB of memory. Surely it is only a matter of time before Microsoft apply for a patent to extract blood from a stone—and you’ll be paying for it.
I’m tempted to say that this idea needs to be strangled at birth, but perhaps I’m being a little hasty. Why kill the Goose that might lay the golden egg. Never interfere with someone hell bent on committing commercial suicide and treating its customer’s computers like their personal property. Then again, we might flatter ourselves that in addition to always being on the lookout for new revenue-raising opportunities Microsoft’s patent application might be a pre-emptive move to deal with the challenge of free and open software—especially if netbooks are the coming thing and Vista run on them like a tractor in a swamp. They can’t extend Windows XP indefinitely for commercial reasons. GNU/Linux is not so constrained. We could take the patent as a kind of back handed compliment.
Of course, it’s not compulsory. If this patent ever escapes into the wild it might appeal to businesses obsessed with lowering Total Cost of Ownership (TCO) but for the average user it would reduce them to digital Helots. Besides, with hardware vendors tied even more tightly to Microsoft, what sort of computers are going to be made?
Are manufacturers going to produce two classes of machine, one for Microsoft metered Pay as You Go motherboards with compromised hardware and another without? Or are we moving towards the Henry Ford school of computing: any colour you like as long as it’s black? It is not surprising therefore that some people have already been doing back of the envelope calculations to cost a user profile based on the software they would access online, especially games.
It seems, and this is the good news, that it would be cheaper to build your own computer with off the shelf components every few years to keep up to speed rather than effectively rent your machine from Microsoft to counteract obsolescence. People who do that are invariably users of free software. Games will seem particularly expensive as they are processor and graphic card intensive and Microsoft appear to be following a kind of parallel to those ISPs who want to introduce traffic shaping to throttle bandwidth (bad news for BitTorrent which many in the free software community rely on for distribution of GNU/Linux ISOs).
Can’t pay, won’t pay
And what happens if Microsoft hike the costs and it becomes a case of can’t pay, won’t pay? You walk away, but can you take all your data with you? Who owns it? If you fall on hard times and can’t pay, this patent would give Microsoft the ability to disable your machine and lock you out of your own files. Combined with the control freakery of trusted computing, Microsoft seem determined to make computing as pleasurable as a root canal. They would turn users into their personal ATMs.
That financial metaphor is not perhaps as far fetched as it sounds. PAYG is predicated on a prepaid or billed account, so when Microsoft plead that they only want to help poor people in the Barrios of Brazil or the slums of Delhi to access affordable computing, what they really mean is that they want access to their credit cards—a common possession of course in the Third World.
I am not a technical expert and I’m not a patent lawyer either. This patent needs their expert eyes. The combined skills of the Free Software Foundation (FSF), Lawrence Lessig and Eben Moglen are needed to put it under the forensic cosh. (I am particularly interested in what it would mean for Novell’s IP tie-up with Microsoft.) I would give a King’s ransom to see the reaction on Richard Stallman’s face as he reads this patent over his breakfast cereal. He might need the Heimlich manoeuvre. In the meantime we all need to re-acquaint ourselves with what free computing really means and why it matters so much by reading Stallman’s essays and Lawrence Lessig’s books too. Again.
Of course (and I kept the best for last), all of this has been rendered hypothetical as the patent has been rejected by the US Patents & Trademarks Office. In a letter to Microsoft the terminology of the patent was deemed to be “fuzzy” and certain ideas rejected as already having been patented (worrying in itself, and which ones?). That’s a relief, but Microsoft can appeal and initial rebuffs have never deterred it before. Like Churchill’s description of the Soviets, they will probe and probe until they find an open window and invite themselves in. Breaking and entering. It’s what they do and, like Arnie, they’ll be back.
Windows users are an irrationally loyal lot for whatever reason but if a patent like this ever gets off the ground in some re-jigged format and doesn’t precipitate mass defections to free software and free operating systems like GNU/Linux then it will be a frosty Friday in Hell before it ever becomes the year of GNU/Linux on the desktop.
Interoperability key to electronic health overhaul
http://www.nextgov.com/site_services/print_article.php?StoryID=ng_20090112_4187
As congressional leaders work on language to incentivize a nationwide system of electronic health records into a stimulus package and upcoming healthcare legislation, Booz Allen Hamilton and the Federation of American Hospitals today urged that lawmakers find ways to enhance the flow of health data and communications among patients and providers. They want Congress to get this done instead of focusing only on the adoption of electronic medical records.
The groups warned in a report that health IT efforts cannot occur in a vacuum -- and even when data is electronic, it is not automatically shared "outside of organizational or network firewalls, or across organizational boundaries." Concerns about interoperability were a major component of health IT discussions on Capitol Hill last year, and various proposals were incorporated into bills that came before both chambers.
Attention to eliminating paper-based records in areas such as prescriptions, lab results and medical imaging is critical as more attention is paid to facilitating electronic health systems, the report stated. The organizations called for reforming payment systems; defining, implementing and creating standards for a national health information exchange; fast-tracking a nationwide e-prescribing network; and assuring availability of pharmacy, lab and imaging histories at the point of care.
To create a "patient-centered" healthcare system, individuals must be granted consistent, secure, and timely access to their health records and the ability to communicate with clinicians about it, the report said. The document suggests creating a voluntary authentication system whereby individuals can choose a unique personal identifier for purposes of care and research.
The report follows the unveiling of a bill Friday, sponsored by Sens. Debbie Stabenow, D-Mich., and Olympia Snowe, R-Maine, that is likely to be the first of many health IT bills. The measure would create a grant program for healthcare providers to help cover costs for the purchase, lease or installation of software and hardware. Grants would be targeted toward "safety-net" providers that see a high percentage of Medicare, Medicaid, and State Children's Health Insurance Program beneficiaries and rural providers.
The senators also sent a letter to President-elect Obama encouraging him to incorporate their proposal in the upcoming recovery package. Legislative strategies for advancing health IT will be discussed Thursday when Sen. Barbara Mikulski, D-Md., will chair a Health, Education, Labor and Pensions Committee hearing on the topic.
Mobile VoIP and “The Cloud”
http://www.tmcnet.com/voip/1208/mobile-voip-and-the-cloud.htm
Over the years it has been called “Grid Computing”, “On Demand”, “Distributed Computing” and “Software as a Service” however I think that unless you are Larry Ellison we call it “Cloud Computing”.
Microsoft has abandoned trying to fix Vista and replaced it with the Azure Cloud Services Platform, Amazon has already proven the value of Cloud Computing with the Elastic Web and Google’s Application Engine launched like a rocket. I think I’m in pretty good company when I say that Cloud Computing has arrived.
That said we still have a way to go before we cut the cord and move cloud based applications into the mobile world. With Apple and RIM significantly restricting applications on their mobile platforms this leaves only OpenMOKO and Android as potential platforms that provide the development community the necessary openness to ensure competitive access to the mobile platform.
Information is only valuable if we can access it when we need it the most and that seems to be more often at the end of a cell phone. It is no wonder why the presentation of the iPhone’s display and interface became such a hit. It was not just the disintermediation of the carriers’ grip on applications and services available over the wireless network, it was the presentation of content and applications that drove rapid acceptance. As more mobile devices with great displays and better user interfaces appear, the developer community will move quickly to support the untethered with maturing Cloud-based applications. We already see such great examples as Salesforce and LinkedIn.
I will no longer be concerned about backing up my files or where a particular report is or even trying to remember in which contact manager my address book is stored. Soon we’ll be able to pick any phone or mobile device and have full access to our applications, services, and information. This will happen without the need to remember different userIDs or Passwords, as is possible today in most every laptop installed with a Trusted Platform Module or the “TPM”. More on that next month. . .
For more information on Grid Computing see the Open Grid Forum (OGF) at www.ogf.org.
4X, one other thing to consider......
While it's recognized over a twelve month period, Wave banks the entire revenue up front and has it available to spend.
FM
XXX, you're right!
I'm a west coaster! I've removed it.
thanks
Root inside: researchers claim crack for Intel's vPro
By Jon Stokes | Published: January 07, 2009 - 09:11AM CT
Two security researchers based in Poland claim to have cracked Intel's vPro—specifically the trusted execution technology (TXT) part formerly known as LaGrande. Little is currently known about the crack, which the team will fully unveil at the forthcoming Black Hat conference in Washington. They have revealed that it involves two stages, and that an attacker can use it to "compromise the integrity of a software loaded via an Intel TXT-based loader in a generic way."
The first stage of the attack [PDF] is apparently based on "an implementation flaw in a specific system software," specifically the part that loads trusted code into memory. The second stage exploits the design of the current release of TXT.
The researchers, who work for a group called Invisible Things, claim to have found more than one implementation flaw that can enable the first stage of the attack, and Intel will be releasing information to the developer community on how to make your applications immune to it. The design-based exploit will presumably be addressed in a later release of TXT.
Right now, few people are actually using TXT, so the impact on Intel's customer base should be pretty minimal, if any. But it has to bother the company that an exploit was even found at all.
vPro is a critical link in Intel's larger vision for networked computing. At this past IDF, I talked with Intel's Andy Tryba about the company's vision of widespread remote tech support—instead of walking my aunt through a troubleshooting session over the phone, Intel would like to see me remotely and securely log into her machine and fix it. Or, Apple could remotely and securely log into her machine, if she's a Mac user.
Obviously, such a support scenario would need a lot more than just vPro, and Tryba acknowledged that. vPro is only a building block out of which a company like Apple or Best Buy, or a third party software developer, could build a complete remote support solution. But of course, that building block has to be secure before users will feel comfortable handing over the keys to their machine to a faceless corporation (or to their nephew).
With so few details of the attack made public, it's difficult to assess its potential impact. In a statement to InfoWorld, Intel merely indicated that they're working with Invisible Things on addressing the issue.
Network access control: Hot technology for 2009
http://www.networkworld.com/supp/2009/outlook/hottech/010509-nine-hot-techs-nac.html
After the shakeout
By Neal Weinberg, Network World, 01/05/2009
Network access control has been a hot, fun topic for the past couple of years.
Epic standards battles pitted Cisco against Microsoft, each having its own terminology and approaches. And who could forget the Trusted Computing Group, which, with its own architecture, acted as a wild card?
Then there was the horde of third-party vendors offering to handle a company's NAC needs if it didn't want to wait for Cisco and Microsoft to deliver on their promises.
Last year was a turning point for NAC, however. The standards battles appear to have been resolved, and everything looks like it's falling into place. Customers apparently decided to wait for Microsoft to deliver its NAC products - and that left many third-party vendors out in the cold. A lot of them went under, including Caymas Systems and Lockdown Networks.
And because Network Access Protection (NAP, Microsoft's version of NAC) comes with Vista and Windows Server 2008, deciding to go with Microsoft has become a no-brainer for many customers. NAP represents a clear choice, rather than a technology that requires extensive research, RFPs, product tests and evaluations, and so forth.
NAP even proved itself in a recent product evaluation Forrester Research performed to determine which NAC tools would solve real-world deployment problems. Microsoft came in first, followed by Cisco and Juniper Networks.
This year the questions for customers will be where do we deploy NAC, and how many NAC features do we turn on? Most customers today are using NAC just to control guest access. That's important, but the technology can do more. On the pre-admission side, it can scan user devices, determine whether they are clear of viruses, check to see if patches have been updated and quarantine the device if security conditions aren't met. On the post-admission side, it can make sure that a clean machine remains that way, and that users access only those parts of the network to which they have authorization.
These important functions are ones that every IT exec should be implementing.
Secure Magazine
new edition: http://www.silicon-trust.com/publications/secure15.pdf
2009: Year of mergers, platform changes and conservation
http://www.tgdaily.com/html_tmp/content-view-40728-128.html
Large companies, in an effort to contain costs, are already requesting corporate configurations of Netbooks, which need things like fingerprint readers and trusted platform modules to comply with security requirements. Even IBM is behind this platform.
The Downside of Laptop Downsizing
December 22, 2008
http://www.itworld.com/small-business/59650/downside-laptop-downsizing
ComputerWorld has a nice article that points out some reasons that the new netbook craze may be a bad choice for some companies (Small Laptops Pose A Big Security Risk). This is a good warning to companies, especially those larger companies regulated by various federal and ethical rules, that smaller laptops may lose some critical security support.
Of course, the rules for the new mini-laptops should be the same as those for your other laptops: use a label service to track lost ones, use encryption if any customer records are stored there, and be careful accessing your company network using wireless.
The problems come with some of the features left out to keep both the size and price as tiny as possible. Since they're aimed at consumers, most netbooks don't include a hardware chip called TPM for Trusted Platform Module that helps with encryption. Larger and more expensive laptops with TPM support encryption for the disk and for the entire system, often with biometric support like a fingerprint reader. These fully equipped laptops may be larger, but not all that more expensive. HP offers encryption and biometrics on their small business laptops starting at $629.
Larger companies should have in place rules and policies to enforce better user security behavior. My concern is for the smaller companies buying these because they're cheaper and easier to carry. Don't be seduced by the low price and pay a huge penalty for storing critical business information on an easily lost, not well protected little laptop. The money you save with the purchase will be long forgotten when explaining to customers why their account information disappeared along with your netbook.
Executive outlook: What's hot in 2009
http://www.embedded-computing.com/articles/id/?3686
"Security of devices, data, and network access is one of the industry's biggest problems and biggest opportunities. Trusted Computing Group is working to expand industry knowledge regarding the usage of the Trusted Platform Module (TPM), which is not only in virtually all enterprise PCs, but also in many servers and most new embedded PC hardware. We are also looking beyond devices to the data on them by enabling self-encrypting hard drive technology for true data-at-rest solutions in many enterprise PCs and other non-PC devices. In addition, the network, which is frighteningly vulnerable to data loss and breach in many organizations and for end users, also benefits from the TPM".
Brian Berger
Board Member and Marketing Work Group Chair, Trusted Computing Group
www.trustedcomputinggroup.org
Executive Vice President, Marketing and Sales, Wave Systems
www.wave.com
Leaders call for bolder security agenda
12/12/08
By Wyatt Kash
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=47732
A variety of existing measures could significantly improve the security of government information technology systems in the next two years, but agencies must look at IT security vulnerabilities as a threat to agency missions, not just their networks, if needed security improvements are to be made, experts said at a cyber security conference in Washington this week.
The scope and sophistication of attacks on public and private networks continues to escalate at alarming rates, said Melissa Hathaway, senior advisor and cyber coordination executive for the Director of National Intelligence.
“We’re facing the dangerous combination of known and unknown vulnerabilities, strong adversary capabilities and we have weak situational awareness,” Hathaway said, speaking at a conference on cyber space challenges held by the Armed Forces Electronics and Communications Association. Insider threats to government networks, in part from phishing schemes and other unauthorized access, have increased 52 percent during the past 18 months, she said.
“We’re at an inflection point,” she said, noting that at least the attention being devoted to cyber attacks has resulted in a new level of public and private sector cooperation and support for finding ways to combat the problem. But “we have a long way to go,” Hathaway said in developing greater situational awareness, defending against attacks, managing risks in the global supply chain, educating the public, and working with the private sector to improve deterrence.
Many of the solutions already exist, said Bob Gourley, chief technology officer of Crucial Point LLC.
“We can improve security by two orders of magnitude within the next 24 months,” he said, referring to the number of network intrusions, by doing a better job with identity management, authentication, insider threat modeling and analysis, digital rights management, and speeding up collaborative efforts.
At the same time, Gourley acknowledged that the need for standards and cumbersome procurement processes represent significant hurdles that still must be overcome. The real risk of not moving faster on security matters goes beyond the government’s networks, said Mischel Kwon, director of operations for the U.S. Computer Emergency Readiness Team at the Department of Homeland Security.
“We use technology differently than we did five years ago --even two years ago,” she said. “It’s an integral part of our mission. With that change, [so have] the attacks changed. We need to think of them not as attacks on our systems but attacks on our missions,” she said.
Kwon stressed the importance of developing new tools, new tactics and new techniques “to detect, to mitigate, and then reflect” on the nature of the attacks. “We need to think about what information assurance changes” and changes in policy and technology we need to support a “complete feedback loop”; otherwise “we will continue to play whack-a-mole” with network intruders.
Civilian agencies, more broadly, also need to follow the types of procedures commonly used by the defense and intelligence communities for protecting their computer networks, particularly as information sharing becomes more essential to government operations, said Lt. Gen. Keith Alexander, director of the National Security Agency.
“We have to get the same processes and procedures into Homeland Security and other agencies, so they know their [network systems] are secure; and when those [networks] touch Defense, we know they're secure," he said.
At the same time, much also needs to be done between the public and private sector, said Bob Lentz, deputy assistant secretary of Defense for information and identity assurance.
“If I had a scorecard on public-private partnerships, there wouldn’t be very high scores,” he said.
He itemized several areas where improvements are needed. One is the need for research and development of leap-ahead types of technologies. Another is the need to establish more thorough standards, protocols and specifications, even if it means that industry must sacrifice a certain amount of proprietary work. He also said more work must be done to improve the acquisition process in government, which he described as “broken.” Additional efforts must also be made in improving the architecture of systems.
“People really understand we’ve got to work together, we can’t just try to work together,” he said.
Is Obama's Mac a National Security Risk?
Maybe he should get a Dell E-series!!!
http://www.darkreading.com/blog/archives/2008/12/is_obamas_mac_a.html
Storage device news highlights
http://www.yec-usa.com/blog/?p=89
Posted in December 2nd, 2008 by rwinters in Uncategorized
Just a quick overview of some of the more interesting events going on in the storage technology world:
Western Digital purchases Fujitsu’s HDD division, and now owns roughly 25-30% of the 2.5 inch market.
SSDs continue to grow in performance, with OCZ, Intel, MTron, and Samsung leading the way. But at the same time many major issues still remain, especially issues with fragmented free space, causing these drives to slow down by 80% after only six months of use. Many software companies such as Diskeeper are scrambling to create defragmenting software that can alleviate these issues.
FDE (Full Disk Encryption) hard drives have been around for some time, but recently Seagate began providing Dell with new generation FDE drives that Dell will offer in its notebooks. These drives will be near impossible to recover if the user forgets the password, or the firmware becomes corrupted. While these drives do make your data safe from notebook theft, it makes your data less safe from HDD failure.
Many new Hitachi GST drives are coming with drive stickers that do not cover the center lid screw. This means that you can remove the lid without any trace of doing so. This is bad for Hitachi and for data recovery companies. This means that any user, or low quality data recovery company can open these drives and wreak havoc upon them and as long as there is no visual damage no one would know. Hmmmm.
Intel and Hitachi GST announced that they are jointly developing SAS and Fibre channel enterprise SSD drives that are planned to ship in 2010.
Mundo.. that's old news:
Last February to be precise:
http://www.infineon.com/cms/en/corporate/press/news/releases/2008/INFAIM200802-047.html
Seeing is Trusting—Trust in Optical Storage
Tom Coughlin
Coughlin Associates
http://images.vertmarkets.com/crlive/files/downloads/37bb1286-65c1-4433-88f4-f978d9188a41/SeeingIsTrustingTrustInOpticalStorage.pdf
Optical discs are a major source of entertainment content and also a popular way to share, transport and back up data files. Security of optical discs has been problematic with inconsistent approaches to data encryption. News reports show the vulnerability of unprotected content on optical discs being compromised when discs with sensitive data are lost or stolen.
Putting Trust into Storage Devices
The Trusted Computing Group (TCG) is creating specifications for data storage devices with on-board encryption. The embedding of the encryption key within the storage device provides good data protection since the encryption key never leaves the storage device. Several hard disc drive products from Seagate Technology, Hitachi Global Storage Technology and Fujitsu incorporate on-board data encryption for laptops and even PCs. Encrypted laptop hard disc drives prevent access to the data on the drive if the laptop is lost or stolen. Efforts are underway to add such on-board data encryption to other storage devices such as magnetic tape, flash memory and optical discs.
Device level encryption can be extended into enterprises using various key management techniques. Key management allows central control of content access using encryption keys located in various storage devices and systems within an enterprise. These key management standards are being developed by members of the TCG working with other standards groups, particularly a subgroup of the IEEE 1619 standards group. Management of encryption keys in various storage devices will be an important element in enterprise encryption key management.
TCG Optical Storage Subgroup
The Optical Storage Subgroup of TCG provides a set of specifications that enable the implementation of Trusted Optical Storage. Using standards-based encryption techniques these optical specifications allow users to create, edit and share optical discs with protection against theft or loss and subsequent exposure of the recorded data to unauthorized users. As part of its charter, this group will create an authority that will be available to ensure interoperability among device manufacturers. Participating in the Optical Storage Subgroup are optical disc drive manufacturers, software vendors and designers of custom integrated electronic components. Storage, security management and storage integration vendors also participate in the subgroup.
The Trusted Computing Group Optical Storage Subgroup has created a Trusted Optical specification. The Optical Storage Subgroup specification enables implementation of Trusted Optical Storage. The new specification encrypts user data on standard recordable optical discs. It provides access control to support organization security policies with strong n-factor authentication and full disc encryption (FDE).
Trusted Optical Storage is implemented in optical drives using conventional optical media (currently CDs and DVDs). This means that the encryption is done at the logical data level rather than at the physical level. The TCG Optical Storage Security Subsystem class can be implemented externally where an optical drive that doesn’t match the specification is integrated into TCG compliant devices. It can also be implemented using a TCG compliant ASIC. Trusted Optical Storage can also be integrated into the optical device controller. These approaches will develop over time resulting in greater integration of encryption inside the optical drive.
The initial Trusted Optical Storage specification compliant products will utilize a USB to SATA bridge device where the encryption is performed on the bridge circuitry to provide data encryption. This is an example of the external implementation described above. These products offer a 2048-bit RSA secure channel for data in flight and use 128- and 256-bit AES encryption on the stored content.
At a recent TCG meeting, secure optical storage was demonstrated utilizing this encryption on rewritable optical media. The bridge device can be added to any optical disc recorder (CD or DVD) to make it a Trusted Optical Storage Device. These products will be shown publicly at the Trusted Computing Group booth at the 2009 Storage Visions conference (www.storagevisions.com) as well as at the 2009 Consumer Electronics Show (www.cesweb.org). The just released specification can be obtained through the Trusted Computing Group at www.trustedcomputinggroup.com.
Applications and Extension to Blu-Ray
Optical encrypted drives are initially targeted for applications such as government agencies, military data sharing, health records and financial service information. These industries are driven by the need to meet data security requirements including potentially embarrassing data security breach notifications. Extending the reach of TCG specifications to optical disc systems allows enterprises greater flexibility in creating compliant storage infrastructure with little or no additional storage management complexity or cost.
As is the case with encrypted hard drives, optical disc encryption is expected to spread to a much greater population of optical drives giving users the capability of a secure way of backing up and protecting their data on removable optical discs. This will be easier to do and done at lower cost as the encryption technology becomes embedded inside the optical drives rather than implemented using external bridge circuits.
The Optical Subgroup of TCG is also working with the Multimedia Commands working group within the ANSI/INCITS T10 (SCSI) standards committees to make sure that any required specification changes are dealt with in publicly available standards.
At present, the Trusted Optical initiative and initial products only cover “red” laser CD and DVD products. The TCG Optical Subgroup is expected to extend this to “blue” laser Blu-ray products in 2009. The initial products for Blu-ray write once drives will also use a USB to SATA bridge device to perform the encryption. Blu-ray write once and rewritable devices have recently become available. As these higher capacity optical discs become more common with increasing volume and lower prices, encryption will provide a better way to protect the greater amount of data and content.
About the Author
Tom Coughlin, President, Coughlin Associates is a widely respected storage analyst and consultant. He has over 30 years in the data storage industry. Tom is also the author of Digital Storage in Consumer Electronics: The Essential Guide, which was published by Newnes Press in March 2008. Coughlin Associates provides market and technology analysis (including reports on several digital storage technologies and applications and a newsletter) as well as Data Storage Technical Consulting services. Tom is the founder and organizer of the Annual Storage Visions Conference, a partner to the annual Consumer Electronics Show as well as the Creative Storage Conference that was recently held during the 2008 NAB. Tom is also a contributor to the Trusted Computing Group, writing articles and blogs on this technology. For more information, go to www.tomcoughlin.com.
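The property Coughlin's article rests on, that the encryption key is embedded in the storage device and never leaves it, is also what makes the earlier storage-news post's point true (forget the credential and the data is unrecoverable). The Go program below is an added example that is not part of Coughlin's article, of any TCG specification, or of any vendor's firmware; it models how a self-encrypting device is usually structured: a media encryption key (MEK) generated inside the device, stored only wrapped under a key encryption key (KEK) derived from the host credential, and used to encrypt sectors at rest. The concrete choices here (PBKDF2-HMAC-SHA256 with 10000 iterations for the KEK, AES-256-GCM both for wrapping the MEK and for sector data, the sector number as GCM associated data, the credential "hunter2" and the sample sector content) are this example's own assumptions and constructed values, not taken from the Opal, Enterprise or Optical specifications. It does not model the RSA secure channel between host and bridge that the article mentions for data in flight.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)
const kdfIters = 10000 // constructed work factor; real firmware would tune this

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first output block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}
func random(n int) []byte { // stands in for the drive's internal RNG
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never fails in practice and returns no error since Go 1.24
	return b
}
func gcm(key []byte) cipher.AEAD { // AES-256-GCM; every key passed in here is 32 bytes
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block) // neither call can fail for a 32-byte AES key
	return g
}
func seal(g cipher.AEAD, plaintext, aad []byte) []byte { // nonce is prefixed to the output
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(g cipher.AEAD, blob, aad []byte) ([]byte, error) { // strips the nonce, checks the tag
	if ns := g.NonceSize(); len(blob) >= ns {
		return g.Open(nil, blob[:ns], blob[ns:], aad)
	}
	return nil, errors.New("truncated ciphertext")
}

// Device models a self-encrypting drive: the media encryption key (MEK) is generated
// inside the drive and stored only wrapped under a key derived from the host credential.
type Device struct {
	salt, wrappedMEK []byte
	mek              cipher.AEAD       // nil while locked; the plaintext MEK never leaves the drive
	sectors          map[uint64][]byte // ciphertext at rest, keyed by LBA
}

func NewDevice(password []byte) *Device {
	d := &Device{salt: random(16), sectors: map[uint64][]byte{}}
	d.CryptoErase(password)
	return d
}
// CryptoErase replaces the MEK: old sectors stay on the media but can never be decrypted again.
func (d *Device) CryptoErase(password []byte) {
	kek := gcm(pbkdf2SHA256(password, d.salt, kdfIters))
	d.wrappedMEK = seal(kek, random(32), nil)
	d.mek = nil // locked until the host authenticates again
}
// Unlock: a wrong credential fails the GCM tag check on the wrapped MEK, so nothing is released.
func (d *Device) Unlock(password []byte) error {
	mek, err := open(gcm(pbkdf2SHA256(password, d.salt, kdfIters)), d.wrappedMEK, nil)
	if err != nil {
		return errors.New("authentication failed")
	}
	d.mek = gcm(mek)
	return nil
}
// Write and Read bind each ciphertext to its LBA through the AAD, so sectors cannot be swapped.
func (d *Device) Write(lba uint64, data []byte) error {
	if d.mek == nil {
		return errors.New("device locked")
	}
	d.sectors[lba] = seal(d.mek, data, binary.BigEndian.AppendUint64(nil, lba))
	return nil
}
func (d *Device) Read(lba uint64) ([]byte, error) {
	if d.mek == nil {
		return nil, errors.New("device locked")
	}
	return open(d.mek, d.sectors[lba], binary.BigEndian.AppendUint64(nil, lba))
}
func main() {
	d := NewDevice([]byte("hunter2")) // constructed credential
	fmt.Println(d.Unlock([]byte("wrong")), d.Unlock([]byte("hunter2"))) // authentication failed <nil>
}
```

Two things the structure makes visible: a wrong credential never yields a usable key, because the only way to the MEK is through the authenticated unwrap, so the forgotten-password data loss the storage-news post describes is the intended behaviour rather than a defect; and CryptoErase sanitizes the whole drive in one key replacement, which is what makes the "prevent data access after disposal" goal cheap compared with overwriting the media.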
Pentagon wants smart cards in play
http://www.gcn.com/online/vol1_no1/47645-1.html/?s=dailyNL
11/24/08
By Doug Beizer
Defense Department officials are taking steps to make Common Access Cards the single identity credential for authenticating federal employees, members of the military and contractors when they enter federal buildings or other restricted areas.
A request for information about making CACs the main credential for physical access was announced on the Federal Business Opportunities Web site.
CACs are now used for visual identification and access to computer systems. The cards are also used with public-key infrastructure tools for signing and encrypting e-mail messages.
“The CAC is now moving in a new direction, identified as the single identity credential for authenticating federal employees, contractors, military and other CAC-eligible personnel for physical access control systems,” the RFI states.
The Pentagon Force Protection Agency wants to deploy a physical access control system at the Pentagon that would confirm identities using a smart card-based system.
DOD officials want input from industry before a potential contract is announced and asked for information about companies’ experience with testing or installing readers.
They also want to know which card readers on the General Services Administration’s approved list can support existing smart cards.
Officials also want companies to describe their plans for developing middleware for card readers so they can identify various generations of CACs and explain how readers will interpret the data elements on the cards.
DOD officials plan to develop an alternative smart card for people who are not eligible to receive a CAC. CACs and alternative cards must store unique identity data, digital certificates and biometric information.
Hitachi's new drive
http://www.ciol.com/Technology/Storage/News-Reports/Hitachi-intros-half-terabyte-mobile-hard-drive/251108113066/0/
The drive is also expected to be the first in the industry to meet the forthcoming Storage Security specification established by the Trusted Computing Group (TCG), an organization focused on developing open industry standards for security hardware and software. The TCG Storage Security specification, targeting consumer and commercial applications, is intended to discourage HDD/system theft, as well as prevent data access after HDD/system disposal.
iPods, iPhones and the Enterprise Data Clampdown
http://www.technewsworld.com/story/65248.html?wlc=1227542919
It's rare that an enterprise IT department would let a worker bring in a personal notebook from home and tap into the company's main WiFi system without first insisting on a slew of device checks and configurations. However, iPhones and iPod touches in some ways have similar functions as notebooks. What's the best policy regarding them?
It's a safe bet that most enterprise employees don't haul their personal laptops into the workplace. However, with the ever-increasing capabilities of iPods and iPhones these days, are workers introducing new issues for IT security?
The Apple (Nasdaq: AAPL) iPod touch now comes with a whopping 32 GB of storage space and built-in WiFi capable of attaching to nearly ubiquitous corporate wireless networks. The iPhone doesn't currently have as much storage space, but it too has WiFi. While most organizations should be running relatively secure wireless networks, is there still a security risk?
More importantly, what are the best policies and strategies? Is there a simple answer policy for a corporate IT department to implement in regard to iPods? There appear to be three options:
1. No iPods anywhere in this office, no exceptions. Those things are the devil!
2. Bring 'em on. iPhones, iPods and other personal media players pose no real risk. Sync them to your desktop, surf the Web on our network, whatever. Just remember to get your work done, too.
3. The best policy lies somewhere in between ...
Try Option 3
"There isn't a technology in the world that doesn't present some sort of additional risk," Rich Mogull, an independent security consultant and publisher of Securosis.com, told MacNewsWorld.
"Right now, the risk of a network-connected iPod or iPhone is fairly minimal since it isn't really set up to allow downloading of large amounts of data locally. In fact, many organizations are even allowing remote access to internal Web-based applications over these devices," he said.
However, Mogull's general advice is to only allow managed devices on the network.
Ah, but What About Hacked iPods?
If employees have truly nefarious intent, it may be difficult to stop them from finding a way to steal corporate or customer data. A modified iPod or iPhone, it turns out, could be leveraged to inflict considerable pain and suffering.
"A WiFi-enabled iPod or iPhone is in every way equal to a notebook computer from a security standpoint. It can attach to the LAN (local access network), open file shares, remotely control computers using screen-sharing utilities, download gigabytes of data to take offsite, and once jail-broken, it can run a bash shell and virtually any hacker program in existence, including network scanners, cracking tools, and packet sniffers," Mel Beckman, a California-based system administrator and security expert, told MacNewsWorld.
Notebook computers, however, are used in the enterprise all the time, and increasingly with wireless networks. If modern iPods are essentially equal to notebooks in the need for security, how might they be any more problematic than a notebook?
"Alas, the iPod lacks several critical security features that are common to laptops like full-disk encryption -- especially hardware-based encryption using the Trusted Platform Module, which most business notebooks have today -- anti-virus and anti-phishing protection, and network access control (NAC) components that are becoming the enterprise standard for tapping into the corporate LAN," Beckman explained.
"The most sensible workaround I've seen is setting up a separate 'guest' WiFi network for iPods that sequesters iPods from the rest of the LAN. Of course, this limits the iPod's utility as an IT tool, but until the iPod has enterprise-class security features, I don't see how any organization can justify ad hoc iPod access," he added.
It's More of a Storage Device Issue
While a WiFi-enabled iPod or iPhone might present issues to networks that aren't locked down, the bigger issue, Mogull says, comes from storage devices in general. A USB thumb drive can be just as problematic as an iPod.
"There is likely less risk of an iPhone -- because of the lack of local file management -- on the wireless LAN than connected to a laptop or a desktop where you can store larger amounts of data," Mogull said.
"My recommendation is to allow these devices to be used, unless you are in a high-risk, high-security industry, and to use Data Loss Prevention/Content Monitoring and Protection (DLP/CMP) to restrict what content can go onto 'any' portable storage device," he added.
Data Loss Prevention
DLP is also sometimes referred to as "Data Leak Prevention," and it's a set of policies and software/hardware solutions that run on end-user workstations or servers in enterprises that can identify and prevent data from being copied to external devices like iPods or thumb drives.
Rob Ayoub, industry manager of network security technologies for Frost & Sullivan, told MacNewsWorld that he's been seeing more companies take a closer look at determining which documents and materials their employees could walk away with.
"The higher security industries that have traditionally cared most about security have been the first to move in this area, and it's going to take time for the proper safeguards to be put in place in the rest of the world," Ayoub said, noting that most small and medium-sized businesses have yet to seriously address the issues with effective policies or safeguards.
Some companies have simply implemented no-tolerance policies that ban the devices from the office -- but those companies might also run into quality-of-life issues with their employees. Workers might resent having to leave their cell phones behind just because they happen to have WiFi. Given the ease with which one can stash a phone or iPod in a purse or pocket, many might flout such rules.
"It's like any other 'paper' policy ... without some sort of technology to enforce it, you're not going to get anywhere, and I think that's a big reason in why we're starting to see technologies in data leak prevention that really lock down the ports," Ayoub said.
"And depending on the company, they can go from keeping people from copying data ... to not even being able to plug a device into a PC at all," he explained.
"And the good side of DLP solutions is, with protections in place, employees can bring their devices in, listen to them at the office, and the company isn't worried that their employees are going to walk off with data -- and I think this is where most companies are headed," he added.
trustco, hopefully by now you've seen the relevance...
now, back to backing up your argument. I guess you just can't, which leads me to conclude your posts should be considered irrelevant.
trustco, why are you hiding behind iHub's curtain? You made some fairly strong statements.. why won't you debate them?
.NET similarities prove golden for Silverlight
http://www.sdtimes.com/_NET_SIMILARITIES_PROVE_GOLDEN_FOR_SILVERLIGHT/About_NET_and_RIA_and_SILVERLIGHT_and_XAML_and_MICROSOFT/33063
November 19, 2008 — SD Times is talking to developers about what they look for in rich Internet application platforms. Here, developers talk about why the symmetry between .NET and Silverlight 2 makes using Silverlight easier. When Microsoft’s Silverlight media player streamed 2,200 hours of live coverage of the 2008 Olympics in Beijing this summer, developers took notice.
NBC’s Olympic website streamed more than 70 million videos, or 600 million minutes’ worth, over the games’ two-week duration via Microsoft’s rich Internet application (RIA) and media platform. According to Microsoft, Olympic exposure has resulted in unprecedented beta deployments for version 2 of Silverlight, and some big customers have gone live with it. Among the companies that have adopted Silverlight for website media are Blockbuster, CBS College Sports, Hard Rock Cafe and Toyota.
“We looked at [Adobe] Flash and some other platforms, but we saw Silverlight as a viable solution, and what made it even more [appealing was that the Olympics went] with it,” said Raymond Bridgelall, CBS College Sports’ manager of streaming services and product development.
From a development standpoint, Microsoft focused on providing more symmetry with the .NET platform in Silverlight version 2, released in mid-October. The software giant’s RIA offering now includes a cross-platform subset of the .NET framework so that users can deploy multiple programming languages to build applications. At the same time, Microsoft executives said, developers can learn just one language and one common programming model for building .NET applications on the desktop and Silverlight applications in the browser. Thus developers have greater freedom in how they structure projects.
Some .NET developers have called Silverlight a natural progression in the .NET space. Rockford Lhotka, principal technology evangelist for Minnesota-based IT consulting firm Magenic, has created a Silverlight version of CSLA .NET, an open-source .NET development framework for simplifying the production of Windows Forms, Web Forms, Windows Presentation Foundation (WPF) and Web Services.
Lhotka, who authored the books “Expert VB Business Objects” and “Using CSLA .NET 3.0,” said developers with C# or Python programming expertise and with WPF applications experience can leverage those skills when using Silverlight, whereas Adobe Flash and Flex require a different skill set.
Many Flex developers have said that a background in Java can be helpful when learning Flex’s ActionScript language because the languages have similar object-oriented characteristics. In Silverlight’s case, C# and Visual Basic can serve as that prerequisite.
“I wasn’t interested in investing that much time learning something new when there is a really compelling technology that requires less effort on my part,” Lhotka said. “It amazes me how much of the .NET functionality is in Silverlight. We’ve been able to build pretty much everything we wanted to build for business applications, and Silverlight has virtually all the functionality we’ve been looking for.”
Lhotka said he uses Visual Studio to develop Silverlight applications, just as he does for .NET development. Silverlight thus lets him work in a familiar development environment using C# and Visual Basic.
Additionally, Lhotka’s previous work with WPF, which uses Extensible Application Markup Language, shortened his learning curve for Silverlight, which likewise uses XAML. One caveat: Silverlight’s XAML implementation is not exactly the same as WPF’s, so developers with experience in both need to determine the differences. But that won’t be a concern for developers who are still working with Web Forms or Windows Forms and haven’t yet moved to WPF, Lhotka said.
Meanwhile, Microsoft released the Silverlight XAML Vocabulary as part of the Silverlight version 2. The offering provides specs and documentation to help Silverlight users read and write XAML.
Microsoft also focused on crisper video in Silverlight 2. For CBS College Sports, “one of the advantages of going with Silverlight is that all our content is Windows Media-based,” said Bridgelall. “Because of the Windows Media back end that we have here [for] live events streaming, we needed something that integrated seamlessly in terms of our schools and internally.”
CBS College Sports runs more than 275 official athletic websites for such institutions as the University of Alabama, Notre Dame, Texas A&M and the University of Southern California. Silverlight is being used to stream live sporting events and on-demand content for approximately 11,000 live school events per year. Down the line, CBS College Sports will look to add high-definition and picture-in-picture capabilities, Bridgelall said.
When developing its live-event streaming capabilities, Bridgelall said, CBS College Sports benefited from the use of Microsoft Expression Blend, a design tool that lets developers and designers see the same information when working on a website project. “The designer basically has the tools to see what the developer sees,” he said.
Data binding and debug
Bridgelall said CBS College Sports hadn’t run into any difficulties using Silverlight, though he added that the operation’s deployment of the platform was still fairly new.
Lhotka, who has logged more time with Silverlight, said its asynchronous communications with the server could be a problem for developers who use traditional Web Forms and thus might be unaccustomed to dealing with asynchronous server calls, which can influence how a developer creates the user interface and writes business logic.
“I suspect that people who have been doing a lot of AJAX development will have an easier time adapting … because AJAX is already asynchronous,” Lhotka said.
He added that his team had encountered some incomplete features and bugs because it had worked with beta versions of the software. Most of those issues should have been resolved with the release of Silverlight 2, he said.
One of the “pleasant surprises” for Lhotka, meanwhile, was that Silverlight deploys transparently, so after the runtime was installed, his applications deployed and worked out of the gate.
Some developers who have used Flex have noted that the Adobe platform provides strong debugging capabilities via its Eclipse-based IDE. They also have praise for Flex’s data binding capabilities.
Lhotka said debugging in Silverlight is comparable to debugging .NET applications. XAML has its own data binding technology, Lhotka added, asserting that “the XAML data binding experience is the best data binding technology Microsoft has done yet.”
But he noted that WPF offers some data tabulating capabilities that are lacking in Silverlight. “Looking beyond 2.0, I hope [Microsoft continues to improve Silverlight’s] data binding and give it more parity with WPF,” Lhotka said. “That’s probably the biggest thing I hope for.”
Microsoft's Morro Could Mean No Tomorrow for Symantec, McAfee
http://www.ecommercetimes.com/story/Microsofts-Morro-Could-Mean-No-Tomorrow-for-Symantec-McAfee-65212.html
In a move that could threaten the livelihoods of security software makers Symantec (Nasdaq: SYMC) and McAfee , Microsoft (Nasdaq: MSFT) has announced it will offer free antivirus software some time in the second half of 2009.
The free software, codenamed "Morro," will replace Microsoft's current security offering, Windows Live OneCare, a suite of services that costs consumers about US$50 per year.
Morro will be designed to protect PCs against viruses, malware and spyware.
"Dating back to 2002 and 2003, when we launched the Trustworthy Computing memo, our goal was to get more users protected on Windows PCs," Amy Barzdukas, senior director of product management at Microsoft's online services and Windows division, told the E-Commerce Times. "Making the move to Morro as a no-cost core antimalware solution is really the next step to trying to get more customers more protected."
Showdown With Symantec, McAfee
Antivirus companies that charge customers for their software will likely see Microsoft's move as a competitive threat. Symantec's stock was down 7.2 percent to US$11.51 in mid-day trading on the Nasdaq National Market. McAfee stock was down 4.2 percent to $27.35.
"My initial reaction was that some of the virus and malware vendors may have their noses out of joint if this is offered free," Don Retallack, an analyst with Directions on Microsoft, told the E-Commerce Times. "Anything that's free and easy to use will help with the security of PCs. Microsoft sees hundreds of millions of PCs every month with patches. It's likely to increase the security of people's PCs."
While the number of viruses causing problems has actually decreased, other forms of malware are on the rise, Retallack said, citing Microsoft's latest semiannual security intelligence report, released a few weeks ago.
"If Microsoft can help on any of those things, it will do their customers some good," he said.
Hard on PCs
One of the chief reasons PC owners are often hesitant to install antivirus software on their computers is that it can significantly slow down the speed of other applications. Only computers with the most powerful -- and most expensive -- microprocessors can run antivirus software with little to no overall slowdown in processing speeds.
"In general, the more scanning you have to do, the more affected is the speed of the PC," Retallack said. "There are some strategies that Microsoft has used in the past where they can avoid scanning everything every time a PC is accessed by outside software. They can scan it as it comes through the firewall to make sure it's safe, but that would be difficult to implement."
Protecting consumers' PCs is also more difficult than protecting enterprise PC networks, because with consumer-owned computers, there's a wider variety of types and capabilities.
"Generally, enterprises control networks much more strictly than consumers do," Retallack added.
Microsoft's goal in developing Morro is to build it from the ground up with performance in mind, Barzdukas said.
"I'm not prepared to discuss the details today, other than to say that our goal is to make it as lightweight as possible on people's systems," she said.
The End of OneCare
Morro will be available as a free download. Unlike other core software elements released by Microsoft over the years, Morro will not be bundled with the Windows operating system.
"Morro will remain completely separate from Windows," Barzdukas said. "It's an opt-in service."
Current OneCare subscribers will be protected for the length of their subscriptions. Once Morro is available, OneCare subscribers will be given the option to move over to the new software or to go to a third party, she said.
trustco,
You had a couple requests to provide links/arguments for the positions you've stated. I see you haven't responded. Why not? I'm interested to hear what you've got to say.
trustco, I'd be interested to hear your supporting arguments... what I've read so far hasn't convinced me, but I'm all ears.
FM
Simple hardware approaches to secure laptops
http://blogs.techrepublic.com.com/security/?p=662
Date: November 17th, 2008
Author: Paul Mah
Category: Encryption, Risk Management, Security
Tags: Laptop Computer, Notebooks, Hardware, Notebooks & Tablets, Paul Mah, Hard Drive, Disk Drive, USB Flash Drive, Encryption, Seagate Momentus Full Disk Encryption
Users are increasingly buying laptops and netbooks, attracted by their portability and low prices. The inevitable result is more employees bringing personal laptops into the office, where they are used to access and store corporate data. Here are some ways to mitigate the risks of data breaches.
As evidenced by cases of mega data breaches of late, properly securing portable computers is problematic even for bigger organizations. In addition, the advent of low cost laptops and netbooks has resulted in a proliferation of such devices as consumers flock to them. The inevitable result is that these users will demand to be allowed to use these machines to access work-related data and networked systems. Indeed, shipments of laptops have already overtaken that of traditional desktops, further increasing the urgency of this issue.
There is no doubt that some very fancy - and expensive - enterprise-grade solutions exist. But in a time of economic uncertainty, the pertinent question has to do with how a corporation can quickly and easily enhance the security of these personal laptops with a limited budget.
I look at a few easy-to-deploy hardware-based solutions here.
Full disk encryption with Trusted Platform Module
One obvious solution for a company sourcing for new laptops would be to specifically request hardware with full disk encryption (FDE) hard disks that are secured by an on-board Trusted Platform Module (TPM) chip. The combination of hardware-based encryption coupled with a hardware-anchored authentication mechanism makes it an unbeatable combination in terms of security.
It must be pointed out, though, that FDE does nothing to mitigate the risk represented by service personnel with temporary access to a system. This is best exemplified by the case of Hong Kong-based actor Edison Chen, whose service personnel pinched a whole bunch of scandalous photos showing him being intimate with various actresses when his personal laptop was sent in for servicing. The scandal cut short his acting career in Hong Kong. As such, any FDE-related measure only makes sense if servicing is done by in-house IT personnel.
However, I must say that it is not all that likely for the security administrator to be fortunate enough to encounter this “perfect” combination of hardware in a laptop at this point in time, which moves us to the next option.
FDE hard disk drive
Recent developments have seen a major vendor shipping its third generation of FDE hard disk drives that are also sold directly to consumers. The newest Seagate Momentus FDE is unique in that it comes in two modes: one is targeted at the enterprise with a firmware that works with special management software, such as McAfee’s ePO to configure and manage drives.
On the other end, there is a BIOS mode, where a BIOS-level password is used to authenticate the user before the computer is started. This opens the door for organizations to easily retrofit Momentus drives into existing laptops. The obvious advantage here is that the encryption is OS-independent, with the hard disk drive writing at full speed.
As such, if budget permits, swapping out the standard hard disk drive in laptops with Seagate’s Momentus FDE in BIOS-level protection mode makes perfect sense. In the case of budgetary constraints, or where users are not agreeable to such a move though, the next hardware-based solution would be to get users to rely on encrypted flash drives.
Encrypted flash drives
A more moderate and less invasive approach here would be to issue personal flash drives with on-board authentication and encryption. What this means is that all data on these flash drives is encrypted on-the-fly as it is copied in. The data will only be “unlocked” and made accessible upon furnishing the correct password.
Now, encrypted flash drives have been around for a while. The IronKey might be one such option for your consideration, though similar devices are now widely available on the market. It is important to note that many cheaper variants might not actually offer hardware-based encryption, or have blatant gaps in their authentication mechanism that effectively nullify their security mechanism.
Obviously, user training will be required, especially since the drive capacities for such specialized flash drives are still relatively low, at between 4GB and 8GB. However, I believe it will be relatively easy to train even novice users to recognize that only data on the encrypted flash drive should be considered secure. Another added advantage would be that users will become more conscious of following backup procedures as well, making it the best compromise between options.
NCAA Div II Volleyball Selection Show Available Online
(11-14-08) WEST HAVEN, Conn. - The 2008 NCAA Division II Women's Volleyball Championship selection announcement will be available live online Sunday night through NCAA.com.
The announcement takes place at 10 p.m. (Eastern) Sunday, November 16 on www.NCAA.com. To view the show Microsoft Silverlight software is required. For instructions on downloading Microsoft Silverlight visit http://www.cstv.com/ot/sl2_faq.html#system and follow the instructions that are listed there.
The Chargers, who were ranked first in this week's NCAA Division II East Regional rankings, are in a tight battle with Dowling College for the top seed in the East. With only the conference tournaments remaining, the top seed in the East Region will most likely earn the opportunity to host next week's NCAA Division II Women's Volleyball Championship (Nov. 20-22).
UNH travels to Pace University Friday afternoon to take on Le Moyne College in the first round of the Northeast-10 Conference Championship tournament, while Dowling takes on Queens (N.Y.) in the East Coast Conference tournament semifinals tonight.
TPM 1.2 specifications move forward to become ISO/IEC standards
By Claire Vishik, Intel Corporation
In 2007, TCG submitted TPM v.1.2 to JTC1 (ISO/IEC Joint Technical Committee 1). TCG had previously been approved by JTC1 as a PAS (publicly available specification) submitter, which enables TCG to submit its specifications to JTC1 for consideration as formal international standards. In July 2008, JTC1 member countries voted to approve the transposition of the TPM 1.2 specifications as ISO/IEC standards, and after completion of the comment resolution process in October 2008, TPM 1.2 is on track to become an international standard. Publication is expected in H1 2009 as ISO/IEC 11889, Parts 1-4.
The acceptance of the TPM 1.2 specifications by JTC1 is testimony to the importance of the technology and the global value of TCG’s contribution to Trusted Computing. Adherence to international standards is encouraged by many governments and valued by technology developers; therefore, ratification by JTC1 is very good news for those interested in Trusted Computing or working in this area.
The TPM (Trusted Platform Module) is a hardware component that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. Authentication (ensuring that the platform can prove that it is what it claims to be) and attestation (a process helping to prove that a platform is trustworthy and has not been breached) are necessary steps to ensure safer computing in all environments.
Trusted Platform Modules can be implemented as discrete or integrated components. TPM 1.2, the specification that will become the ISO/IEC standard, is used in PCs, laptops, and servers. TCG is also developing specifications to be used in mobile phones, storage devices, and for ensuring trustworthiness of networks. More information on the TPM is available on the TCG site at https://www.trustedcomputinggroup.org/groups/tpm/.
This entry was posted by Claire Vishik on Thursday, November
go-kite:
October 11, 2008 was an important day for TCG. That's when delegates from around the world gathered in Cyprus to approve the Trusted Platform Module (TPM) 1.2 specification as an ISO/IEC international standard. TCG also established a liaison relationship with the relevant ISO/IEC committee to continue TCG's contribution to this standards area. Take a look at Claire Vishik's note on the TCG blog for details about the upcoming publication of this standard.
Getting to this point required lots of hard work and coordination between many dedicated individuals in TCG. Here's why it's such an exciting development for the organization. TCG's membership consists of about 140 companies, including many of the major players in the IT industry. So a TCG standard carries significant influence all by itself. But when the major countries of the world vote to endorse our work, it adds an extra level of importance. Recognition as an international standard is powerful encouragement for companies and governments everywhere to adopt our TPM specification as the foundation of trusted computing.
Scott Rotondo
TCG President & Chairman
Better reporting!
http://www.itwire.com/content/view/21669/1103/
“Seagate is pleased to be teaming with industry leaders to simplify security management for our customers and providing our OEM and channel customers with the world’s fastest self-encrypting hard drive.”
Seagate then explains its deal with McAfee to simplify the management of secure notebooks, noting that “businesses of all sizes and shapes are turning to hard drive-based encryption solutions to protect the important information that ensures their competitive edge.”
McAfee isn’t the only provider of notebook hard drive security software for the enterprise – the press release notes that “SECUDE International, Wave Systems and WinMagic Data Security” are also working with Seagate.
Securing Data with a Combination of PC Tools and Trusted Storage
This is a great article from Michael Willett of Seagate
http://www.wwpi.com/top-stories/6337-securing-critical-business-data-with-a-combination-of-pc-tools-and-trusted-storage
Establishing Trust in Data Security
To implement increased security throughout the enterprise, the Trusted Computing Group (TCG) takes advantage of the expertise of over 130 member companies involved in hardware, components, software, services, networking, mobile phones, and storage devices. TCG’s efforts have already resulted in standards for many diverse, but linked areas, in the enterprise. The foundation for establishing trust is a hardware component called the Trusted Platform Module (TPM).
The TPM is typically a microcontroller, but the same capability can be implemented in an application-specific integrated circuit (ASIC) such as an Ethernet controller. To provide improved security, over 70 million enterprise-level desktop and PC computers already have a TPM. This number is expected to grow to over 200 million in 2009.
TCG specifications use the TPM as a hardware foundation for establishing trust. By design, the TPM will reliably behave in the expected manner as designed, a basic definition of trust. The TCG specifications build trust upwards from this hardware-based root of trust. An end product built around the use of the TPM for security is called a Trusted Platform.
For a Trusted Platform, three conditions must exist. First, all software and hardware components must be known and identifiable. Second, the expected operation of the platform must be established. Finally, consistent behavior must be verified or attested to at every level. The TPM provides the basis to satisfy all three of these criteria.
In addition to protected storage for cryptographic keys and certificates, the TPM provides unambiguous identity, shielded locations for operations that are free from external interference, and a means for reporting its status. To enable secure storage of data and digital secrets, the TPM includes asymmetric key-pair generation using a hardware random number generator (RNG), public-key signing, and decryption. A keyed-hash message authentication code (HMAC) engine, a Secure Hash Algorithm (SHA) engine, an execution engine, and a cryptographic processor are further elements of the TPM. The latest version of the TPM, called TCG 1.2 or TPM version 1.2, has added functions including transport sessions, a real-time clock, locality, save and restore context, direct anonymous attestation, volatile store, and delegation. The initial and added functions make the TPM a highly useful tool for increasing security in many enterprise applications.
Unlike proprietary hardware security systems, TCG’s open-standards-based TPM has flexibility and strong security support from third party certification. The security can be quantifiably measured using, for example, Common Criteria Evaluation Assurance Levels (EAL) 3+, 4+, and even 5+. Based on internal firmware that does not require programming, the TPM provides a turnkey solution.
Trusted Computing
With the TPM in its computers, corporations have been able to implement higher security for password management, single sign on, email security, data protection and other applications.
The philosophy behind secure sign-on and email security involves the TPM. Companies with distributed locations can safely use computers with built-in TPMs and appropriate application software designed to access and control the TPM’s operation, called the TCG Software Stack or TSS. Using the TSS, communications with the TPM can occur either locally or remotely, allowing application vendors to write programs that employ the TPM’s security features.
Using this capability and available third-party software, corporate personnel at remote company locations, such as stores, can transmit to and manage the TPM and their credentials. With the right server software, employees can create and verify their own digital certificates and securely encode and decode messages as well as safely save and encrypt files. Working with the TPM, additional software applications isolate contact information, passwords, bank access codes, and credit card numbers. Multi-factor authentication can allow some users a single-step authentication process, while others with different classifications may require at least a dual-factor authentication.
Trusted Storage
With the release of TCG Storage Architecture Core Specification Version 1.0 Revision 0.9, TCG’s Storage Work Group (SWG) extended TCG’s trust-establishing standards into storage. To develop the specification, the SWG considered the common use cases of enrollment, connection, protected storage, locking and encryption, logging, cryptographic service, and firmware downloads. A key management application note developed by the SWG’s Key Management Services Subgroup provides an essential process to simplify how keys are handled for self-encrypting drives. In addition, the SWG is defining a Security Subsystem Class (SSC) for laptop storage, data center drives, and optical storage.
The core specification can optionally use the capability of the platform TPM and the insight of industry experts from leading storage companies to implement self-encrypting drives (SED), solving the major problems that have plagued previous (software) encryption efforts, such as complexity, interoperability, scalability, decreased system performance, and fear of lost keys. Figure 1 shows how data centers can reduce the complexity of encryption by handling the encryption inside the storage units. In this situation, four encryption keys are eliminated from the data center by using self-encrypting drives.
Trusted Mobility
In addition to portable computers, today’s highly mobile workforce has handheld, wireless products capable of sending and receiving email and storing sensitive data as well as interfacing to the corporate network. These devices have, or will soon have, the ability to make transactions for numerous use cases. Because of their small size, these highly portable products are even more susceptible to loss or theft than a portable PC.
To take into account the unique requirements of mobile units with wireless connectivity, TCG announced the Mobile Trusted Module (MTM) specification in September 2006. Based on existing and anticipated applications for mobile security, this open-industry specification provides integrity, authentication, identity, and security functions. The security for these functions is cost-effective, reasonably implemented, interoperable, and transparent to users.
Wireless products operate in a mobile infrastructure that involves stakeholders, including the user/owner, the device manufacturer, the network service provider, and others, such as enterprises and third parties. To address the needs of these groups as well as the regulations and restrictions regarding cellular products, developers of the MTM specification considered several use cases. These involved security enhancements in the areas of platform integrity, device authentication, SIMLock/device personalization, secure software downloads, mobile ticketing and payment, user data protection and privacy, and more.
As cell phones become smarter, these portable wireless devices take on more of the characteristics of the PC and, as a result, eventually will be targets of attacks and malware similar to those for PCs. TCG’s MTM specification uses trusted engines to manipulate data and relies on software and TPM commands to provide increased protection against these attacks. The specification defines how roots of trust can be established for measurement, reporting, storage, and verification functions. The security also protects the data in the event that the device is lost or stolen.
A Trusted Network
With a highly mobile workforce and different levels of network users, network access is another aspect that administrators must consider in their overall effort to protect the enterprise. Without the appropriate protection, any entry point becomes a potential weak link for unauthorized access. TCG’s Trusted Network Connect (TNC) provides standards-based network access control (NAC) and another example of hardware-based security.
The highly mobile worker can become a victim of a software attack and unknowingly pass a virus or other malware to the network. An authorized network user with an infected computer can create a deceptive or lying end-point. Using software to avoid a lying end-point poses a serious challenge, since software can be attacked by the same viruses it is designed to thwart. With the TPM, critical software and firmware components, including the BIOS, are checked during the boot process. Making these measurements before the software runs and storing information on the TPM isolates the measurements from modification efforts for improved security. When the user connects the PC to the network, the stored measurements are sent to the TNC server where they are checked against the server’s list of acceptable configurations. If the sent data does not match the network requirements, the computer is quarantined as an infected end-point.
The TNC specification also provides options for network administrators to configure different levels of network access. Unlike proprietary NAC approaches, the standards-based access is interoperable.
The Trusted Enterprise
With TCG’s industry-developed and approved specifications, the entire enterprise can be protected. This is TCG’s goal. Figure 2 shows the linkage that exists between the diversified entities within and external to the enterprise.
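The measured-boot admission check that the Trusted Network Connect paragraph above describes, as an added example that is not from the TCG paper or from any TCG implementation: a simulated PCR extend over constructed boot components, followed by the server-side comparison against an administrator's list of acceptable configurations. A real deployment has the TPM sign the reported PCR values; the quote and its signature are omitted here, and the component names and baseline are made up.

```python
import hashlib
import hmac
from typing import Dict, Iterable

PCR_RESET = bytes(20)  # SHA-1-sized PCR, zeroed at platform reset

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA1(old || SHA1(component)).
    One-way and order-dependent, so software that runs later cannot
    erase or rewrite an earlier measurement; it can only extend further."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components: Iterable[bytes]) -> bytes:
    """Measured boot: each component is hashed into the PCR before it runs."""
    pcr = PCR_RESET
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr

def tnc_decision(reported_pcr: bytes, acceptable: Dict[str, bytes]) -> str:
    """TNC server side: admit only an endpoint whose PCR matches a known-good
    configuration; anything else is quarantined as a suspect endpoint."""
    for name, golden in acceptable.items():
        if hmac.compare_digest(reported_pcr, golden):
            return f"allow:{name}"
    return "quarantine"

# Constructed sample boot chains (stand-ins for BIOS, boot loader, kernel images).
GOOD_BOOT = [b"BIOS 1.02", b"bootloader 2.1", b"kernel 2.6.28"]
INFECTED_BOOT = [b"BIOS 1.02", b"bootloader 2.1 + hook", b"kernel 2.6.28"]
REORDERED_BOOT = [b"bootloader 2.1", b"BIOS 1.02", b"kernel 2.6.28"]

# The administrator's list of acceptable configurations, computed from a
# trusted reference image rather than learned from whatever endpoints report.
ACCEPTABLE = {"laptop-baseline": measure_boot(GOOD_BOOT)}

def evaluate_all() -> Dict[str, str]:
    """Run the admission check for each constructed endpoint."""
    return {
        "good": tnc_decision(measure_boot(GOOD_BOOT), ACCEPTABLE),
        "infected": tnc_decision(measure_boot(INFECTED_BOOT), ACCEPTABLE),
        "reordered": tnc_decision(measure_boot(REORDERED_BOOT), ACCEPTABLE),
    }

if __name__ == "__main__":
    for endpoint, verdict in evaluate_all().items():
        print(f"{endpoint:9s} -> {verdict}")
```

The reordered chain is rejected even though every component is legitimate, which is the property that lets the server detect a boot sequence that was tampered with rather than merely a missing file.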
Fujitsu/Hitachi: a first for drives!
http://www.echannelline.com/usa/brief.cfm?item=15967
The drive is also expected to be the first in the industry to meet the forthcoming Storage Security specification established by the Trusted Computing Group (TCG), an organization focused on developing open industry standards for security hardware and software. The TCG Storage Security specification, targeting consumer and commercial applications, is intended to discourage HDD/system theft, as well as prevent data access after HDD/system disposal. The Travelstar 5K500.B will be shipping worldwide in December. The Travelstar E5K500.B will be available by the end of the first quarter, 2009.
VH, aren't you sick of Papa Gino's???
I wish we could get some announcements from Michigan State (or was it U of M?) or Chicago Bridge and Iron. I'm surprised nobody but internet mentioned the fact that SKS referenced Archer-Daniels-Midland during the conference call.
We need more names!