Laptop Security on the Cheap
May 14, 2007

By John Moore, Channel Insider

http://www.baselinemag.com/article2/0,1540,2132153,00.asp

Papa Gino's Holdings Corp., which operates pizzerias and sandwich shops under the Papa Gino's and D'Angelo Grilled Sandwiches brands, wanted to lock down data on scores of laptops and PCs housed in corporate offices and scattered across 200 of its company-owned eateries. Chris Cahalin, manager of network operations at the Dedham, Mass., organization, which both runs restaurants and offers franchises for others, found the solution in silicon: the Trusted Platform Module chip.

The Trusted Platform Module (TPM) generates and stores encryption keys, and can also protect passwords and digital certificates. The chip typically resides on a PC's motherboard. The Beaverton, Ore.-based Trusted Computing Group, which develops open standards for hardware-based security, wrote the specification for the chip, and many hardware vendors embed it in at least some of their PC products.


At Papa Gino's Holdings, which has an estimated annual revenue of $270 million, the chips come with every Dell desktop and laptop the company buys; the chip's encryption helps protect restaurant, employee and customer data.

Cahalin uses Wave Systems' Embassy Trust Suite software in conjunction with the TPM to enable pre-boot authentication: a Papa Gino's employee must swipe a finger on a biometric scanner before the PC or laptop will boot. The scanners are built into the laptop models, while desktops use a USB biometric device. The approach is meant to keep an unauthorized user who has the machine in hand from reaching the data on it.

Cahalin recently discussed his security strategy with Baseline contributing writer John Moore.
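Cahalin's premise below is that the chip is already in the machines and only needs to be turned on. The first practical step for any fleet is therefore to find out which machines have a TPM and whether it is enabled, activated and owned. The following PowerShell script is an added example, not code from the article, from Papa Gino's, Wave Systems or Dell; it queries the Win32_Tpm WMI class over CIM. The host list, output path and the status labels are placeholders chosen for this example, and it assumes administrator rights and CIM/WinRM remoting to the targets.

```powershell
# Added example (not from the article or from Wave Systems/Dell):
# inventory TPM presence and state across Windows hosts so that machines
# that shipped with a TPM nobody turned on can be found.
# Assumptions: run as an administrator; WinRM/CIM remoting is enabled on
# remote targets; the default host list and output path are placeholders.

param(
    [string[]]$ComputerName = @('localhost'),
    [string]$OutFile = '.\tpm-inventory.csv'
)

# Win32_Tpm lives in its own namespace, not in root/cimv2.
$tpmNamespace = 'root/CIMV2/Security/MicrosoftTpm'

function Get-TpmState {
    param(
        [Microsoft.Management.Infrastructure.CimSession]$Session,
        [string]$Name
    )

    $tpm = Get-CimInstance -CimSession $Session -Namespace $tpmNamespace `
                           -ClassName Win32_Tpm -ErrorAction Stop
    if (-not $tpm) {
        # Query succeeded but returned no instance: no TPM visible to the OS
        # (none fitted, or hidden/disabled in the BIOS/UEFI setup screen).
        return [pscustomobject]@{
            ComputerName = $Name; TpmPresent = $false; Enabled = $false
            Activated = $false; Owned = $false; SpecVersion = ''
            ManufacturerId = ''; Status = 'NO-TPM-VISIBLE'
        }
    }

    # Each Is* method returns a result object whose out-parameter carries the flag.
    $enabled   = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
    $activated = (Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
    $owned     = (Invoke-CimMethod -InputObject $tpm -MethodName IsOwned).IsOwned

    # Status labels are this example's own convention.
    $status = if ($enabled -and $activated -and $owned) { 'READY' }
              elseif ($enabled -and $activated)          { 'ON-NOT-OWNED' }
              else                                       { 'PRESENT-BUT-OFF' }

    [pscustomobject]@{
        ComputerName   = $Name
        TpmPresent     = $true
        Enabled        = [bool]$enabled
        Activated      = [bool]$activated
        Owned          = [bool]$owned
        SpecVersion    = $tpm.SpecVersion      # e.g. "1.2, 2, 3" or "2.0, 0, 1.38"
        ManufacturerId = $tpm.ManufacturerId
        Status         = $status
    }
}

$report = foreach ($computer in $ComputerName) {
    $session = $null
    try {
        # A local session needs no WinRM; remote hosts go over WSMan.
        $session = if ($computer -in @('localhost', '.')) {
            New-CimSession -ErrorAction Stop
        } else {
            New-CimSession -ComputerName $computer -ErrorAction Stop
        }
        Get-TpmState -Session $session -Name $computer
    }
    catch {
        # Unreachable host, access denied, or the namespace is missing (pre-Vista).
        [pscustomobject]@{
            ComputerName = $computer; TpmPresent = $null; Enabled = $null
            Activated = $null; Owned = $null; SpecVersion = ''
            ManufacturerId = ''; Status = "ERROR: $($_.Exception.Message)"
        }
    }
    finally {
        if ($session) { Remove-CimSession $session }
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
$report | Format-Table -AutoSize

# The actionable list: hardware that is present but providing no protection.
$report | Where-Object Status -eq 'PRESENT-BUT-OFF' | ForEach-Object {
    Write-Warning "$($_.ComputerName): TPM fitted but not enabled/activated"
}
```

Run it as, for instance, `.\Get-TpmInventory.ps1 -ComputerName (Get-Content hosts.txt)`. Enabled, activated and owned are the three TPM 1.2 states that the BIOS and the OS have to set before software such as the suite described in the article can use the chip; on TPM 2.0 systems Windows provisions ownership itself, so an owned TPM there says nothing about whether anyone configured pre-boot authentication or key escrow. The script only answers "is the chip on"; it does not verify platform integrity, which takes measured boot and attestation on top of this.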

Built-In Security

Trusted Platform Module is a relatively recent development. How did you get into TPM, and what do you perceive as the main benefits of going in that direction?

It's an interesting mind-set, that's for sure. I don't think people are used to the security being built in to the devices that they buy. When somebody buys a computer, they assume that they own that computer and they can trust that computer, which really is not the case. It really belongs to whoever was able to drop a rootkit on it.

One of the things that TPM does is it introduces integrity back into the environment so that the only one who's authorized to do something on any particular device is in fact the owner.

Just to walk you through a scenario: When somebody goes to their laptop, they've got built-in finger swipe with the Dell laptop. Then you bring the pre-boot authentication. That alone is a big step because they leave the laptop in the car or something and they get it stolen. You don't have to worry about somebody else being able to have access to the data on the laptop.

What other benefits do you see?

One of the side benefits and something we hadn't intended is that long, complex passwords are no longer an obstacle. The longer a password, the greater the chances are of forgetting that password.

Long, complex passwords are a nightmare for people to remember. This nightmare is passed along to the I.T. staff that support the end user. First, you need to track down someone to reset the password, and then entering a new long, complex password doesn't always go as smoothly as you'd like. The process costs roughly $30 on average in support costs per call. TPM-protected biometrics have allowed our team members to simply use their PC or laptop as a useful, secure toolbox again without worrying about how to access the tools inside.

And so, what's interesting is, by making laptops and PCs infinitely more secure, we've also made them infinitely easier to use. And that's not something that we thought about ahead of time, to be honest with you.

Did any particular event prompt you to look into TPM?

Really, the thing that caught our eye initially was that in our finance department, it's normal for folks to want to use something more than Windows file permissions to protect their work. And so, we had some employees who were using password protections on Excel and Word files, and were using third-party encryption packages.

Well, those are very difficult to recover from if at all if somebody forgets their password or they lose the encryption key. And so, we wanted to eliminate this ad-hoc security. We saw an opportunity, by having this open-standards platform, to be able to do that and centrally manage the process as well.

Did you have any security breaches prior to deploying Trusted Platform Module chips?

We had a case where somebody at home had their system compromised via the Blaster worm and then they connected to the network. Well, that was something that antivirus couldn't help you with. That was something that a firewall couldn't help you with.

Less than a handful of folks got impacted because of that, but it was a real wake-up call that said to us, "Guess what? You're putting a whole lot of faith in the fundamental integrity of the OS to protect you."

Have you had any breaches since?

No. Absolutely not.

How long have you had the TPM strategy in place?

We've been rolling it out since March 2005. Our budget is such that we can't just do a rip and replace. We just roll it out as we retire old equipment, basically.

Management Challenge

We've heard that one of the reasons TPM hasn't been more widely used, despite the potential to bolster security, is the management challenge. Do you use software to manage TPM across your laptops and desktops?

We use Wave Systems' Embassy Trust Suite, Dell Edition. What Embassy allows us to do is centrally manage the whole solution. We can have TPM keys that are escrowed onto an Embassy Key Management Server. You can easily recover keys.

What else can you do with the software and TPM?

One of the things folks do here is create what are called data vaults. All they need to do is use Windows Explorer to create a folder as they normally would, and then use Embassy Trust Suite's Document Manager to associate the folder with a vault name of their choice. The Embassy Suite product is tightly integrated into Microsoft Office. You can either click on a save-and-encrypt icon within the Office suite of products, or drag and drop a file into your data vault where it is automatically encrypted.

I.T. departments are watching their security budgets. How does the TPM chip factor into that?

One of the things that TPM allows you to do is implement state-of-the-art robust security at a very low cost. The hardware is already in your laptops that you buy today. All you've got to do is turn it on.

And have the means for managing it.

Exactly. For the cost of an antivirus seat, you now have far more security and integrity.

Does that mean you no longer need to use antivirus?

No. What I would love to see is antivirus become TPM-aware, so that users never have to worry about somebody trying to disable the antivirus, for instance.

Down the road, who knows? It's hard to envision how that will go.

What's the broader I.T. environment here? You have people with laptops accessing applications via a Citrix server. What are those applications?

It's a whole variety, really. It could be something as simple as Outlook, or it could be JD Edwards-type financials. What TPMs allow you to do is really have this sort of bulletproof integrity back in the system.

What do you see as the biggest threat now facing your organization in terms of security?

There's research that says it takes four minutes for a device to be compromised once it touches the Internet. So, the problem here is, if your device has lost integrity, any information that you put on there is potentially subject to manipulation.

Data integrity can only be guaranteed in a verifiably trustworthy environment. Only TPMs provide this level of trust. TPMs are a ubiquitous, inexpensive piece of open-standards hardware in laptops and desktops that establishes this verifiable level of data integrity.

I would think it would be a no-brainer for auditors to demand TPMs be turned on. Not to do so could be criminal negligence, in my opinion.

Based on your work with TPM and other security measures, do you have any words of advice for other technology managers?

I think just being aware that TPMs exist on laptops and desktops today is a good start. And I think that awareness has definitely increased. The second piece that folks need to be aware of is that there are applications that are pre-bundled on laptops and desktops today, so they could start to use this TPM right away at no additional cost.

And they can do some pretty cool stuff with that. They can do pre-boot authentication. They can protect their online identities, using TPM. All of that at no additional cost.

So, how critical is the Trusted Platform Module to your company's overall security strategy?

I'd say it's absolutely fundamental to security. You know, it's hard to stress enough that this perception of your laptop or desktop belonging to you is just totally untrue. The only way to introduce that reality is to make sure that the device has integrity. And the only way to do that is with this hardened
