Wave Systems Corp. (fka WAVXQ)

[dude_danny]

Getting The TPM To Market Itself

https://www.trustedcomputinggroup.org/blog/

February 4th, 2008 by Rob Enderle
One of the difficulties with security technology is that it isn’t easily marketed. Unlike processors or graphics cards that increase performance buyers don’t want people to know they may have highly sensitive data on their systems, or communicate what they have protecting it. This combines the problem of having firms who are the most interested in security, and the more unlikely to want to become advocates, with the insurance style of selling where you have to make the risks seem eminent before you can get movement. However, there are advantages that can be communicated that people might advocate and let’s talk about those this week.

HP and the Thin Client Connection
Last week I was with HP and we were discussing the problems of marketing thin client computers and blade PCs which, particularly in their mobile form, are vastly more secure than any other type of personal computer because they don’t store much data and instead rely on much more secure remote resources.

The problem that was discussed was similar to the one facing the TCG in that the very customers that were using the technology were the least likely to want to talk about it. We are talking very secure government, military, healthcare, and financial services sites.
The idea that these folks would want to put any type of an indicator on their equipment that would market just how secure they were was widely derided by the large analyst firms in the room, and rightly so. Except if this made the hardware less likely to be stolen in the first place.

You see, the advantage that may be attractive to communicate isn’t that there is information in the box that is worth stealing, but that the box itself is worthless if stolen as the vast majority of thefts is to get the hardware and not the data. In the case of thin client laptops, there both the data AND the hardware is worthless and, without moving to thin clients, a system with a full TPM implementation could enjoy the same benefit.

Applied to the TPM
Implemented properly a TPM enabled and encrypted hard drive is a brick unless the user has the key and the key can be made revocable bricking the laptop. In fact enhancing this so that there was a solution that even when the hard drive was replaced by a thief the end result was still be a brick would likely even further enhance this value.

Now a sticker on the laptop indicating that it had technology that bricked it in plain sight would likely prevent most thefts in the first place and might increase the number of returns when lost as the product would have no use outside of its intended user. In addition, employees would become more likely to return products once their employment was terminated, and anyone gaining unauthorized access to the machines would be less likely to gain access to sensitive data.

The sticker could simply say “Warning This Laptop Is TPM Protected, if Lost or Stolen it Will Not Function, Please Notify _____” if found. Just seeing the sticker should get the thief to look for something else, and given this will actually be the case, the experienced thief is more likely to avoid this boxes.

The result would be a growing number of laptops and desktops that are advertising that their TPMs are turned on and functioning and increasing pressure on IT to make that happen.

The goal would be to come up with a common sticker and tie it to the activation of the related technology. If the sticker is used but the technology isn’t then the sticker loses credibility and the program fails so ensuring compliance, initially, is are important that getting broad coverage as you’d want to build credibility first.