Thursday, 07/31/2008 12:09:47 PM

Trusted Computing, Take Two

http://www.darkreading.com/blog.asp?blog_sectionid=428&doc_id=160463&WT.svl=blogger1_4

JULY 31, 2008 | 10:30 AM -- A recent Dark Reading message board post in response to my previous blog was both articulate and intelligent. Nonetheless, I feel it missed the mark. (See Why Isn't Trusted Computing Taking Off?)

Here's what he/she said:


Perhaps it’s because trusted computing resolves just a small part of the data assurance problem. The ultimate goal is total control over business data flow, including regulation of data use by authorized users. A true trusted system protects data from all users on the systems... Information-centric security requires access authorization at the data-file level, post-authentication.

This is all true -- trusted computing does not solve all your data security woes. Still, I don’t think it claims to, nor do I think it needs to.

The Trusted Platform Module (TPM) chip built into so many desktop and laptop computers these days does indeed provide whole-disk encryption, should you wish to use it. This certainly slides into the data security category somewhere, and perhaps the confusion about trusted computing’s true purposes derives from there.

Whole-disk encryption doesn’t solve all of your data problems because while trusted computing can be used to authenticate users, devices, and applications during the start-up process, it sits back and leaves the post-authentication stuff to other security products. So if an authorized-but-naughty user starts emailing a bunch of confidential files to a competitor, the TPM won’t know. Further, if any data-hungry malware should come through the Internet to root through your databases, trusted computing won’t do a thing to stop it... until the next reboot, at which point the TPM chip will realize that this malicious application has not been whitelisted, and thus won’t be given the authority to run. So malware does get a shot at grabbing your data, but it only gets one shot.

Instead of thinking of trusted computing as a data security solution, I suggest thinking of it more as an endpoint security solution.

If your company has as many mobile workers toting laptops across the world as ours does, you're probably worried that one of those laptops will walk off or be left behind. And you’re probably worried that if that laptop wasn’t encrypted you’re going to get bashed by data breach disclosure laws (and morals) and have the news sites proclaim to the universe that you probably weren’t in compliance with other standards and regulations.

Whole-disk encryption via a TPM chip solves this problem.

You very well may also be considering a NAC solution, to both authenticate users before granting access to the network, and to check the “health” of the endpoint -- to make sure it’s equipped with up-to-date antivirus software and the like. Yet, by marrying NAC to The Trusted Networking Group’s Trusted Network Connect standards -- which build upon the TPM chip -- trusted computing can accomplish both these things, but it can also disallow a user access to the files stored on the endpoint machine, not just disallow access to the network. (However, I’m not certain how one deals with guest users -- their hardware might not have a TPM and might not be recognized. I’m looking into this.)

Further, as mentioned previously, trusted computing does what the typical antivirus software -- using blacklist systems -- cannot do, and bolsters your anti-malware protections. And since it only gives Web-borne malware one chance to do its worst, it makes bot code far less worrisome.

So while trusted computing doesn’t solve all your woes -- and indeed, what does? -- it seems to me that its contributions to endpoint security, anti-malware, compliance, and ROI efforts have earned the right to your consideration.
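To make the mechanism behind the "whole-disk encryption via a TPM chip" and "one shot at reboot" arguments concrete, here is a small simulation added to this repost; it is not code from the Dark Reading post, from the TCG, or from any real TPM or disk-encryption product. The TPM does not encrypt the disk itself: the OS's disk encryption holds the volume key, and the TPM's job is to seal that key to the measured boot chain, where each boot component is hashed into a Platform Configuration Register (PCR) by PCR-extend and the sealed key is released only when the PCR holds the expected value. Everything here (the boot component names, the root key standing in for the TPM's storage root key, the SHA-256 digest, the sealing construction) is a constructed assumption for illustration.

```python
import hashlib
import hmac
import os

# Assumed digest for the toy model. Real TPM 1.2 PCRs (the 2008-era parts) use SHA-1.
HASH = hashlib.sha256


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR-extend: new_pcr = H(old_pcr || H(component)).

    The register can only be extended, never set directly, so a measured
    component cannot be 'un-measured' and the order of extends matters.
    """
    return HASH(pcr + HASH(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Simulate a measured boot: PCR starts at zero and each stage is extended in order."""
    pcr = b"\x00" * HASH().digest_size
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _wrap_key(tpm_root_key: bytes, pcr_value: bytes) -> bytes:
    # The wrapping key depends on the TPM-resident root key AND the PCR policy value,
    # so a different boot chain yields a different (useless) wrapping key.
    return hmac.new(tpm_root_key, b"seal|" + pcr_value, HASH).digest()


def seal(secret: bytes, pcr_value: bytes, tpm_root_key: bytes):
    """Seal a 32-byte secret (e.g. the volume key) to a PCR value. Returns (ciphertext, tag)."""
    assert len(secret) == HASH().digest_size, "toy sealer handles one digest-sized secret"
    k = _wrap_key(tpm_root_key, pcr_value)
    keystream = HASH(k).digest()  # one-block stream cipher; fine for a 32-byte secret in a toy
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(k, ciphertext, HASH).digest()
    return ciphertext, tag


def unseal(blob, pcr_value: bytes, tpm_root_key: bytes):
    """Release the secret only if the current PCR value matches the sealing policy; else None."""
    ciphertext, tag = blob
    k = _wrap_key(tpm_root_key, pcr_value)
    if not hmac.compare_digest(tag, hmac.new(k, ciphertext, HASH).digest()):
        return None  # policy mismatch: the TPM refuses to release the key
    keystream = HASH(k).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


# Constructed boot chains. Only the measured stages feed the PCR.
GOOD_CHAIN = [b"BIOS v1.0", b"bootloader v2", b"kernel 2.6.26"]
TAMPERED_CHAIN = [b"BIOS v1.0", b"bootloader v2 + bootkit", b"kernel 2.6.26"]


def boot_and_unseal(chain, blob, tpm_root_key):
    """Boot with the given chain, then ask the 'TPM' for the sealed volume key."""
    return unseal(blob, measure_boot(chain), tpm_root_key)


def demo():
    """Returns (clean boot releases key, tampered boot is refused, runtime-only malware still released)."""
    tpm_root_key = os.urandom(32)   # stands in for the non-exportable storage root key
    volume_key = os.urandom(32)     # the disk encryption key held by the OS, not the TPM
    blob = seal(volume_key, measure_boot(GOOD_CHAIN), tpm_root_key)

    clean = boot_and_unseal(GOOD_CHAIN, blob, tpm_root_key) == volume_key
    refused = boot_and_unseal(TAMPERED_CHAIN, blob, tpm_root_key) is None

    # Malware that only runs after boot and never touches a measured component
    # leaves the PCR unchanged, so the key is still released next reboot: the
    # TPM only notices tampering with what was measured.
    runtime_only = boot_and_unseal(GOOD_CHAIN, blob, tpm_root_key) == volume_key
    return clean, refused, runtime_only


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The third result is the caveat a practitioner should take from the post: sealing protects the key against a modified boot chain, not against malware or a misbehaving user operating inside a correctly booted OS, and it says nothing about an application being "whitelisted" unless that application is itself part of what gets measured.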