Wave Systems Corp. (fka WAVXQ)

[Fullmoon]

A Matter Of Trust
Trusted Computing Raises The Bar For System Security Today & Tomorrow

http://www.processor.com/editorial/article.asp?article=articles%2Fp2702%2F09p02%2F09p02.asp&guid...

January 14, 2005 • Vol.27 Issue 2


While news of high-profile attacks and devastating new exploits has abated in recent months, system security remains a key concern for network administrators and CSOs. Keeping pace with the rapid evolution and escalation of security threats is a daunting challenge, and IT professionals continue to seek technologies that can enhance security without the frustration of additional management overhead. The Trusted Computing Group has worked aggressively to develop technologies and standards that can help to secure today’s computer systems. Although still a relatively new group, the TCG is emerging as a significant force in IT security. We spoke with Brian Berger, TCG marketing chair, about the current state of “trusted computing” and its future direction.



Building Blocks

Originally formed in 2003, the TCG now features 90 member companies that span
the computing industry, including component, system, software, and service vendors that embrace devices ranging from PCs to mobile devices, storage, networking, and server platforms. Unlike many other industry efforts, the TCG does not seek a single ubiquitous solution to security but rather to develop a range of technologies that can easily be adopted by the entire industry. Berger explains, “The Trusted Computing Group is enabling open and widely available building blocks and common interface stacks that the industry can adopt across multiple platform types and environments. With these open building blocks, the industry can address a range of security needs without compromising functional integrity, privacy, or individual rights.”

One unique hallmark of “trusted computing” is the use of hardware, in addition to software, to secure systems. Berger says, “Traditional security solutions rely solely on software that can be compromised.” Supporting a range of established standards and devices allows manufacturers to incorporate the elements most beneficial to a given system. “Trusted computing, at this juncture, works by providing secure hardware and software to deliver value to the platform user. The available platforms provided by the OEMs allow the platform owner to decide on all or some of the applications to work on the Trusted Platform. Included are the capabilities of a platform that has implemented products using the specifications,” he says.



Making It Work

Given the group’s approach to platform security, a PC can take advantage of TCG specifications at several levels, says Berger. “In the available platforms based on the TCG specifications, they [PCs] incorporate elements of hardware, software, and firmware.” One of the important issues to understand is that trusted computing standards are available now, and manufacturers are implementing compliant parts in many systems today, a factor that often goes unnoticed in the industry. “The objectives of the TCG are to provide open specifications that are vendor neutral across all computing platforms. For PCs, a Trusted Platform Module specification is available and widely implemented in millions of systems, and a software specification is also available,” notes Berger.

Manufacturers can also choose from a variety of products. TPMs (Trusted Platform Modules), the hardware heart of any trusted computing platform, are available from major chipmakers such as Atmel, Infineon, National Semiconductor, and STMicroelectronics. PC components from Fujitsu, HP, IBM, and Intel already incorporate TPMs (with the required firmware to support those chips), so all that’s left is the software, which is also appearing from HP, IBM, NTRU, Softex, Utimaco AG, and Wave Systems. Berger says, “A business can purchase a fully functional package today allowing capabilities that are solution focused. Examples of what can be done today with a TCG capable platform include data protection, multifactor authentication, secure email, digital signatures, and application/Web login security.”


No Rest For The Weary

Although trusted computing is now a reality on millions of systems, Berger remains frustrated by limited utilization of the technology, an issue that the TCG is actively addressing. “Awareness and understanding of the value delivered by these specifications and implementations is a challenge. As we continue forward with our marketing activities to educate the market on the value of TCG solutions, this impediment will diminish.”

The TCG has come a long way in a very short time, but Berger points to even more exciting development over the next few years. “We are planning and developing standards in several other areas that will be released to the market when completed. These include specifications for trusted computing implementation in servers, peripherals, storage, and mobile devices. We also are working to ensure endpoint integrity that utilized the security of trusted computing platforms and to ensure that all these systems will be interoperable.”

According to Berger, trusted networking standards are not far off. “TCG is also involved in a new effort, called ‘Trusted Network Connect,’ which is defining and promoting open solution architecture that will enable network administrators to enforce security policies for endpoint host connections to their multivendor networks.” When fully realized, a trusted network connect specification will determine the appropriate level of security and accessibility for users connecting to a network. Access is then based on the detected level of “security policy compliance,” such as full access, partial or directed access, or no access.

Ultimately, Berger says that administrators and IT staff are well served to use the capabilities offered by trusted computing platforms that are available today (and into the future). “Many IT [staff] and administrators are facing security requirements while implementing both policy enforcement and regulatory requirements. TCG-enabled platforms can help these organizations meet their objectives and solve [security] implementation problems using standards-based technology.”

by Stephen J. Bigelow