
Monday, 01/24/2011 2:52:05 PM

This just showed up in my inbox from Dark Reading. Sorry for the formatting.

Installed inside hundreds of millions of endpoints worldwide, the hardware authentication chips built around the Trusted Platform Module specification have long been billed as a security panacea. But even after proliferation of TPM hardware, the vast majority—99%, by some estimates—are left turned off. Critics say the inflexible and costly nature of deploying hardware-based authentication will keep TPM from ever catching on in a major way. But TPM advocates believe getting TPM use to a meaningful inflection point is simply a matter of more education—so that organizations know they’ve already deployed the hardware necessary to vastly improve security.

Developed by the multivendor Trusted Computing Group consortium, TPM is a cryptographic processor that can store crypto keys that enable platform authentication. Ideally, a person logs into his device, and that device logs him into all his services, says Stephen Sprague, CEO of Wave Systems, which specializes in TPM consulting. Compared with people-oriented techniques such as passwords, authentication “is dramatically easier to use when you make it on machines because you don’t have all the problems associated with people,” he says. “There’s no personally identifiable information. It’s machine-identifiable information.”

For more than four years, the Trusted Computing Group has evangelized TPM as member vendors ramped up production of TPM chips. Today, nearly all business-class endpoint devices such as laptops and desktops come equipped with TPM.

Tracking the use of these chips, however, is an inexact science; there’s no real mechanism to count how many TPMs are turned on. Sprague says the industry consensus is that no more than 1% to 2% of TPM chips are being used.

A few encouraging TPM use cases cropped up last year—PricewaterhouseCoopers started deployment on 30,000 of its 150,000 user base. But it’s clear that the crypto chips aren’t making a dent in the authentication and security market. “Ninety percent of the time when we walk in the door we’re educating the CIO, the CISO, and the procurement people that they actually have something already in the box, and they go, ‘Really? On everything we have?’” Sprague says.

But TPM’s problems go beyond lack of awareness. The hardware-based authentication model is too restrictive in this age of consumerized IT, Gartner analyst John Pescatore wrote in a recent blog post, as employees choose their own hardware, and even software. “Trusted Computing that focuses on user lockdown is aiming way, way behind the duck,” he wrote.

Desktop virtualization can be more cost-efficient and effective to secure endpoints than dedicated hardware, since you can centrally patch, manage antivirus software, and maintain PC images, says Adrian Lane, CTO of Securosis. A hardware approach, he says, is harder to break, but it costs more, is harder to manage, is inflexible, and “gets old really fast.”

Still, many organizations have TPM chips just waiting to be used. “If the average IT security department did nothing in the next year but turn on their TPMs and use them,” consultant Sprague says, “they’d do more for cybersecurity than any other investment they could make.” —Ericka Chickowski (editors@darkreading.com)
darkreading.com