Join the club: Changing the status quo for security

Today's essay is the second of two articles by Brian Berger, a director of the Trusted Computing Group. In his first article, Berger discussed the widely underused Trusted Platform Module (TPM) which can easily help secure systems. Here, he discusses the state of acceptance of the TPM.

* * *

Companies that make computing and network products should investigate and analyze the benefits they can provide consumers by incorporating the TPM in their new products. Several companies already have new products based on TCG standards including the TPM that demonstrate what can be accomplished. As a result, early adopters have already taken advantage of improved TPM-based security in these existing products for organization-wide implementation.

Since July 2007, the Department of Defense has explicitly required a TPM in all its new computers.

Government agencies outside of the U.S. are also embracing the TPM for improved security. Communications-Electronics Security Group (CESG), the United Kingdom's Government's National Technical Authority for Information Assurance (IA), has determined that the TPM can be used to protect security critical data at Business Impact Level 3 for Restricted classified data.

Governments that have not bought into the TPM include China, Russia, Kazakhstan and Belarus. Their rejection alone should be sufficient reason for most people in all the other countries to activate their TPM.<grin>

Companies that have acknowledged the TPM's value and are pioneering the implementation of TPM-based security include PricewaterhouseCoopers (PwC). PwC's next-generation authentication system will replace employees' software-based private-key certificates for hardware-based storage of new certificates using the TPM. With more than 35,000 employees already enjoying improved TPM security, PwC expects to have all of its 150,000 users converted in about a year.

PwC is not alone in its efforts. Other companies embracing the TPM and associated TCG standards that take advantage of the TPM include Boeing, BAE Systems, General Dynamics and Rockwell Collins.

With cloud computing growing rapidly, the need for improved security increases even further. TCG expects the TPM to play an important role to strengthen and complement the security services in any cloud operating system or hypervisor, especially with the strong authentication that the TPM enables. The Trusted Multi-Tenant Infrastructure Work Group is working on an open-standards framework for cloud computing security. However, some of the TPM's capabilities can already be used for cloud security.

In summary, having a high level of security does not normally get an organization in the news. In contrast, companies and government entities with vulnerable security frequently are in the headlines. So how much proof does it take to get us to activate and use the TPMs that are already in the organization? It's not like embracing a solution for global warming and doesn't require shelling out big bucks. You would think that anyone with proprietary information would do whatever it takes to protect unauthorized access to that information – before it appears on WikiLeaks.

* * *

Brian Berger is an executive vice president for Wave Systems Corporation. He manages the business, strategy and marketing functions that include product management, product positioning, marketing and sales direction for the company. Berger holds a key executive leadership position for the company to develop and implement the strategy for Trusted Computing. He has been involved in security products for the past 10 years including work with embedded hardware, client / server applications, PKI and biometrics. He has worked in the computer industry for over 20 years and has held several senior level positions in multinational companies. Berger holds three patents and has pending patents for security products and commerce transactions capabilities using security technology.

Trusted Computing Group is exhibiting at Infosecurity Europe 2011 – the No. 1 industry event in Europe – where information security professionals address the challenges of today whilst preparing for those of tomorrow. Held from t April 19-21 at Earl's Court, London, the event provides an unrivalled free education program, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit the conference Web site.

Learn more about this topic

PwC lauds Trusted Platform Module for strong authentication

Microsoft downplays Black Hat BitLocker, TPM hack

Trusted Computing Group eyes cloud security framework

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT