1 / 17

The Rise of Standards in Security

The Rise of Standards in Security. Roger L. Kay Founder and President k@ndpta.com. Agenda. Why standards? Arguments against Arguments for Examples of major deployments TPM forecast Conclusions. Why Standards?. Most important is universal agreement

Download Presentation

The Rise of Standards in Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Rise of Standards in Security Roger L. Kay Founder and President k@ndpta.com

  2. Agenda • Why standards? • Arguments against • Arguments for • Examples of major deployments • TPM forecast • Conclusions

  3. Why Standards? • Most important is universal agreement • Trusted Computing Group (TCG): best overall technical solution with broad backing • Microsoft — BitLocker • Intel — Core logic? • Long list of OEMs and applications • Acer, ASUS, Dell, Gateway, Fujitsu, Lenovo, HP, Intel, Mitsubishi, Motion, MPC, NEC, Samsung, Sony, Toshiba • white box, gaming, hard drives, embedded • Mostly commercial notebooks for now

  4. Two Arguments Against TCG • System dynamics do not promote development • No user pull; all vendor push • Shipments ≠ Deployments • Ecosystem doesn’t exist to support broad usage

  5. Natural Selection • What good is half a wing? • Insects, pterosaurs, birds, bats developed flight • A fin is a limb is a wing • Scales to feathers: warmth, display, protection, stealth • Answer: gliding —squirrel’s tail aids jumping • How do complex eye structures evolve? • Answer: from simple ones

  6. TPMs are Useful on Their Own • User authentication • Password management • File and folder encryption

  7. Slow Deployment • Some merit to shipments ≠ deployments • But deployments are rolling out • Education is bringing the value of TCG to light • Tools are proliferating

  8. Help is on the Way • Centralized remote deployment and management tools (e.g., Wave Systems’s ERAS) • TPM is used for platform access, data protection, secure messaging, and network security • Real time enforcement of employee policy through Active Directory • Ex.: If local TPM is informed of being removed from AD, user is cut off instantly • Standardized elements (e.g., MS and TPM) based on root of trust secure identities and access

  9. Real World Examples • Pharmaceutical company • Pizza franchise • Automobile rental • Health care in Japan • Government & regulatory

  10. Pharmaceutical Company • 20,000 seats • Who is connecting? • Vulnerabilities: trade secrets and legal liabilities • With VPN over public network, put TPMs on all clients • Access dependent on digital certificate • Verifies both user and machine • Hardware and software from Lenovo

  11. Pizza Franchise • Hundreds of seats • Stores communicate sensitive information to HQ over public network • TPMs secure passwords and certificates • Email, PIM, bank access, credit cards encrypted • Integrated into MS Office; single icon click • Multifactor for some; single for others • Hardware by Dell; software by Wave Systems

  12. Car Rental Firm • Tens of thousands of seats • Local caching of sensitive customer data between transmissions • Limited expertise and language barriers • Simple deployment scripts to enable TPMs • Three steps: • Encrypt cached data • Auth. user & system to server with PKI bound to TPM • Flush cached data after synchronization • HP hardware and software

  13. Japanese Health Care Projects • Obligation to preserve data; METI funded • Public network, home-based patients • Distributed care givers • Field workers, hospitals, labs, medical databases, nursing records • Differing levels of access require various auth. • Hitachi’s TPM-based system for home health care • IBM’s Trusted Virtual Domains • Fujitsu’s TNC deployment verifies HW and app config for session of broadband telemedicine

  14. Government & Regulatory • National Security Agency • Full drive encryption • TCG for compatibility • U.S. Army • Network Enterprise Technology Command now requires TPM 1.2 on new computers • F.D.I.C. • Promotes TPM usage to member banks

  15. TPM Shipment Forecast

  16. Conclusions • Vendors are pushing, but users are pulling, too • Real world deployments are taking off • Working with standardized elements is in everyone’s best interest • Root of trust can anchor larger elements • Once the platforms are in place, more elegant structures can be erected • Trusted computing is real and it’s here

  17. Questions?

More Related