By Sven Gossel, charismathics
While smart card use seems a widely accepted method to authenticate the user to the secured environment of the enterprise, people are questioning the sense of the Trusted Platform Module built onto PC motherboards. Companies bought it with practically any of the computers in use today, but hardly make use of it. Originally designed for Digital Rights Management, applications tend to be expensive and not always worth to be invested in. And handling is quite difficult. But there are other ways to use the TPM – when using software designed to enable other security features of the client operating system. And saving loads of budget, too.
In a regular enterprise environment, users need to be authenticated when accessing the company´s databases. A good 80% of the world´s work force may still use the good old username and password doing so. Confronted with more and more complex password policies, a culture of on-screen and below-keyboard post-it stickers has widely taken ground. The other 20% have invested in more secure ways to process the user logon in the morning: mostly PKI smart cards, but also using physical access memory cards with some sophisticated software add-ins. And even one-time-password tokens seem to have their market place. Although technically possible, and for some weird commercial reasons, the all available Trusted Platform Module (TPM) isn´t used for this at all.
At the same time, wireless networks are more and more replacing LAN cables in standard office environments. As such cable infrastructure is expensive, whereas meanwhile hot spots, repeaters are common and power line adapters in the consumer market are used as a cheaper alternative. Not everybody however knows that with the latest Windows operating system versions, the system administrators are able to configure those hotspots with the same security level typical of smart cards in their standard configuration. Thus, all the most recent WIFI firmware versions support the so-called 802.1X authentication (see picture), even inside the inexpensive hardware available in the electronic store around the corner. Those are enabled to accept a certificate based logon for all accessing computers – this way people could be empowered to leverage their smart cards in another way.
Alright – but why is this important? A smart card authenticates the user. A TPM however authenticates the machine. Whereas, when already having a smart card in your hands, such WIFI feature seems a straight forward way to also secure your hot spots, we need to think about all those 80% of users that do not have a smart card or other tokens. But what they have is most likely an unused TPM sleeping without “ownership” on their computer motherboards. Those mostly smaller enterprises fear the investment into a large scale PKI smart card scheme – not even to think about all the readers, USB sticks or new keyboards that need to be invested in. Hence, what if there is a way to make use of the TPM for this exact market not owning a smart card and what does it take to invest into such a scheme?
A TPM in practice is nothing different from a smart card wired to your motherboard. It may store its credentials in a different way, it carries little different firmware, its main purpose may still be dissimilar to what a smart card is designed for. And you may argue that it only represents a single factor authentication over a smart card being two-factor. However, logically the distinction in between the two is the authentication of a piece of hardware against the authentication of a specific user. And in a WIFI system, the first step is the authentication of the machine – the user logon is a separate logical step. Therefore, when authenticating against a WIFI hotspot, a TPM certificate is an even better way to move forward increasing the security of such infrastructure.
It remained being a burden to actually perform such a step. You needed TPM connector software that not only accesses your TPM to perform those operations. Moreover, this software also should not interfere with existing standard applications written for TPM hardware and should be interoperable with the TPM Security Stack (TSS). Last and ideally, it also needed to support other hardware related applications and their authentication, e.g. hard disk encryption software that usually is being controlled in pre-boot environments.
Such software would show that the biggest of all markets is not the 100% scheme that enables everything at the same time – companies are all too different, and all have individual security requirements. And they are of different size and budget. Software like this serves one of hundreds of niches that all need to be addressed, if IT security is not supposed to stay a privilege to bigger enterprises. And such solutions are available.
With its TPM connector to their Smart Security Interface, Charismathics now enables the millions of TPM machines in the field to get out of their sleep mode and enhance the security of IT systems without an immediate requirement for an investment into smart cards and other hardware. WIFI hotspots can be secured appropriately, LAN infrastructure can be made redundant. And – most of all: all those certificates can be handled by standard directory services. There is no need for TPM specific applications to this extent. And enterprises are offered a migration path into a full PKI scheme with a first step.
TPM vendors out there – say thank you.
Nice article. I would like to comment that much of this the industry should take serious notice. The TPM is shipped today in almost all business class PCs, more than 300M, and includes the necessary Software to enable and activate the TPM. In fact, most of the Software the OEM’s include in their base packages, free with your PC purchase, allows a user or organization to use their TPM with WIFI or VPN solutions already inside their enterprise.
The real value of this conversation is not about “what is a TPM”? The real conversation is once I use the capability of industry standard, peer vetted, and interoperable security, what do I get? The answer is deep and wide, not narrow. Yes, of course it’s obvious that machine authentication is the first step of hardware embedded security of the TPM. Layering machine authentication with user authentication, so now, known machines and known users are accessing data and networks in some real value to enterprises, cloud services and online applications. This is the security and access discussion that all organizations, governments and service providers need to take a clear look, and develop a long-term plan as the TPM is here to stay.
Why is network access so important? The organizations only want known users accessing company information, classic data protection. User’s want only their data accessed by those who are authorized, classic data protection and privacy. User’s need to demand the service providers enable hardware authentication for access so the user can have assurance that only they and those who are authorized can access their data. We can start to discuss health measurements, infected PC’s, and updated software as metrics of access. These are some of next features the TPM can provide real-time feedback so the service or the machine can make proper decisions based upon “rules”.
Data protection is a broad topic as well. This article tees up the concept of using commercially accepted standards for security. The data protection area is fragmented similarly to the authentication area. The appearance of encrypted hard drives or SED’s has created a choice for embedded hardware encryption that is also peer vetted, interoperable and industry standardized. The SED, a clear solution winner for data-at-rest, when used with TPM is a holistic solution that “just plain works”. All in all, we achieve the first layers of the hottest security topics: Data Access, Network Access and Data Protection on the client.
As a key supplier to the OEM’s for the TPM and SED software that has been shipped to end-users on 10’s of millions of PC’s, we see the adoption nd widespread use of these technologies as solutions vs. technological concepts. We have white papers, case studies, implementer’s guides and products that have been used for years on this category of capabilities. If enablement, encryption management, key management are interesting topics…. Reach out to me directly and I will help you with information.