The Trusted Computing Group, a not-for-profit organization formed in 2003 by HP, IBM, Intel, Microsoft, and other IT heavyweights, is developing standards for securing systems and data from external attacks and physical theft.
The fruits of the group's efforts are most visible in its Trusted Network Connect standards, the basis for network access control technology offered by almost every IT vendor except Cisco, which prefers to have networks operate primarily on Cisco technology. Another of the group's successes has been the Trusted Platform Module, a microcontroller affixed to a PC's motherboard that's used to store encryption keys, passwords, and digital certificates separate from the hard drive. TPMs have been embedded in more than 40 million PCs shipped since 2003.
Advocates say trusted computing is the future of security. "Ten years from now, you won't have a user name and password," says Steven Sprague, CEO of Wave Systems, which is on the Trusted Computing Group's board. "You will authenticate the human being to the machine, and the machine will authenticate you to the network."
Sprague and others predict the TPM's capabilities will be expanded so it becomes the first component in a "chain of trust" by storing logon and password information about a PC's authorized user, as well as by defining the types and versions of applications that should be running on the PC. Any inconsistencies between the TPM's directory and what's found on the PC would keep the PC from booting. Critical applications and capabilities such as e-mail, Web access, and local protection of data are thereby made much more secure, says Tony Redmond, VP of security and CTO of Hewlett-Packard Services.
Working groups within the Trusted Computing Group are looking for ways to create TPM chips that can be used on peripherals and storage devices. The goal is to give devices the ability to pass a user's credentials automatically so the user doesn't have to authenticate to every application, network, and Web site throughout a workday. Devices based on the Trusted Computing Group's new Mobile Trusted Module specification should start showing up by the middle of next year.
But trusted computing is hardly a quick fix. It could take eight or nine years to transform the IT infrastructures to the point where people can identify themselves from wherever they log on to the network, Redmond says. Another key is the emergence of operating systems that acknowledge the presence of TPMs, something Microsoft's Windows Vista promises to do. There are several groups working on Linux and other open source code to leverage TPM capabilities.
MORE THAN VIRTUALLY SAFE
Virtualization software, which carves up the assets of a PC or server into smaller virtual machines, is seen as a way to consolidate hardware and software, but its security implications are undeniable. For example, the hypervisor that's used to manage these virtual machines is in charge of the system before the system is; it gets loaded early and can make sure any software being loaded is free of security problems and provide alerts when the software behaves erratically.
| |
Forty million PCs sport the Trusted Computing Group's TPM microcontroller | |
By the middle of next year, Intel and Symantec will offer security for vPro that defends against malware specifically designed to shut down a computer's security defenses, such as antivirus and anti-spyware applications. Symantec's Virtual Security Solution will use vPro's hardware-assisted virtualization capabilities to contain any malware threats on a given virtual machine within the PC, so that other virtual machines can't be infected.
But the hypervisor can become a new place for attackers to hide malware, warns Paul Kocher, president of Cryptography Research. "Virtualization has huge benefits from a management perspective, but it creates as many problems as it solves," he says. "You can move a firewall to a virtual layer, but it's not clear that this makes the firewall more effective at protecting the PC."