Fast, easy things to do with the Trusted Platform Module

Most enterprises today can easily determine exactly who is on their networks, prevent data loss and manage passwords using widely available tools and at little initial cost or ongoing maintenance, note security experts at the Trusted Computing Group.

However, many IT organizations are not using this technology, and are risking serious data breaches and negative impacts from such breaches, which are estimated to cost industry approximately hundreds of millions in lost business, fines, fees and lost goodwill. Seventy-three percent of breaches are from external sources, according to a 2008 Verizon report, and the same report notes that 52 percent of attacks were ranked “low” on attack difficulty.

Some simple security fixes are based on the Trusted Platform Module, a technology embedded into most newer enterprise PCs. The module, or TPM, protects digital keys, passwords and certificates against attacks or loss. When activated and used with widely available software provided by many PC and applications vendors, the TPM enables strong authentication and more effective password management, and it can safely store keys used for self-encrypting drives.

Who is using the TPM?

A large pharmaceutical company wanted to control what PCs could access the company network. Even though the company had a VPN in place, network operations could show that not all PCs connected to the network were actually authorized to be able to connect to the network.

The company turned to digital certificates protected by the TPM inside of its PCs as the answer. The VPN requires a digital certificate as authentication to log on to the network. The certificate is protected by the TPM on each company PC. The TPM software requires its own authentication before it will release the certificate the VPN requires.

As a result, the company knows that only company PCs can connect to the network (only company PCs have the certificate required, and that certificate is bound to the TPM in the PC). Further, the company knows that the only way to get the VPN certificate to be released is if an authorized company employee is at the keyboard when the VPN client is started. If a company PC is stolen, the certificate tied to that PC can be revoked. Now the company can show that all PCs connected to the network belong to the company or are otherwise explicitly authorized to be there.

The TPM can be used with biometrics or smart cards, and uses widely deployed Public Key Infrastructure, present in almost all email clients. The TPM also is supported by almost 20 VPN products, including those from leading vendors.

Don't miss