INNOVATIVE START
ON THE PATH TO A MORE SECURE, TRUSTWORTHY ENTERPRISE
Practical Trusted Computing Solutions You Can Deploy Today
How can you defend against the onslaught of attacks on your computers and networks? How can
you be sure your critical data is safe? Malware and software-based attacks are a grave threat that
traditional defenses struggle to counter on their own. But trusted computing technologies can change
the game, offering enterprise IT managers evidence, rather than hope, that their computers and
networks are running the software they expect and are free from malware. Trusted computing
solutions build security in from the ground up. Trusted systems start with a hardware-based
“root of trust”, such as the Trusted Platform Module (TPM), whose state cannot be rewritten by
malware running on the host, and then build on that root to measure and verify the software that is
running on the machine.
INNOVATIVE START TOWARD A SECURE, 1
TRUSTWORTHY ENTERPRISE WHITE PAPER
While trusted computing is widely understood to theoretically provide new and powerful
foundational security capabilities, the full promise of trusted computing has not yet been realized.
Computers and networks remain vulnerable, and the vision of using the TPM to measure everything
running on your systems and protect access to your critical data and resources is not yet a reality.
So, should we wait for trusted computing to be able to do everything before beginning to use it?
Of course not. Trusted computing can address several common cybersecurity challenges that your
organization faces right now. As the grand vision is being worked on, many trusted computing
technologies have sprung up to advance everyday security.
The hardware foundations for trusted computing are already widely available. The TPM has shipped
on about half a billion systems and continues to ship in large quantities. Companies like Intel
and AMD are building complementary technologies into their chipsets to make better use of the TPM
and to improve virtualization security. Microsoft recently revealed some details of how the TPM and
other trusted computing technologies will be used more fully in Windows 8 than in any previous
Windows release. Self-encrypting drives (SEDs), particularly those based on the Trusted Computing
Group (TCG)’s Opal standard, are now widely available. And many more solutions that combine
biometrics, smart cards and TPMs are appearing all the time.
The Emergence of the Extended Enterprise Operations Center (EEOC)
Before we examine specific solutions, let’s define the characteristics of a solution that would be
worth deploying:
First, the solution must provide a real security benefit today. If it doesn’t do that,
what’s the point?
Next, it has to fit into the enterprise infrastructure. A great technology is only useful if it
can be used in a way that allows it to fit in with all the rest of the solutions we need and
already use.
Any solution also has to be economical. It’s difficult to measure the return on investment (ROI)
on a security technology, because you are usually measuring by trying to quantify the value of
ensuring some unknown future bad thing doesn’t happen. So, the price has to be right and
the benefit has to be tangible.
Lastly, of course, any solution we’re interested in has to be easy to use or it might not get
used at all.
There are, in fact, a number of practical trusted computing solutions available today that meet
the above criteria. These include solutions that provide secure network access control, trusted
configuration management, data-at-rest protection, machine identification, real-time health checks
and more. Three key solution areas in particular are worth exploring in more depth: local protection
of keys using the TPM, secure network management and health checking using Trusted Network
Connect (TNC) and encryption of your data-at-rest using SEDs or hardened software solutions.
TPM
Let’s start with the TPM. You’ve almost certainly got them on your enterprise machines, even if you
don’t know it. While the infrastructure is not in place yet to use the TPM to enforce comprehensive
security policies based on measurements of your software, the TPM does provide a convenient
place to protect critical secrets on your platform.
The most widely used solution that leverages the TPM is Microsoft’s BitLocker drive encryption.
BitLocker comes standard on certain editions of Windows Vista and Windows 7 and will be available
with the new Windows 8. BitLocker “seals” the key that unlocks the volume to the TPM: at each boot
the firmware and boot manager are measured into the TPM’s Platform Configuration Registers (PCRs),
and the TPM releases the key only if those measurements match the values recorded when BitLocker
was turned on and, if you have configured one, the correct PIN is entered. An attacker who steals the
machine therefore can’t just boot into their favorite OS and read the disk, and a pre-OS rootkit that
modifies the boot chain changes the measurements, so the volume stays locked instead of booting with
the malware in place. Two practical caveats: a legitimate firmware or boot-manager update changes
the measurements as well, so patch procedures need a suspend-and-re-seal step (or the recovery key
will be needed); and in TPM-only mode, with no PIN, the TPM releases the key to whoever powers on
the machine, so for portable machines require a PIN or startup key rather than relying on the OS
login alone.
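To make the sealing behaviour above concrete, here is a small Python simulation of TPM measured boot and sealing. It is an added example, not code from this paper or from Microsoft: the PCR numbers, component names, PIN and volume key are constructed, and the “TPM” is an in-memory model that reproduces only the extend-then-check logic, not a real TPM interface.

```python
import hashlib
import os
from typing import Optional


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


class SealError(Exception):
    """Raised when the sealing policy (PCR values and/or PIN) is not satisfied."""


class SimulatedTPM:
    """Toy model of TPM measured boot and sealing, for illustration only."""

    PCR_COUNT = 24

    def __init__(self):
        self.pcrs = {}
        self.power_on()
        self._sealed = {}  # handle -> (secret, PCR indices, policy digest, PIN hash)

    def power_on(self):
        # PCRs reset to zero at power-on; nothing else can reset or rewrite them
        self.pcrs = {i: bytes(32) for i in range(self.PCR_COUNT)}

    def extend(self, index: int, component: bytes) -> bytes:
        # PCR_new = H(PCR_old || H(component)). Extend is one-way: software can only
        # push more measurements in, never set a register to a chosen value.
        self.pcrs[index] = sha256(self.pcrs[index], sha256(component))
        return self.pcrs[index]

    def policy_digest(self, indices) -> bytes:
        # Composite of the selected PCRs, the analogue of a TPM 2.0 PolicyPCR digest
        return sha256(*(self.pcrs[i] for i in sorted(indices)))

    def seal(self, secret: bytes, indices, pin: Optional[bytes] = None) -> bytes:
        handle = os.urandom(8)
        pin_hash = sha256(pin) if pin is not None else None
        self._sealed[handle] = (secret, tuple(sorted(indices)), self.policy_digest(indices), pin_hash)
        return handle

    def unseal(self, handle: bytes, pin: Optional[bytes] = None) -> bytes:
        secret, indices, expected, pin_hash = self._sealed[handle]
        if self.policy_digest(indices) != expected:
            raise SealError("PCR policy mismatch: the measured boot chain changed")
        if pin_hash is not None and (pin is None or sha256(pin) != pin_hash):
            raise SealError("PIN rejected")
        return secret


def measured_boot(tpm: SimulatedTPM, firmware: bytes, bootloader: bytes, os_loader: bytes) -> None:
    """Each boot stage measures the next one into a PCR before handing over control."""
    tpm.power_on()
    tpm.extend(0, firmware)     # PCR0: platform firmware
    tpm.extend(4, bootloader)   # PCR4: boot manager
    tpm.extend(11, os_loader)   # PCR11: OS loader (index choice is illustrative)


# Constructed stand-ins for the real boot binaries, the PIN and the volume master key
FIRMWARE = b"UEFI firmware build 1.0"
BOOTLOADER = b"bootmgfw.efi 6.1.7601"
OS_LOADER = b"winload.efi 6.1.7601"
VOLUME_KEY = os.urandom(32)
PIN = b"1234"


def unseal_result(tpm: SimulatedTPM, handle: bytes, pin: bytes) -> Optional[bytes]:
    """Return the released key, or None if the TPM refuses."""
    try:
        return tpm.unseal(handle, pin)
    except SealError:
        return None


def scenario() -> dict:
    tpm = SimulatedTPM()
    # Turn on protection: boot the known-good chain, then seal the key to PCRs 0,4,11 plus a PIN
    measured_boot(tpm, FIRMWARE, BOOTLOADER, OS_LOADER)
    handle = tpm.seal(VOLUME_KEY, [0, 4, 11], pin=PIN)
    r = {}
    measured_boot(tpm, FIRMWARE, BOOTLOADER, OS_LOADER)
    r["good_boot"] = unseal_result(tpm, handle, PIN) == VOLUME_KEY
    r["wrong_pin"] = unseal_result(tpm, handle, b"0000") is None
    # A bootkit patches the boot manager: PCR4 differs, so even the right PIN releases nothing
    measured_boot(tpm, FIRMWARE, BOOTLOADER + b" +bootkit", OS_LOADER)
    r["bootkit_blocked"] = unseal_result(tpm, handle, PIN) is None
    # Malware inside the OS cannot 'repair' PCR4 by extending it again; extend only moves it further
    tpm.extend(4, BOOTLOADER)
    r["extend_does_not_restore"] = unseal_result(tpm, handle, PIN) is None
    # A legitimate boot-manager update has the same effect, which is why patch procedures
    # must suspend protection and re-seal against the new measurements
    new_loader = b"bootmgfw.efi 6.1.7601 +patch"
    measured_boot(tpm, FIRMWARE, new_loader, OS_LOADER)
    r["update_blocked"] = unseal_result(tpm, handle, PIN) is None
    handle = tpm.seal(VOLUME_KEY, [0, 4, 11], pin=PIN)  # re-seal after the update
    measured_boot(tpm, FIRMWARE, new_loader, OS_LOADER)
    r["reseal_ok"] = unseal_result(tpm, handle, PIN) == VOLUME_KEY
    return r


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:25s} {'PASS' if ok else 'FAIL'}")
```

The point to take from the model is that the TPM never decides whether the boot chain is “good”; it only checks whether the chain is the same one the key was sealed against, which is why both a bootkit and a routine boot-manager patch are refused until someone with the recovery key re-seals.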
It’s also easy to leverage the TPM to protect your VPN keys and other user authentication
credentials. PC-based solutions from companies like Wave Systems and Infineon, many of which are
part of the standard software bundles that ship with commercial PCs, let you use the TPM to hold
the private keys for any number of commercially available security products without modification
to those products: the vendor software presents the TPM as a standard cryptographic provider, so the
application simply sees a key it cannot export. Keys held this way survive the software-based attacks
that copy key files or scrape them from memory. Note what the TPM does not do: malware already
running in the user’s session can still ask the TPM to use the key while the user is logged in, so
a TPM-protected key should be combined with an authorization value (PIN) where the product supports
it and with the endpoint health checks described in the next section.
And while commercial solutions that use the TPM for “machine identity” aren’t mainstream yet, you
should be on the lookout for them soon. Technically viable solutions are available now, but the
concept of machine identity has not yet become common enterprise security parlance. When you
authenticate to your network using a VPN, for instance, you prove that you know some user password,
and you might prove that you also have the right VPN key on your machine, but you don’t prove which
machine you have. Because malware can steal both your passwords and your software-based keys, an
attacker can connect to the VPN from a different machine, without detection. If you add a network
access policy that the machine itself must be identified, by a certificate whose private key was
generated inside the TPM and cannot be exported, you’ve created another barrier: the attacker can’t
penetrate your network from a machine that isn’t already known to it, because the stolen credentials
alone no longer suffice.
TNC
Trusted Network Connect provides a good framework for enforcing your own preferred security
policies for managing access to your networks. In earlier network access control solutions,
endpoint health was checked only when the endpoint asked to join the network. With TNC, health
checks can be performed continuously, so access can be adjusted as an endpoint’s status or the
network’s requirements change. The interesting thing about the name TNC is that there is nothing
inherently trusted about the protocol: it just provides a common, vendor-neutral framework for
security checks on client machines. The trusted part comes in if you use the TPM, or some other
check that gives you assurance about the machines that are connecting, as one of the inputs to the
access decision.
But the fact that you don’t have to use a TPM or any other specific technology is one of the big
reasons to use TNC. TNC lets you take the security benefits from any vendor that provides
TNC-compatible solutions, and there are many that do. With TNC-based products like Juniper’s
Unified Access Control (UAC), you can gate network access on the version and operational state of
your software, such as your Microsoft OS or your Symantec or McAfee anti-virus solution. Access can
also be blocked if certain banned software packages are running. By performing periodic health
checks, you can catch changes to network-attached computers as they happen and move a machine that
has drifted out of policy to a remediation network before it can do harm.
One of the major benefits of TNC is that it enables you to enhance trust gradually over time. You
can integrate TNC first and then add new capabilities. Verification of machine identity using the
TPM could be required to gain access, or access could be based on any of a variety of other TNC-
enabled security checks. A number of vendors have recently integrated TNC into their products
and brought a variety of security capabilities into the shared TNC framework. One technology
that helps with this integration is TNC’s Interface for Metadata Access Points (IF-MAP), a
publish/subscribe protocol implemented in products like Infoblox’s IF-MAP Orchestration Server.
You could think of IF-MAP as Facebook for applications. People use Facebook to keep track of what
is happening in the lives of their friends. IF-MAP makes it possible for interested applications to
keep track of one another in the same way. When an application observes an event, such as a failed
health check or a new device appearing on the network, it publishes metadata about it to the IF-MAP
server. Applications that have subscribed to that metadata are notified automatically and can react
to it. This creates an unprecedented opportunity to connect third-party software packages to
automate network threat detection and response.
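The following Python model, an added example that is not code from this paper or from any TNC or IF-MAP vendor, wires the two ideas above together: an in-memory IF-MAP-style metadata server with publish/subscribe, and a policy decision point that subscribes to a device’s posture and re-decides access every time a new health report is published. The policy values, the device identifier and the posture fields are constructed; real IF-MAP also links identifiers to each other and supports depth-limited searches, which are omitted here.

```python
from typing import Callable, Dict, List, Tuple

Posture = Dict[str, object]


class MapServer:
    """Minimal IF-MAP-style metadata server (in-memory, illustrative only).

    Identifiers (plain strings such as 'device:laptop-0042') carry named metadata.
    Publishing replaces the metadata of that name and notifies every subscriber
    of that identifier, which is the publish/subscribe behaviour the text describes."""

    def __init__(self):
        self.metadata: Dict[str, Dict[str, dict]] = {}
        self.subscribers: Dict[str, List[Callable[[str, Dict[str, dict]], None]]] = {}

    def publish(self, identifier: str, name: str, attrs: dict) -> None:
        self.metadata.setdefault(identifier, {})[name] = dict(attrs)
        for callback in list(self.subscribers.get(identifier, [])):
            callback(identifier, self.metadata[identifier])

    def subscribe(self, identifier: str, callback) -> None:
        self.subscribers.setdefault(identifier, []).append(callback)
        callback(identifier, self.metadata.get(identifier, {}))  # initial search result


# Constructed access policy of the kind a TNC policy decision point enforces
POLICY = {
    "min_os_build": 7601,                 # Windows 7 SP1 build number
    "max_av_signature_age_days": 7,
    "banned_processes": {"utorrent.exe", "kazaa.exe"},
}


def evaluate(posture: Posture, policy: dict) -> Tuple[str, List[str]]:
    """Map an endpoint's posture to allow / quarantine / deny, with the reasons."""
    if not posture.get("machine_identity_verified"):
        # Without a TPM-backed device credential we do not even know which machine this is
        return "deny", ["machine identity not proven"]
    reasons = []
    if posture["os_build"] < policy["min_os_build"]:
        reasons.append(f"OS build {posture['os_build']} below {policy['min_os_build']}")
    if not posture["av_enabled"]:
        reasons.append("anti-virus disabled")
    if posture["av_signature_age_days"] > policy["max_av_signature_age_days"]:
        reasons.append("anti-virus signatures stale")
    banned = set(posture["processes"]) & policy["banned_processes"]
    if banned:
        reasons.append("banned software running: " + ", ".join(sorted(banned)))
    return ("allow" if not reasons else "quarantine"), reasons


class PolicyDecisionPoint:
    """Subscribes to each device's posture and re-decides whenever it changes."""

    def __init__(self, server: MapServer, policy: dict):
        self.server, self.policy = server, policy
        self.decisions: Dict[str, str] = {}
        self.log: List[Tuple[str, str, List[str]]] = []

    def watch(self, device: str) -> None:
        self.server.subscribe(device, self.on_update)

    def on_update(self, device: str, meta: Dict[str, dict]) -> None:
        posture = meta.get("posture")
        if posture is None:
            return  # no health report yet
        decision, reasons = evaluate(posture, self.policy)
        if self.decisions.get(device) == decision:
            return  # unchanged; do not re-publish
        self.decisions[device] = decision
        self.log.append((device, decision, reasons))
        # Publish the decision so an enforcement point (switch, VPN, firewall) can act on it
        self.server.publish(device, "access-decision", {"decision": decision})


def scenario() -> List[Tuple[str, str, List[str]]]:
    server = MapServer()
    pdp = PolicyDecisionPoint(server, POLICY)
    device = "device:laptop-0042"  # constructed identifier
    pdp.watch(device)
    healthy: Posture = {"machine_identity_verified": True, "os_build": 7601, "av_enabled": True,
                        "av_signature_age_days": 1, "processes": ["explorer.exe", "outlook.exe"]}
    server.publish(device, "posture", healthy)                           # joins: allowed
    server.publish(device, "posture", {**healthy, "av_enabled": False})  # periodic check: AV off
    server.publish(device, "posture", healthy)                           # remediated: allowed again
    return pdp.log


if __name__ == "__main__":
    for device, decision, reasons in scenario():
        print(device, decision, reasons)
```

The decision point never polls the endpoint itself; it only reacts to what gets published, which is what lets a third-party health agent, a discovery tool and an enforcement point cooperate without knowing about one another.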
Examples of security products that integrate with TNC and/or IF-MAP include Lumeta’s IPSonar,
which maps network configuration and detects leaks; Hirsch Electronics’ Velocity Security
Management System, which combines physical building access control with network access control;
Great Bay’s Beacon Endpoint, which addresses discovery, that is, locating, identifying and
inventorying all of the endpoints on the network; and Triumfant’s Resolution Manager, which
continuously monitors machine health and identifies, and potentially repairs, malware. Finally,
integrating TPM certificates for device authentication with products from companies like Wave
Systems enables a more trusted overall network security solution.
SEDs
Perhaps the easiest trusted computing solution to deploy is self-encrypting drives (SEDs): drives
with a built-in hardware encryption engine that encrypts every byte written to the drive. SEDs are
transparent to the user under normal circumstances. If you buy an SED off-the-shelf, it will work
with whatever system you have, because the encryption is always on inside the drive; what you gain
by managing it is the ability to lock the drive so that the key is released only to an authenticated
user. And there is an easy business justification for spending a little extra on an SED: with locking
enabled, a lost or stolen drive holds only ciphertext, which is an easy way to meet data-protection
compliance requirements for data-at-rest. As a side benefit, an SED costs you no performance compared
with software encryption, because the machine’s CPU is no longer responsible for encrypting or
decrypting data on every read and write.
If you get an SED that is compatible with the TCG’s Opal standard, you also get standardized,
flexible, easy-to-use management capabilities. You can use products from vendors like WinMagic
and Wave Systems to set up access control policies for your SED. Then it is straightforward to
manage the lifecycle of the data on your hard drive.
With a few quick instructions, you can turn on locking so that only someone with the correct
authentication credentials can unlock the drive and read the data (the data itself has been encrypted
since the drive left the factory; locking protects the key). Furthermore, if you want to securely
erase the data on your SED, it’s amazingly easy. With the appropriate password, you can tell the drive
to throw away the encryption key, and everything on the drive becomes unrecoverable in an instant,
with no lengthy overwrite pass. It has the effect of starting you over with a brand-new drive.
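The always-encrypted, lock-the-key, crypto-erase behaviour described above can be seen in this Python model of an Opal-style drive. It is an added example, not code from this paper or from any drive or management-software vendor: the “drive” is an in-memory object, the cipher is an HMAC-based keystream standing in for the drive’s AES engine (not a recommendation for real encryption), and the credential, sector number and sample data are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the drive's AES engine: an HMAC-SHA256 counter-mode keystream.
    Present only so the key-management behaviour is observable; not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class SelfEncryptingDrive:
    """Toy Opal-style SED: data is always encrypted under a media encryption key (MEK)
    that never leaves the controller; 'locking' only protects the MEK."""

    def __init__(self):
        self.mek: Optional[bytes] = os.urandom(32)   # generated at the factory
        self.sectors = {}                            # LBA -> ciphertext, always
        self.wrapped_mek: Optional[bytes] = None     # set once locking is enabled
        self.salt = b""
        self.check = b""

    def _kek(self, credential: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential, self.salt, 100_000)

    def enable_locking(self, credential: bytes) -> None:
        """Opal activation: wrap the MEK under a credential-derived key. No data is
        re-encrypted, so this is instantaneous regardless of drive size."""
        self.salt = os.urandom(16)
        self.wrapped_mek = keystream_xor(self._kek(credential), b"wrap", self.mek)
        self.check = hmac.new(self.mek, b"mek-check", hashlib.sha256).digest()

    def power_cycle(self) -> None:
        # The plaintext MEK lives only in the controller's volatile memory
        if self.wrapped_mek is not None:
            self.mek = None

    def unlock(self, credential: bytes) -> bool:
        if self.wrapped_mek is None:
            return True  # locking never enabled: anyone can read
        candidate = keystream_xor(self._kek(credential), b"wrap", self.wrapped_mek)
        expected = hmac.new(candidate, b"mek-check", hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.check):
            return False
        self.mek = candidate
        return True

    def write(self, lba: int, plaintext: bytes) -> None:
        if self.mek is None:
            raise PermissionError("drive is locked")
        self.sectors[lba] = keystream_xor(self.mek, lba.to_bytes(8, "big"), plaintext)

    def read(self, lba: int) -> bytes:
        if self.mek is None:
            raise PermissionError("drive is locked")
        return keystream_xor(self.mek, lba.to_bytes(8, "big"), self.sectors[lba])

    def raw_media(self, lba: int) -> bytes:
        """What someone sees by reading the platters or flash directly."""
        return self.sectors[lba]

    def crypto_erase(self, credential: bytes) -> None:
        """Opal revert: replace the MEK. Every sector becomes noise with no overwrite pass."""
        if not self.unlock(credential):
            raise PermissionError("authentication required before erase")
        self.mek = os.urandom(32)
        self.wrapped_mek, self.salt, self.check = None, b"", b""


def locked_read_fails(drive: SelfEncryptingDrive, lba: int) -> bool:
    try:
        drive.read(lba)
    except PermissionError:
        return True
    return False


def scenario() -> dict:
    drive = SelfEncryptingDrive()
    secret = b"Q3 payroll export, do not distribute"  # constructed sample data
    drive.write(7, secret)
    r = {"always_encrypted": drive.raw_media(7) != secret}  # true before locking is even on
    drive.enable_locking(b"correct horse battery staple")
    drive.power_cycle()
    r["locked_after_power_cycle"] = locked_read_fails(drive, 7)
    r["wrong_credential_rejected"] = drive.unlock(b"password1") is False
    r["right_credential_reads"] = drive.unlock(b"correct horse battery staple") and drive.read(7) == secret
    before = drive.raw_media(7)
    drive.crypto_erase(b"correct horse battery staple")
    r["media_untouched_by_erase"] = drive.raw_media(7) == before
    r["data_gone_after_erase"] = drive.read(7) != secret
    return r


if __name__ == "__main__":
    print(scenario())
```

Two things the model makes visible: enabling locking never touches the stored data, which is why it is instant on a full terabyte drive, and crypto erase leaves the ciphertext in place but unreadable, so an auditor asking “was the data overwritten?” is asking the wrong question for an SED; the right question is whether the old key is gone.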
As with TNC, the TPM can be added to provide additional security for SEDs. If unlocking the drive
requires a secret held by the machine’s TPM, the drive is bound to that machine: someone who pulls
the hard drive out of your machine and attaches it to another system can’t unlock it, because the
unlock secret lives in the original machine’s TPM and was never stored on the drive. Sealing that
secret to the machine’s boot measurements, as BitLocker does, additionally ensures it is released
only to an unmodified pre-boot environment, which makes local authentication more secure as well.
How DMI Can Help
DMI has years of experience in applied research and implementation of trusted computing in
the enterprise, working in particular with agencies in the Department of Defense to advance the
state of the art. DMI is a full-service cybersecurity solutions systems integrator and a contributing
member of the Trusted Computing Group (TCG). We bring to bear seasoned veterans who know
the cyber threat environment, advanced cybersecurity technologies and tools like those we’ve
highlighted in this paper, and who understand enterprise needs. We encourage our clients to
leverage DMI’s cybersecurity skills and trusted computing expertise to assist them in assessing
their security posture and to design, implement and deploy solutions that integrate with their
existing infrastructure. We also provide clear business rationale for trusted computing solutions,
and develop plans for how trusted computing can be used to improve security, reduce cost, and
increase compliance. DMI also manages our clients’ day-to-day IT security. DMI’s Trusted Security
Operations Center (SOC) solutions include 24x7 operational support and our more advanced
offerings leverage all of the trusted computing technologies discussed above.
Conclusion
The technologies described here are some of the byproducts of the pursuit of a vastly more secure
future. The promise of trusted computing is grand, far-reaching and will take a long time to be fully
realized, but the interim steps along the way that will lead to that future are ready to be leveraged.
The TPM provides hardware-based security on standard enterprise machines. TNC provides health
checks and flexible policies for network access control. SEDs provide strong access control and
simplified management of your data-at-rest. And other solutions are ready now or just around
the corner. Go take a look at what’s out there. You’ll be surprised at how many practical trusted
computing solutions there are for your enterprise today and coming soon for use tomorrow.