
Crypto chip: How the TPM bolsters enterprise security

Who's using the TPM and why? Drivers for using the TPM are very consistent across industries. For example, one financial services company has computed that the cost of lost data far exceeds the cost of losing a machine.

So that's an easy CFO decision to make. Then on the private side, the driver is often laws or regulations. For law firm clients, it's attorney/client privilege.

For others, it's complying with data privacy regulations. Or if you're a utility, it's really been about controlling access to competitive information and preventing losses. Finally, if you're a government agency, such as the National Security Agency (NSA), which utilises the TPM on its laptops, you simply cannot allow sensitive, confidential, or top secret information to be stored in unencrypted format, as numerous data-loss episodes at the Veterans Administration, Boeing, and other organisations have demonstrated.

How does a TPM work with hardware- and software-based full-disk encryption? Surveying data-at-rest options comes down to a conversation about software versus hardware approaches. Hardware-based approaches completely encrypt the data on the drive in minutes per machine, versus hours per machine in the software world.

Obviously, this has total cost of ownership and management implications. Also, with hardware there's no impact on machine performance, because the hardware handles the cryptography.

Remember that in an enterprise context, simply having full-disk encryption isn't sufficient. You also have to verify it's active, effective, and in the event the machine is lost or stolen, demonstrate that it complied with security policies.

Accordingly, by using Trusted Platform management software (for hardware FDE and TPMs), if an employee loses a laptop, the IT department can prove that all data on the drive was encrypted, and that the encryption couldn't have been deactivated. At that point, even if the lost or stolen data was confidential, regulated, or contained personally identifiable information, there's no data breach notification requirement.

Will a TPM alone fully encrypt a hard drive? No, the TPM enhances software-based encryption tools by speeding the encryption process and also securing archives with strong authentication.

In addition, the TPM works with any hard drive that has the ability to be fully encrypted, which means the fully encrypting drives now reaching the market, such as those from Seagate.

The TPM will also work with the forthcoming Intel chipset, codenamed Montevina, which will enable encryption with any type of software or hardware solution that supports TPM. Also going forward, TCG is creating standards for tape, flash and even optical disks with on-board hardware encryption.

Is a particular combination of encryption technology and TPM advocated? No, because different companies have different data protection requirements. Accordingly, the TPM isn't locked into any one approach. That means you can use the TPM to secure file and folder-level encryption, both on clients and within workgroups, all the way up to whole-disk encryption.

How can IT managers begin experimenting with the TPM? First, just try it out. For example, the Microsoft website has excellent instructions for how to enable BitLocker drive encryption. Several other TCG members have solutions that enable full-disk, directory and file-and-folder encryption solutions.

From there, the most efficient and effective way to adopt the TPM is to activate it, and add TPM tools to your enterprise client build. Another best practice: have end users set their own TPM password, and back this with security policies that mandate TPM use, plus an awareness campaign. This, by the way, is the approach used by the NSA.
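The two practical points above, proving that a lost laptop's drive was encrypted and protected by the TPM, and getting started by enabling BitLocker on a TPM-equipped client, can both be scripted on current Windows builds. The following is an added example written for this page, not code from the article or from any TCG member; it assumes the built-in TrustedPlatformModule and BitLocker PowerShell modules (Windows 8 / Server 2012 and later), an elevated session, and that the OS volume is the one being audited. The function and parameter names are this example's own.

```powershell
# Added example (not from the original article). Audits whether a Windows client
# meets a "TPM-backed full-disk encryption" policy and returns an object that can
# be exported as the audit record IT needs when a machine is lost or stolen.
# Assumes: elevated session; Get-Tpm and Get-BitLockerVolume available.
function Test-TpmFdeCompliance {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # e.g. "C:"
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The TPM must be present and ready (enabled, activated and owned).
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add("No TPM detected")
    } elseif (-not $tpm.TpmReady) {
        $findings.Add("TPM present but not ready; enable it in firmware or run Initialize-Tpm")
    }

    # 2. BitLocker must be on and the volume fully encrypted, not still converting.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is $($vol.ProtectionStatus) on $MountPoint")
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)")
    }

    # 3. The volume key must be sealed to the TPM (Tpm, TpmPin, TpmStartupKey, ...),
    #    otherwise a password-only protector would let the policy be bypassed.
    $tpmProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    if (-not $tpmProtectors) {
        $findings.Add("No TPM-based key protector on $MountPoint")
    }

    # 4. A recovery password should exist (and be escrowed in AD / MDM) so that
    #    IT, not just the end user, can recover the data when the TPM is replaced.
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        $findings.Add("No recovery password protector; add and escrow one before enforcing the policy")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MountPoint   = $MountPoint
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
        CheckedAt    = (Get-Date).ToString('o')
    }
}

# Added example: the "just try it out" step from the text, sealing the OS volume
# key to the TPM after first creating a recovery password that can be escrowed.
function Enable-TpmBitLocker {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = $env:SystemDrive)

    if ($PSCmdlet.ShouldProcess($MountPoint, "Enable TPM-protected BitLocker")) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest
    }
}

# Usage (run elevated): audit first; enable only on machines that fail.
$report = Test-TpmFdeCompliance
$report | Format-List
if (-not $report.Compliant) {
    # Remove -WhatIf once the change has been reviewed.
    Enable-TpmBitLocker -WhatIf
}
```

Running the audit function on a schedule and exporting its output (for example with `Export-Csv` or `ConvertTo-Json`) gives the evidence trail the article describes: for any machine that later goes missing, the last record shows that protection was on, the volume was fully encrypted, and the key was sealed to the TPM rather than held by a password the user could disable.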

file encryption


Posted on 2008-Jul-10 at 12:26