How to improve pharmaceutical data management with the TCG TPM

This article analyses various ways in which the Trusted Computing Group's Trusted Platform Module (TPM) could be used to enhance data security for pharmaceutical companies.

Modern globalised businesses need to be as cost-effective as possible to compete, and that normally entails outsourcing non-core functions and working with specialised business partners. It also means those businesses have to share more information with partners, which in turn creates potential for data leakage or data theft.

Ideally, organisations should be sure that their valuable data is not being copied, processed, transferred or stored in locations without their consent. But, at present, most businesses would find it difficult, if not impossible, to validate the computer processing environments of their partner organisations on a regular basis, and therefore must accept the partner's assurances that their data is secure, along with the accompanying risk.

One technical solution to the problem has been advanced by the Trusted Computing Group, an industry standards body backed by some of the world's most powerful technology companies, including Hewlett-Packard Co., Microsoft and Intel Corp. The group proposes that a hardware component called the Trusted Platform Module (TPM) be included on the motherboard of a computer, which could offer built-in protection and also provide evidence of trustworthiness to any other computing environment connecting to it.

In their article "Data sharing using the Trusted Platform Module", Stephen Khan and John Austen consider how the TPM could be used in the pharmaceutical industry, which often needs to share extremely valuable and sensitive data with partner organisations, and which could benefit greatly from the approach.

They describe how the TCG TPM operates, and also provide some background on the growing threat of organised crime that uses the Internet and corrupt employees to steal pharmaceutical information.

They suggest ways in which the TPM could be implemented to aid secure pharmaceutical data management, and they also identify several barriers that need to be overcome before such secure management via TPM can become a reality. These include the potential cost of the endeavour, and the fact that TPMs are currently restricted to client PCs rather than servers, where most valuable information is stored.

About the authors:
Stephen Khan has extensive information security experience within large-scale mission-critical business environments, having held a number of information security roles. His current research interest is in cloud security focusing on what it means for a global enterprise in terms of risks, privacy, compliance and how the cloud changes overall enterprise security architecture.

John Austen is the course director for the Royal Holloway Diploma in Information Security. He was head of the Computer Crime Unit, New Scotland Yard, until September 1996. He was a career detective for 30 years, investigating the first major UK computer crime in 1976 and founding the Computer Crime Unit in 1984, the first of its type in the world.

The article is based on a thesis written in the Information Security Group at Royal Holloway University of London. It is one of nine that is publishing exclusively in 2010 as part of its close collaboration with RHUL, which is in its third year.
