Why is corporate adoption of the trusted computing standard still very low when over 70% of new computing devices have built-in trusted platform modules (TPMs)?
From a security manager's perspective, the Trusted Platform Standard and modules offer the ability to do some remarkable things, technically enforcing the application of encryption, copyright licensing, policies on the use of unauthorised software and the like, writes Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director at (ISC)2. Some modules even allow the administrator to monitor what individuals are doing on their PCs, what data is being accessed and where it is going.
But as with all elements of good security practice, it never comes down to the technology alone. There is significant opposition to the application of the Trusted Computing Standard. Users do not like control being imposed on their PCs, particularly if they do not have a good appreciation for why the controls are in place. Any IT department implementing this standard today must be prepared for the barrage of complaints from people who are used to having more freedom.
There are also concerns about the monitoring capabilities, with arguments about the right to privacy and anonymity. Monitoring places a significant amount of power into the hands of the administrators, who could be tempted to abuse it. This is another issue to be addressed that has nothing to do with the technology. You also have to trust the manufacturer of the TCM chip. Once keyed at the factory, changes cannot be made.
Finally, implementing the modules requires skill. It is not as simple as enabling an option. Administrators applying these controls incorrectly risk putting their machines and ultimately their entire network at risk. If a mistake is made, it can be hard to undo, as the modules operate at both the software and the hardware level. Upgrades become more complex because licences are bound to the original machine, while some issues of interoperability are hampering acceptance.
Over time, I have confidence that the benefits of the Trusted Computing Initiative will be hard to argue against for many environments; the skills will develop, checks and balances can avoid abuse, and users' perception will undergo an adjustment as security awareness and corporate resolve develop. As is the case with everything in security, its use will be a judgement call based on an analysis of risks and rewards, and all of the costs.