Enterprise finally embraces TPM-based security

Enterprises are finally embracing TPM-based security systems, but why has it taken so long?

Enterprises are finally embracing security systems based on trusted platform module (TPM) chips built into computing devices, but why has it taken so long?

Since 2006, many computing devices have included TPM chips, but enterprises have been slow to embrace the technology in their information security strategies.

However, in 2012 the Trusted Computing Group (TCG), which published the TPM specification, claimed the technology had reached tipping point.

Steven Sprague, a founding member of the TCG, told Computer Weekly the claim was backed up by the fact that the number of PCs with TPM chips had crossed the 600 million mark.

He predicted further expansion of TPM use in Windows 8 would also drive the first mainstream adoption of TPM and a much broader spectrum of use.

This prediction has proven to be correct, according to Bill Solms, who succeeded Sprague as chief executive of Wave Systems in October 2013.

“The TPM’s time has come,” Solms told Computer Weekly, driven by the fact that individuals and companies are now far more aware of the need to defend against cyber threats and that mature TPM-based technologies are available to help address that need.

“There is a much greater awareness and understanding at a much broader level of cyber threats among business professionals and the general public than there was just two years ago,” he said.

In that time, Solms said, cyber threats have gone from being an IT security issue to a business issue, with high-profile data breaches in recent months contributing to an “acute awareness” in many organisations.

“This has put cyber security on the agenda of the board of directors who want to know what their information security teams are doing to ensure they are not the victim of the next breach,” he said.

Solms admitted this has boosted interest in TPM-based systems, but said companies are far more interested in what such systems can do to secure the enterprise than in the underlying technology.

This in turn has prompted a change in the go-to-market strategy at Wave Systems. Rather than trying to educate customers about TPMs, the company is focusing on solving specific security problems.

“Based on my experience at Microsoft and Oracle, it is vital to ensure you understand the customers’ needs and present the combination of products and services that solves that problem.

“Adoption of TPM systems is being driven by use cases such as TPM-based virtual smart cards that can protect companies from attackers using stolen credentials from accessing their systems,” he said.

Because TPM-based systems combine user credentials with the device ID, user credentials will not work if they are used from an unknown computing device.

“Stolen credentials are useless to attackers because they do not have access to the device or devices that have been associated with the credentials,” said Solms.

“Virtual smart cards are there to provide strong authentication which means it is extremely difficult for attackers to impersonate legitimate users even if attackers are inside corporate systems,” he said.

Wave Systems, which considers itself on the cutting edge of TPM management systems, invested early on in its TPM-based virtual smart card system that works with Windows 7, 8 and 8.1.

“By using the TPM chip in computing devices, virtual smartcards offer the same additional security as physical tokens but at a 50% to 75% lower cost because they cannot be stolen or lost,” said Solms.

Much of the savings come from the fact that most large companies expect to replace about a third of their physical smartcards or tokens every year.

“Virtual smartcards also work with applications and access controls that have been set up to work with physical smartcards, therefore no re-engineering is required,” he said.

The benefit of using TPM-based smartcards is that, once authenticated to the TPM in the computing device, users can access all applications and systems using biometric systems such as fingerprint scanners.

What if employees use more than one device or cannot use their main device? Although the authentication relies on the TPM of a specific device, the Wave Systems virtual smartcard allows users to associate more than one device with their identity.

In office situations where a single device may be used by several employees, the system also allows multiple identities to be associated with a single device.

“And if a user’s device fails or is lost or stolen, setting up access from a new device can be done quickly and easily by system administrators,” said Solms.
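The device binding Solms describes, modelled as an added example that is not part of the original article and is not Wave Systems' or Microsoft's code: a software stand-in for the chip (`SimulatedTPM`, a hypothetical name) generates an Ed25519 key that never leaves it, and a server (`AuthServer`, also hypothetical) accepts a login only when the password is correct and a fresh challenge has been signed by a device enrolled for that identity. The same model covers the points made above: several devices per user, several users on one shared device, and revocation of a lost device so that only a newly enrolled one works. All users, passwords and device IDs are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

var (
	ErrBadPassword   = errors.New("password mismatch")
	ErrUnknownDevice = errors.New("device not associated with this identity")
	ErrBadChallenge  = errors.New("challenge unknown or already used")
	ErrBadSignature  = errors.New("device signature invalid")
)

// SimulatedTPM stands in for the chip (constructed for this example): the key pair is generated inside and the private half is never handed out.
type SimulatedTPM struct {
	DeviceID string
	priv     ed25519.PrivateKey
}

func NewSimulatedTPM(deviceID string) *SimulatedTPM {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the system CSPRNG failing is not recoverable here
	}
	return &SimulatedTPM{DeviceID: deviceID, priv: priv}
}

func (t *SimulatedTPM) PublicKey() ed25519.PublicKey { return t.priv.Public().(ed25519.PublicKey) }

// Sign is the only private-key operation the "chip" exposes.
func (t *SimulatedTPM) Sign(msg []byte) []byte { return ed25519.Sign(t.priv, msg) }

// AuthServer keeps password hashes, the device keys enrolled per identity and the challenges issued but not yet answered.
type AuthServer struct {
	passwords map[string][sha256.Size]byte
	devices   map[string]map[string]ed25519.PublicKey // user -> deviceID -> key
	pending   map[string]bool                         // nonce -> outstanding
}

func NewAuthServer() *AuthServer {
	return &AuthServer{map[string][sha256.Size]byte{}, map[string]map[string]ed25519.PublicKey{}, map[string]bool{}}
}

// RegisterUser stores SHA-256(password) to stay dependency-free; a real deployment would use a slow password hash.
func (s *AuthServer) RegisterUser(user, password string) {
	s.passwords[user] = sha256.Sum256([]byte(password))
}

// EnrollDevice is the administrator step tying a device key to an identity; users may have several devices and a device several users.
func (s *AuthServer) EnrollDevice(user, deviceID string, pub ed25519.PublicKey) {
	if s.devices[user] == nil {
		s.devices[user] = map[string]ed25519.PublicKey{}
	}
	s.devices[user][deviceID] = pub
}

// RevokeDevice drops a lost or stolen device from an identity.
func (s *AuthServer) RevokeDevice(user, deviceID string) { delete(s.devices[user], deviceID) }

// Challenge issues a single-use random nonce for the device to sign.
func (s *AuthServer) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read is documented never to return an error in current Go
	s.pending[string(nonce)] = true
	return nonce
}

// AuthMessage binds a signature to the challenge, the claimed identity and the claimed device.
func AuthMessage(challenge []byte, user, deviceID string) []byte {
	return []byte(string(challenge) + "|" + user + "|" + deviceID)
}

// Authenticate demands both factors: the password and a signature over a live challenge from a device enrolled for that user.
func (s *AuthServer) Authenticate(user, password, deviceID string, challenge, sig []byte) error {
	if !s.pending[string(challenge)] {
		return ErrBadChallenge
	}
	delete(s.pending, string(challenge)) // consumed, so a captured exchange cannot be replayed
	stored, ok := s.passwords[user]
	got := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(stored[:], got[:]) != 1 {
		return ErrBadPassword
	}
	pub, ok := s.devices[user][deviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !ed25519.Verify(pub, AuthMessage(challenge, user, deviceID), sig) {
		return ErrBadSignature
	}
	return nil
}

// Login runs one challenge-response round from the client side.
func Login(s *AuthServer, tpm *SimulatedTPM, user, password string) error {
	ch := s.Challenge()
	return s.Authenticate(user, password, tpm.DeviceID, ch, tpm.Sign(AuthMessage(ch, user, tpm.DeviceID)))
}
```

Run a round as `Login(server, tpm, user, password)`: a password stolen from one user fails from any device the administrator has not enrolled for that user, and a device that merely claims an enrolled device's ID without holding its key fails the signature check. Windows virtual smart cards use TPM-held RSA keys and certificate-based logon rather than this Ed25519 challenge-response, so the model shows the principle the article describes, not the product.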

TPM-based technology is well established, he said, and gaining traction due to a greater desire to protect IT endpoints, even though companies are not necessarily aware of the underlying technology.

But at the same time, Solms said awareness of TPM-based systems is growing because of the greater TPM support provided by Microsoft and other suppliers.

“For all these reasons the moment has come for TPM-based technologies, and I believe they are now perfectly positioned to make a big jump in adoption,” he said.

Given the growing demand for security at all levels, including the endpoint, the widening deployment of TPM-enabled devices, increased support in Windows 8 and 8.1, and the fact that TPM is a security requirement for new kit for the US government and US Department of Defense, it could be argued that TPM is coming of age and will now develop into maturity after being a nascent technology for so long.
