-
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1
How to Deploy Trusted Systems: "A Practical Guide"
Brian Berger, EVP Marketing & Sales, Wave Systems Corp.
TCG Director
www.trustedcomputinggroup.org
www.wave.com
-
The Problem
• Weak Authentication – "the password nightmare"
• Poor Machine Identity – who is really on my network?
• Phishing, Pharming, Spamming – malware in general
• Poor IT administration and control
• Over 93M records containing sensitive personal information were involved in security breaches between Feb 2005 and Sep 2006 – source: Privacy Rights Clearinghouse / Chronology of Data Breaches
• Department of Justice network crime prosecutions reveal that most attacks used stolen IDs and passwords; the average damage was more than $1.5 million per occurrence – source: study conducted by Trusted Strategies, LLC
• Laptop losses expose organizations to liability for personal records, valued at over $1000.00 per record
PC Security is a Mess
-
The Industry has Responded
PC Security is undergoing a Revolution
Introducing Trusted Computing Group Standards:
• A standards group of 170 members has defined the building blocks for security, and they are shipping
• Trusted Platform Module (TPM): a HARDWARE chip on the PC motherboard to protect keys and identities
• TPM is part of Microsoft Logo compliance for the Vista OS
• Multi-factor authentication built in
• Provides secure log-on for everyone
-
The Solution: A Trusted Computing Foundation
• Trusted Computing is:
– An open, vendor-neutral solution
– Interoperable across hardware vendors
– Significantly more efficient than existing security solutions
[Figure: a Trusted Computing Foundation underpinning Sarbanes-Oxley compliance, Network Security, Password Hassles, Machine Identity, VPN, and Tokens]
-
What is the Trusted Platform Module (TPM)?
• RSA crypto – key generation, signature, encrypt, decrypt
• Secure storage – private keys
• Integrity measurement – Platform Configuration Registers (PCR)
– A Core Root of Trust for Measurement (CRTM)
– Compromise detection
– Ties key use to an uncompromised environment
• Attestation – host-based integrity/membership reporting
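As an added illustration (not from the slide deck), the following Python simulates how a TPM 1.2 PCR is extended by a measured boot chain and how a key sealed to a PCR value is released only when the measured state matches. The boot components and the seal/unseal helpers are constructed stand-ins for the TPM's own operations, not real TPM commands.

```python
import hashlib

# Constructed model: a TPM 1.2 PCR is a 20-byte SHA-1 register that starts
# at all zeros and can only be changed by "extend":
#   PCR_new = SHA1(PCR_old || SHA1(measured_data))
PCR_INIT = bytes(20)

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One extend step: fold a 20-byte measurement into the register."""
    return hashlib.sha1(pcr + measurement).digest()

def measure_chain(components):
    """CRTM-style chain of trust: each stage hashes the next component and
    extends the PCR before handing control to it. Returns the final PCR."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, hashlib.sha1(blob).digest())
    return pcr

def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Simulated sealing: bind the secret to a PCR value. A real TPM would
    encrypt the secret under a TPM-resident key; here it is just recorded."""
    return {"secret": secret, "pcr": expected_pcr}

def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only if the platform is in the sealed-to state.
    A mismatch is the 'compromise detection' the slide refers to."""
    if blob["pcr"] != current_pcr:
        return None
    return blob["secret"]

# Constructed boot components (stand-ins for firmware, boot loader, kernel).
GOOD_CHAIN = [b"BIOS v1.0", b"bootloader v2.3", b"kernel 2.6.18"]
TAMPERED_CHAIN = [b"BIOS v1.0", b"bootloader v2.3 + rootkit", b"kernel 2.6.18"]

def demo():
    """Seal a (constructed) disk key to the good boot state, then try to
    unseal it from both the good and the tampered boot chain."""
    good_pcr = measure_chain(GOOD_CHAIN)
    blob = seal(b"disk-encryption-key", good_pcr)
    released_ok = unseal(blob, measure_chain(GOOD_CHAIN))
    released_bad = unseal(blob, measure_chain(TAMPERED_CHAIN))
    return released_ok, released_bad

if __name__ == "__main__":
    print(demo())
```

Because extend is a chained hash, the same components measured in a different order also yield a different PCR, so the register records the whole boot sequence, not just its contents.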
-
TCG: The “BIG” Picture
[Figure: TCG Standards span Applications (Software Stack, Operating Systems, Web Services, Authentication, Data Protection), Storage, Mobile Phones, Servers, Desktops & Notebooks, Security Hardware, Networking, and Printers & Hardcopy]
-
The PCs are shipping…
[Chart: Forecast of PC Shipments with TPM Chips, 2001-2009, in millions of units shipped, y-axis 0-250 (source: IDC July 2005)]
-
…so what can they do for me?
• Authentication – TPMs can harden the process of authenticating users to network assets (multi-factor authentication using a Common Access Card and/or PIN/password, and/or biometrics such as fingerprint)
• Network Security – Through the Trusted Network Connect (TNC) standard, TPM-enabled PCs can become trusted endpoints
– Authenticates the PC device to the network device
• Data Protection – File and folder encryption with hardware security (or without it, for legacy platforms that do not contain TPM chips today)
– Full Disk Encryption ("Trusted Drives")
• Client Security – Boot/Login/Smartcard/Biometric integration
– Password management
-
Strong Authentication Benefits
• Only authorized PCs on the network
• Multifactor authentication – an attacker must steal both the user's laptop and the PIN to gain access
• Supports biometrics as a PIN replacement
• Leverages industry-standard solutions for strong interoperability
• Offers dramatic cost savings and ROI vs. proprietary security solutions
• Supports WIN2k, WIN XP and WIN Vista with a common security model
-
The Analysts
-
Security Spending Variance By Size Of Company
October 2006, Best Practices “The State Of Information Security
Spending”
-
Security Spending Variance By Industry
October 2006, Best Practices “The State Of Information Security
Spending”
-
North American And European Security Spending Trends
2004-2006
October 2006, Best Practices “The State Of Information Security
Spending”
-
The Standards, Activities, and Useful Information
-
Market Status Update
• TPM PCs – approximately 20 million shipped; 50 million estimated for 2006, over 100M in 2007
– Most branded commercial notebook and desktop PCs have TPMs
• TPM servers available
• TPM manufacturers continue to emerge and drive efficiencies through integration and cost
• Trusted Network Connect (TNC) products shipping
• Use cases released for mobile & storage capabilities
– Storage proof-of-concept demonstration available
– Draft specification for Mobile Trust Module
• Applications available and shipping with PCs & servers
-
Trusted Drives
Key Features and Benefits
• Encrypts all data directly on the drive
• Encryption speed matches the throughput of the drive interface
• No disk initialization, installation, or configuration needed, for the highest convenience and ease of use and the lowest cost
• Drives that are stolen, repurposed, or taken out of service remain protected
• Simple user and security ID keys make end-of-life and re-purposing instantaneous and secure
• Supports Trusted Platform Module security
-
Trusted Network Connect (TNC)
• A subgroup of Trusted Computing Group
– TNC compatible products being developed and shipped today
– Over 75 member companies support TNC
• An Open, Non-Proprietary Architecture for Endpoint Integrity
and Access Control
– Enables the application and enforcement of security requirements for endpoints connecting to a network
– Interoperable interface specifications released
• A Suite of Standards to Ensure Interoperability
– Includes provisions for:
• Platform trust
• Collecting and measuring endpoint integrity indicators
• Requesting network access
• Communicating between clients and servers, and over network
technologies
-
TNC Architecture
[Figure: TNC architecture. Access Requestor: Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor, and Platform Trust Service (PTS) backed by the TSS, the TPM and an integrity log. Policy Enforcement Point (PEP). Policy Decision Point: Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority. Interfaces shown: IF-IMC, IF-IMV, IF-TNCCS, IF-T, IF-M, IF-PTS, IF-PEP; IMC/IMV and TNCC/TNCS are shown as peer relationships.]
-
TNC Architecture – Existing Support
[Figure: TNC roles mapped to existing products. Access Requestor = Endpoint (Supplicant/VPN Client, etc.); Policy Enforcement Point = Network Device (FW, Switch, Router, Gateway); Policy Decision Point = AAA Server (RADIUS, Diameter, IIS, etc.)]
-
Next Steps
• Make sure all your PC purchases have TPM 1.2
• Data at rest can be protected with secure drives
• Any mobile users should have TPMs, and all sensitive data access should leverage TPMs
• Wireless security is easily supported
• TNC – the NAC discussion can be rooted in hardware; just ask for it!
Industry-standard hardware security is here to help secure the network, endpoints, data and authentication requirements.
Turn it on!
Brian Berger, EVP Marketing & Sales, Wave Systems
[email protected]