How to Deploy Trusted Systems: “A Practical Guide”
Transcript of How to Deploy Trusted Systems “A Practical Guide”
-
Copyright © 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners.
How to Deploy Trusted Systems: “A Practical Guide”
Brian Berger, EVP Marketing & Sales, Wave Systems Corp. (www.wave.com)
TCG Director (www.trustedcomputinggroup.org)
-
The Problem
• Weak Authentication – “the password nightmare”
• Poor Machine identity – who is really on my network?
• Phishing, Pharming, Spamming – Malware in general
• Poor IT administration and control
• Over 93M records containing sensitive personal information were involved in security breaches between Feb 2005 and Sep 2006 – source: Privacy Rights Clearinghouse / Chronology of Data Breaches
• Department of Justice network crime prosecutions reveal that most attacks used stolen IDs and passwords; the average damage was more than $1.5 million per occurrence – source: study conducted by Trusted Strategies, LLC
• Laptop losses and liability for personal records: organizations face liability valued at over $1000.00 per record.
PC Security is a Mess
-
The Industry has Responded
PC Security is undergoing a Revolution
Introducing Trusted Computing Group Standards:
• Standards Group of 170 Members has defined the building blocks for security and they are shipping
• Trusted Platform Module (TPM) HARDWARE Chip on the PC motherboard to protect Keys and Identities
• TPM is part of Microsoft Logo Compliance for Vista OS
• Multi-factor authentication built-in
• Provides secure log-on for everyone
-
The Solution: A Trusted Computing Foundation
• Trusted Computing is:
– An Open, Vendor Neutral solution
– Interoperable across hardware vendors
– Significantly more efficient than existing security solutions
Diagram: a Trusted Computing foundation addressing Sarbanes-Oxley, Network Security, Password Hassles, Machine Identity and VPN Tokens.
-
What is the Trusted Platform Module (TPM)?
• RSA crypto – key generation, signature, encrypt, decrypt
• Secure storage – private keys
• Integrity measurement
– Platform Configuration Registers (PCR)
– A Core Root of Trust for Measurement (CRTM)
– Compromise detection
– Tie key use to an uncompromised environment
• Attestation – host-based integrity/membership reporting
-
TCG: The “BIG” Picture
Diagram: TCG Standards span the Applications layer (Software Stack, Operating Systems, Web Services, Authentication, Data Protection) and the platform types Storage, Mobile Phones, Servers, Desktops & Notebooks, Security Hardware, Networking, and Printers & Hardcopy.
-
The PCs are shipping…
Chart: Forecast of PC Shipments with TPM Chips, 2001-2009, in millions of units shipped, vertical axis 0 to 250 (source: IDC, July 2005).
-
…so what can they do for me?
• Authentication
– TPMs can harden the process of authenticating users to network assets (multi-factor authentication using a Common Access Card and/or PIN/password, and/or biometrics such as a fingerprint)
• Network Security
– Through the Trusted Network Connect (TNC) standard, TPM-enabled PCs can become trusted endpoints
– Authenticates the PC device to the network device
• Data Protection
– File and folder encryption with hardware security, or for legacy platforms that do not contain TPM chips today
– Full Disk Encryption (“Trusted Drives”)
• Client Security
– Boot/Login/Smartcard/Biometric integration
– Password management
-
Strong Authentication Benefits
• Only authorized PCs on the network
• Multifactor authentication – an attacker must steal both the user's laptop and the PIN to gain access
• Supports biometrics as a PIN replacement
• Leverages industry standard solutions for strong interoperability
• Offers dramatic cost savings and ROI vs. proprietary security solutions
• Supports Win2k, Win XP and Win Vista with a common security model.
-
The Analysts
-
Security Spending Variance By Size Of Company
October 2006, Best Practices “The State Of Information Security Spending”
-
Security Spending Variance By Industry
October 2006, Best Practices “The State Of Information Security Spending”
-
North American And European Security Spending Trends 2004-2006
October 2006, Best Practices “The State Of Information Security Spending”
-
The Standards: Activities and Useful Information
-
Market Status Update
• TPM PCs – approximately 20 Million shipped; 50 Million estimated for 2006, over 100M in 2007.
– Most branded commercial notebook and desktop PCs have TPMs
• TPM servers available
• TPM manufacturers continue to emerge and drive efficiencies through integration and cost
• Trusted Network Connect (TNC) Products shipping
• Use cases released for mobile & storage capabilities
– Storage proof of concept demonstration available
– Draft specification for Mobile Trust Module
• Applications available and shipping with PCs & Servers
-
Trusted Drives
Key Features and Benefits
• Encrypts all data directly on the drive
• Encryption speed matches the throughput of the drive interface
• No disc initialization, installation, or configuration needed for the highest convenience and ease of use and lowest cost
• Drives that are stolen, repurposed, or taken out of service remain protected
• Simple user and security ID keys make end of life and re-purposing instantaneous and secure
• Supports Trusted Platform Module security
-
Trusted Network Connect (TNC)
• A subgroup of Trusted Computing Group
– TNC compatible products being developed and shipped today
– Over 75 member companies support TNC
• An Open, Non-Proprietary Architecture for Endpoint Integrity and Access Control
– Enables the application and enforcement of security requirements for endpoints connecting to a network
– Interoperable interface specifications released
• A Suite of Standards to Ensure Interoperability
– Includes provisions for:
• Platform trust
• Collecting and measuring endpoint integrity indicators
• Requesting network access
• Communicating between clients and servers, and over network technologies
-
TNC Architecture
Diagram: three roles, left to right. The Access Requestor holds the Integrity Measurement Collectors (IMC), the TNC Client (TNCC), the Network Access Requestor and the Platform Trust Service (PTS), which sits on the TSS, the TPM and the integrity log. The Policy Enforcement Point (PEP) sits in the middle. The Policy Decision Point holds the Integrity Measurement Verifiers (IMV), the TNC Server (TNCS) and the Network Access Authority. Interfaces: IF-IMC (IMC to TNCC), IF-IMV (IMV to TNCS), IF-M (IMC to IMV peer relationship), IF-TNCCS (TNCC to TNCS peer relationship), IF-T (Network Access Requestor to Network Access Authority), IF-PEP (PEP to Policy Decision Point) and IF-PTS (to the Platform Trust Service).
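The integrity measurement and attestation items on the TPM slide and the collector/verifier roles in the TNC architecture above, as an added example written for this transcript (not code from TCG or any TNC product): the platform extends a PCR the way a TPM 1.2 does (SHA-1 over the old value and the new measurement) while keeping an integrity log, and the verifier side replays that log against the attested PCR and a known-good policy before reaching a network access decision. The component names, their hashes and the allow/isolate/deny outcomes are constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# TPM 1.2 PCRs are 20-byte SHA-1 registers, all zeros after platform reset.
PCR_INIT = bytes(20)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-1(PCR_old || measurement).
    Order matters and nothing can be 'un-extended', so the register is
    tamper-evident: any changed or reordered component changes the result."""
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot(components: List[Tuple[str, bytes]]):
    """Platform side (CRTM role): hash each component before handing it
    control, extend the PCR and append the entry to the integrity log."""
    pcr, log = PCR_INIT, []
    for name, code in components:
        digest = hashlib.sha1(code).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def verify(reported_pcr: bytes, log, known_good: Dict[str, bytes]) -> str:
    """Verifier side (an IMV behind the TNC server): replay the log and
    confirm it reproduces the attested PCR, then check every entry against
    the policy's known-good hashes. Returns the decision handed to the PEP."""
    replay = PCR_INIT
    for _, digest in log:
        replay = pcr_extend(replay, digest)
    if replay != reported_pcr:
        return "deny"        # log does not match the attested register
    for name, digest in log:
        if known_good.get(name) != digest:
            return "isolate"  # unknown or modified component
    return "allow"


# Constructed sample: three boot components and a policy of their known hashes.
GOOD = [("bios", b"bios-1.0"), ("bootloader", b"grub-ok"), ("kernel", b"vmlinuz-ok")]
POLICY = {name: hashlib.sha1(code).digest() for name, code in GOOD}

if __name__ == "__main__":
    pcr, log = measure_boot(GOOD)
    print("clean boot:", verify(pcr, log, POLICY))
    bad_pcr, bad_log = measure_boot(GOOD[:2] + [("kernel", b"vmlinuz-rootkit")])
    print("modified kernel:", verify(bad_pcr, bad_log, POLICY))
    print("forged log:", verify(bad_pcr, log, POLICY))  # clean log, tampered PCR
```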
-
TNC Architecture – Existing Support
Diagram: Access Requestor = Endpoint (Supplicant/VPN Client, etc.); Policy Enforcement Point = Network Device (FW, Switch, Router, Gateway); Policy Decision Point = AAA Server (RADIUS, Diameter, IIS, etc.).
-
Next Steps
• Make sure all your purchases of PCs have TPM 1.2
• Data at rest can be solved with secure drives
• Any Mobile users should have TPMs and all sensitive data access should leverage TPMs
• Wireless security is easily supported
• TNC – The NAC discussion can be rooted in Hardware, just ask for it!
Industry standard hardware security is here to help secure the network, endpoints, data and authentication requirements.
Turn it on!
Brian Berger, EVP Marketing & Sales, Wave Systems, [email protected]