How to Deploy Trusted Systems “A Practical Guide”

Transcript of How to Deploy Trusted Systems “A Practical Guide” (20 slides)

  • Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1

    How to Deploy Trusted Systems “A Practical Guide”

    Brian Berger, EVP Marketing & Sales, Wave Systems Corp. (www.wave.com)

    TCG Director (www.trustedcomputinggroup.org)

  • Slide #2

    The Problem

    • Weak Authentication – “the password nightmare”

    • Poor Machine identity – who is really on my network?

    • Phishing, Pharming, Spamming – Malware in general

    • Poor IT administration and control

    • Over 93M records containing sensitive personal information were involved in security breaches between Feb 2005 and Sep 2006 – source: Privacy Rights Clearinghouse / Chronology of Data Breaches

    • Department of Justice network crime prosecutions reveal that most attacks used stolen IDs and passwords; the average damage was more than $1.5 million per occurrence – source: study conducted by Trusted Strategies, LLC

    • Laptop losses: liability for personal records is valued at over $1000.00 per record for organizations.

    PC Security is a Mess

  • Slide #3

    The Industry has Responded

    PC Security is undergoing a Revolution

    Introducing Trusted Computing Group Standards:

    • A standards group of 170 members has defined the building blocks for security, and they are shipping

    • Trusted Platform Module (TPM): a HARDWARE chip on the PC motherboard to protect keys and identities

    • TPM is part of Microsoft Logo Compliance for Vista OS

    • Multi-factor authentication built-in

    • Provides secure log-on for everyone

  • Slide #4

    The Solution: A Trusted Computing Foundation

    • Trusted Computing is:

    – An open, vendor-neutral solution

    – Interoperable across hardware vendors

    – Significantly more efficient than existing security solutions

    [Diagram: the Trusted Computing foundation underlying Sarbanes-Oxley, Network Security, Password Hassles, Machine Identity, VPN and Tokens]

  • Slide #5

    What is the Trusted Platform Module (TPM)

    • RSA crypto – key generation, signature, encrypt, decrypt

    • Secure storage – private keys

    • Integrity measurement

    – Platform Configuration Registers (PCR)

    – A Core Root of Trust for Measurement (CRTM)

    – Compromise detection

    – Tie key use to an uncompromised environment

    • Attestation – host-based integrity/membership reporting
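    As an added example (not from the presentation or from TCG), the following Python models the integrity-measurement bullets above: a PCR extend chain replaying a measured boot, a verifier comparing the quoted value with a known-good value (compromise detection, the basis of attestation), and sealing a secret so it is released only in the measured environment. The boot components, the golden value and the seal/unseal model are constructed assumptions; on a real platform the TPM does the hashing and comparison in hardware.

```python
import hashlib
from typing import List, Optional, Tuple

# TPM 1.2 Platform Configuration Registers are 20-byte SHA-1 values, all zero at reset.
PCR_SIZE = 20


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 PCR extend: new PCR = SHA-1(old PCR || SHA-1(component)).
    A PCR can only be extended, never written, so its final value commits
    to every component measured and to the order in which they were measured."""
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Replay a measured-boot log (components in boot order, starting with
    what the CRTM measures) into a single PCR and return its final value."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def verify_attestation(quoted_pcr: bytes, golden_pcr: bytes) -> bool:
    """What a remote verifier does with a quoted PCR: compare it with the
    known-good ("golden") value recorded for an uncompromised platform."""
    return quoted_pcr == golden_pcr


def seal(secret: bytes, required_pcr: bytes) -> Tuple[bytes, bytes]:
    """Simplified model of TPM sealing: the secret is bound to a required PCR value."""
    return (required_pcr, secret)


def unseal(sealed: Tuple[bytes, bytes], current_pcr: bytes) -> Optional[bytes]:
    """The TPM releases a sealed secret only if the platform's current PCR
    matches the value it was sealed to, which is how key use is tied to an
    uncompromised environment. Returns None when the environment differs."""
    required_pcr, secret = sealed
    return secret if current_pcr == required_pcr else None


# Constructed sample boot chains (placeholders, not real firmware images).
GOOD_BOOT = [b"CRTM v1 (constructed)", b"BIOS image (constructed)", b"bootloader (constructed)"]
TAMPERED_BOOT = [b"CRTM v1 (constructed)", b"BIOS image (constructed)", b"bootloader (modified)"]

# Golden value: recorded once from a known-good platform and kept by the verifier.
GOLDEN_PCR = measure_boot(GOOD_BOOT)
```

    Because the chain is order-sensitive, a verifier needs the full measurement log, not just the final digest, to explain a mismatch.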

  • Slide #6

    TCG: The “BIG” Picture

    [Diagram: TCG Standards at the centre; Applications (Software Stack, Operating Systems, Web Services, Authentication, Data Protection); platform types: Storage, Mobile Phones, Servers, Desktops & Notebooks, Security Hardware, Networking, Printers & Hardcopy]

  • Slide #7

    The PCs are shipping…

    [Chart: Forecast of PC Shipments with TPM Chips, 2001 to 2009, in millions of units shipped (y-axis 0 to 250); source: IDC July 2005]

  • Slide #8

    …so what can they do for me?

    • Authentication – TPMs can harden the process of authenticating users to network assets (multi-factor authentication using Common Access Card and/or PIN/password, and/or biometrics such as fingerprint)

    • Network Security – Through the Trusted Network Connect (TNC) standard, TPM-enabled PCs can become trusted endpoints

    – Authenticates the PC device to the network device

    • Data Protection – File and folder encryption with hardware security; also available for legacy platforms that do not contain TPM chips today

    – Full Disk Encryption (“Trusted Drives”)

    • Client Security – Boot/login/smartcard/biometric integration

    – Password management

  • Slide #9

    Strong authentication Benefits

    • Only authorized PCs on the network

    • Multifactor authentication – an attacker must steal both the user's laptop and the PIN to gain access

    • Supports biometrics as a PIN replacement

    • Leverages industry standard solutions for strong interoperability

    • Offers dramatic cost savings and ROI vs proprietary security solutions

    • Supports Win2k, Win XP and Win Vista with a common security model

  • Slide #10

    The Analysts

  • Slide #11

    Security Spending Variance By Size Of Company

    October 2006, Best Practices “The State Of Information Security Spending”

  • Slide #12

    Security Spending Variance By Industry

    October 2006, Best Practices “The State Of Information Security Spending”

  • Slide #13

    North American And European Security Spending Trends 2004-2006

    October 2006, Best Practices “The State Of Information Security Spending”

  • Slide #14

    The Standards, Activities, Useful Information

  • Slide #15

    Market Status Update

    • TPM PCs – approximately 20 million shipped; 50 million estimated for 2006, over 100M in 2007

    – Most branded commercial notebook and desktop PCs have TPMs

    • TPM servers available

    • TPM manufacturers continue to emerge and drive efficiencies through integration and cost

    • Trusted Network Connect (TNC) Products shipping

    • Use cases released for mobile & storage capabilities

    – Storage proof of concept demonstration available

    – Draft specification for Mobile Trust Module

    • Applications available and shipping with PCs & Servers

  • Slide #16

    Trusted Drives

    Key Features and Benefits

    • Encrypts all data directly on the drive

    • Encryption speed matches the throughput of the drive interface

    • No disc initialization, installation, or configuration needed for the highest convenience and ease of use and lowest cost

    • Drives that are stolen, repurposed, or taken out of service remain protected

    • Simple user and security ID keys make end of life and re-purposing instantaneous and secure

    • Supports Trusted Platform Module security

  • Slide #17

    Trusted Network Connect (TNC)

    • A subgroup of Trusted Computing Group

    – TNC compatible products being developed and shipped today

    – Over 75 member companies support TNC

    • An open, non-proprietary architecture for endpoint integrity and access control

    – Enables the application and enforcement of security requirements for endpoints connecting to a network

    – Interoperable interface specifications released

    • A Suite of Standards to Ensure Interoperability

    – Includes provisions for:

    • Platform trust

    • Collecting and measuring endpoint integrity indicators

    • Requesting network access

    • Communicating between clients and servers, and over network technologies

  • Slide #18

    TNC Architecture

    [Diagram: TNC architecture]

    – Access Requestor: Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor; Platform Trust Service (PTS) over TSS, TPM and Integrity Log

    – Policy Decision Point: Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority

    – Policy Enforcement Point (PEP)

    – Peer relationships: IMC to IMV over IF-M; TNCC to TNCS over IF-TNCCS

    – Interfaces: IF-IMC, IF-IMV, IF-PTS, IF-T, IF-PEP

  • Slide #19

    TNC Architecture – Existing Support

    [Diagram: Access Requestor = Endpoint (supplicant/VPN client, etc.); Policy Enforcement Point = Network Device (FW, switch, router, gateway); Policy Decision Point = AAA Server (RADIUS, Diameter, IIS, etc.)]

  • Slide #20

    Next Steps

    • Make sure all your PC purchases have TPM 1.2

    • Data at rest can be protected with secure drives

    • All mobile users should have TPMs, and all sensitive data access should leverage TPMs

    • Wireless security is easily supported

    • TNC – the NAC discussion can be rooted in hardware; just ask for it!

    Industry-standard hardware security is here to help secure the network, endpoints, data and authentication requirements.

    Turn it on!

    Brian Berger, EVP Marketing & Sales, Wave Systems [email protected]