
Upload: dmimarketing

Post on 24-May-2015


INNOVATIVE START TOWARD A SECURE, TRUSTWORTHY ENTERPRISE WHITE PAPER

INNOVATIVE START ON THE PATH TO A MORE SECURE, TRUSTWORTHY ENTERPRISE

Practical Trusted Computing Solutions You Can Deploy Today

How can you defend against the onslaught of attacks on your computers and networks? How can you be sure your critical data is safe? Malware and software-based attacks are a grave threat that traditional defenses can no longer counter. But trusted computing technologies can change the game, offering enterprise IT managers confidence that their computers and networks are running the software they expect and behaving as intended. Trusted computing solutions earn that trust by building security in from the ground up. Trusted systems start with a hardware-based “root of trust”, such as the Trusted Platform Module (TPM), whose state cannot be altered by software running on the host, and build on it to verify the software that is running on the machine.


While trusted computing is widely understood to theoretically provide new and powerful foundational security capabilities, the full promise of trusted computing has not yet been realized. Computers and networks remain vulnerable, and the vision of using the TPM to measure everything running on your systems and protect access to your critical data and resources is not yet a reality.

So, should we wait for trusted computing to be able to do everything before beginning to use it? Of course not. Trusted computing can address several common cybersecurity challenges that your organization faces right now. As the grand vision is being worked on, many trusted computing technologies have sprung up to advance everyday security.

The hardware foundations for trusted computing are already widely available. The TPM has shipped on about half a billion systems and continues to ship in large quantities. Intel and AMD are building complementary technologies into their chipsets to make better use of the TPM and to improve virtualization security. Microsoft recently revealed some details about how the TPM and other trusted computing technologies will be used more fully in Windows 8 than in any previous Windows release. Self-encrypting drives (SEDs), particularly those based on the Trusted Computing Group (TCG)’s Opal standard, are now widely available. And many more solutions that combine biometrics, smart cards and TPMs are appearing all the time.


The Emergence of the Extended Enterprise Operations Center (EEOC)

Before we examine specific solutions, let’s define the characteristics of a solution that would be worth deploying:

First, the solution must provide a real security benefit today. If it doesn’t do that, what’s the point?

Next, it has to fit into the enterprise infrastructure. A great technology is only useful if it can be used in a way that allows it to fit in with all the rest of the solutions we need and already use.

Any solution also has to be economical. It’s difficult to measure the return on investment (ROI) on a security technology, because you are usually measuring by trying to quantify the value of ensuring some unknown future bad thing doesn’t happen. So, the price has to be right and the benefit has to be tangible.

Lastly, of course, any solution we’re interested in has to be easy to use or it might not get used at all.

There are, in fact, a number of practical trusted computing solutions available today that meet the above criteria. These include solutions that provide secure network access control, trusted configuration management, data-at-rest protection, machine identification, real-time health checks and more. Three key solution areas in particular are worth exploring in more depth: local protection of keys using the TPM, secure network management and health checking using Trusted Network Connect (TNC) and encryption of your data-at-rest using SEDs or hardened software solutions.


TPM

Let’s start with the TPM. You almost certainly already have TPMs on your enterprise machines, even if you don’t know it. While the infrastructure is not yet in place to use the TPM to enforce comprehensive security policies based on measurements of your software, the TPM does provide a convenient place to protect critical secrets on your platform: a key created in or wrapped by the TPM can be used on that machine but cannot be read out of it.

The most widely used solution that leverages the TPM is Microsoft’s BitLocker drive encryption. BitLocker comes standard on certain editions of Windows Vista and Windows 7 and will be available with the new Windows 8. BitLocker seals its volume key to the TPM: as the machine boots, the firmware and pre-boot software are measured into the TPM’s platform configuration registers (PCRs), and the TPM releases the key only if those measurements match the values the key was sealed to and, if the machine is configured for it, the user enters the correct PIN. A modified pre-OS component, such as a boot manager with a rootkit in it, produces different measurements, so the key stays locked and BitLocker falls back to asking for the recovery key. And if you’ve lost your machine, an attacker can’t just boot their favorite OS and read your data, because the key is never released outside the measured boot path. For portable machines, prefer the TPM-plus-PIN configuration: TPM-only mode stops boot-chain tampering but still boots the unmodified system to the logon screen for anyone holding the laptop.
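To make the measurement check concrete, here is an added example (not BitLocker’s or Microsoft’s code) that replays a measured-boot event log through the TPM’s PCR extend operation and releases a sealed key only when the replayed PCR matches the value the key was sealed to. The boot components, their contents and the sealed key are constructed stand-ins, and the unseal function is a software stand-in for the TPM’s PCR policy check.

```python
import hashlib
import hmac

# Added illustration (not BitLocker's or Microsoft's code) of the check a TPM makes
# before releasing a sealed key: replay a measured-boot log through the PCR extend
# operation and compare the result with the value the key was sealed to.
# The boot components, their contents and the "sealed key" are constructed data.

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new_pcr = H(old_pcr || digest).

    A PCR can only be extended, never written directly, so its final value
    depends on every measurement and on the order in which they were made.
    """
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log) -> bytes:
    """Recompute a PCR from an ordered event log of (component_name, component_bytes)."""
    pcr = b"\x00" * PCR_SIZE
    for _, blob in event_log:
        pcr = extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def first_divergence(golden_log, observed_log):
    """Return (index, component_name) of the first measurement that differs from
    the golden log, or None if the logs match. When an unseal fails this tells
    you which pre-boot component changed (firmware update, new boot manager,
    or tampering)."""
    for i, (golden, observed) in enumerate(zip(golden_log, observed_log)):
        if golden != observed:
            return i, observed[0]
    if len(golden_log) != len(observed_log):
        return min(len(golden_log), len(observed_log)), "missing or extra measurement"
    return None


# Constructed stand-ins for the firmware, boot manager and OS loader that a
# measured boot records before BitLocker asks the TPM for its key.
GOLDEN_BOOT = [
    ("firmware", b"constructed UEFI firmware image 1.0"),
    ("bootmgr", b"constructed Windows Boot Manager"),
    ("winload", b"constructed winload.exe"),
]
EXPECTED_PCR = replay(GOLDEN_BOOT)
SEALED_VOLUME_KEY = b"constructed-volume-master-key"


def unseal(observed_log, sealed_key: bytes = SEALED_VOLUME_KEY):
    """Stand-in for a TPM unseal under a PCR policy: return the key only when the
    PCR replayed from the observed boot equals the sealed-to value, else None
    (a real TPM reports a policy failure and BitLocker prompts for the recovery key)."""
    if hmac.compare_digest(replay(observed_log), EXPECTED_PCR):
        return sealed_key
    return None


if __name__ == "__main__":
    tampered = list(GOLDEN_BOOT)
    tampered[1] = ("bootmgr", b"constructed Windows Boot Manager + bootkit")
    print("clean boot releases key:", unseal(GOLDEN_BOOT) is not None)
    print("tampered boot releases key:", unseal(tampered) is not None)
    print("changed component:", first_divergence(GOLDEN_BOOT, tampered))
```

Two properties the run shows: the extend chain makes the final PCR depend on every component and on their order, so swapping two unmodified components fails the check just as a bootkit does; and because the verifier keeps the golden event log, it can name the component that changed, which is what you need to tell a legitimate firmware update from tampering.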

It’s also easy to use the TPM to protect your VPN keys and other user-authentication credentials. Software from companies like Wave Systems and Infineon, much of which ships in the standard software bundles on commercial PCs, lets you keep the keys for many commercially available security products in the TPM without modifying those products: the private key is generated in, or wrapped by, the TPM and is only ever used there, so malware cannot copy it off the machine. Be clear about what this does and does not buy you. The key can no longer be stolen, but malware running on the machine while the key is loaded can still ask the TPM to use it, so TPM key protection complements endpoint health checks rather than replacing them.

And while commercial solutions for using the TPM for “machine identity” aren’t mainstream yet, you should be on the lookout for them soon. Technically viable solutions are available now, but machine identity has not yet become common enterprise security parlance. When you authenticate to your network over a VPN, for instance, you prove that you know a user password and perhaps that you have the right VPN key on your machine, but you don’t prove which machine you are connecting from. Because malware can steal both passwords and software-stored keys, an attacker can reuse them from a different machine without detection. If you add a network access policy that also requires the machine to identify itself with a key that lives in its TPM and cannot be copied, you’ve created another barrier: the attacker can’t get onto your network from a machine that isn’t already known to it.


TNC

Trusted Network Connect provides a framework for enforcing your own security policies for access to your networks. In earlier network access control solutions, endpoint health was checked only when the endpoint asked to join the network. With TNC, health checks can be repeated continuously, so the network can respond dynamically to changes in endpoint status or in its own requirements. The interesting thing about the name TNC is that there is nothing inherently trusted about the protocol; it just provides a common framework for security checks on client machines. The trusted part comes in when you add the TPM or some other check that gives you assurance about the machines that are connecting, rather than relying solely on what an endpoint’s own software reports about itself.

But the fact that you don’t have to use TPM or any other specific technology is one of the big reasons why you should use TNC. TNC allows you to leverage the security benefits from any vendor that provides TNC compatible solutions and there are a lot of vendors that do it. With TNC-based products like Juniper’s Unified Access Control (UAC), you can gate network access based on the version and operational state of your software such as your Microsoft OS, or your Symantec or McAfee anti-virus solution. Access can also be blocked if certain banned software packages are running. By performing periodic health checks, you can catch changes to network-attached computers in real-time and proactively protect your network.

One of the major benefits of TNC is that it enables you to gradually enhance trust over time. You can integrate TNC first and then add new capabilities. Verification of machine identity using the TPM could be required to gain access, or access could be based on any of a variety of other TNC-enabled security checks. A number of vendors have recently integrated TNC into their products and incorporated a variety of security capabilities into the shared TNC framework. One technology that helps with this integration is TNC’s Interface for Metadata Access Points (IF-MAP), which is implemented in products like Infoblox’s IF-MAP Orchestration Server. You could think of IF-MAP as Facebook for applications. People use Facebook to keep track of what is happening in the lives of their friends. IF-MAP makes it possible for interested applications to keep track of one another in the same way. When an event occurs to an application, it can post information about it to IF-MAP. Applications that subscribe to news from the poster are automatically informed of the update, and they may react to it as a result. This creates an unprecedented opportunity to connect third party software packages to automate network threat detection and response.
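The machine-identity check described in the TPM section and the health checks described here are two halves of one admission decision, so here is a single added example covering both (not any vendor’s TNC implementation): a policy server issues a fresh nonce, the endpoint answers with a key bound to that machine, only an enrolled machine that answers correctly has its posture report evaluated against policy, and the check is repeated when the endpoint’s state changes. Device secrets, policy thresholds and endpoint reports are constructed, and an HMAC over the nonce stands in for the signature a TPM-held private key would produce (with a TPM, the server would hold each enrolled device’s public key or certificate instead of a shared secret).

```python
import hashlib
import hmac
import os

# Added example of the two checks a TNC policy server can combine before admitting
# an endpoint: proof that the machine is one we enrolled, then a health (posture)
# check against policy, re-run when the endpoint changes. Not any vendor's code.
# Device secrets, policy thresholds and endpoint reports are constructed; an HMAC
# over a fresh server nonce stands in for a signature by a TPM-held private key.

ENROLLED_DEVICES = {
    "laptop-0042": b"constructed-secret-bound-to-laptop-0042",
}

POLICY = {
    "min_os_build": 7601,            # constructed threshold (Windows 7 SP1)
    "max_av_signature_age_days": 3,  # AV signatures older than this fail
    "banned_processes": {"kazaa.exe", "torrent.exe"},
}


def device_respond(device_secret: bytes, nonce: bytes) -> bytes:
    """Endpoint side: answer the server's challenge with the device-bound key."""
    return hmac.new(device_secret, nonce, hashlib.sha256).digest()


class PolicyServer:
    def __init__(self):
        self._pending = {}  # device_id -> nonce issued and not yet consumed

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[device_id] = nonce
        return nonce

    def verify_identity(self, device_id, nonce, response) -> bool:
        """True only for an enrolled device answering the nonce we issued, once."""
        secret = ENROLLED_DEVICES.get(device_id)
        issued = self._pending.pop(device_id, None)  # single use: consumed even on failure
        if secret is None or issued is None or not hmac.compare_digest(issued, nonce):
            return False
        return hmac.compare_digest(device_respond(secret, nonce), response)

    @staticmethod
    def evaluate_posture(report) -> list:
        """Return the policy failures for an endpoint health report (empty = healthy)."""
        failures = []
        if report["os_build"] < POLICY["min_os_build"]:
            failures.append(f"os build {report['os_build']} below {POLICY['min_os_build']}")
        if report["av_signature_age_days"] > POLICY["max_av_signature_age_days"]:
            failures.append(f"av signatures {report['av_signature_age_days']} days old")
        banned = sorted(set(report["running_processes"]) & POLICY["banned_processes"])
        if banned:
            failures.append("banned software running: " + ", ".join(banned))
        return failures

    def decide(self, device_id, nonce, response, report):
        """Admission decision: ('deny' | 'quarantine' | 'allow', reasons)."""
        if not self.verify_identity(device_id, nonce, response):
            return "deny", ["unknown device or failed identity proof"]
        failures = self.evaluate_posture(report)
        return ("allow", []) if not failures else ("quarantine", failures)


def demo():
    """Admission, a re-check after the endpoint changes, and two attempts to get in
    with a captured or guessed identity response. Returns the decisions by step."""
    server = PolicyServer()
    secret = ENROLLED_DEVICES["laptop-0042"]
    healthy = {"os_build": 7601, "av_signature_age_days": 1,
               "running_processes": ["explorer.exe", "outlook.exe"]}
    results = {}

    # 1. Enrolled, healthy machine joins the network.
    n1 = server.challenge("laptop-0042")
    r1 = device_respond(secret, n1)
    results["join"] = server.decide("laptop-0042", n1, r1, healthy)

    # 2. Periodic re-check: a banned program has started since the join.
    n2 = server.challenge("laptop-0042")
    changed = dict(healthy, running_processes=["explorer.exe", "torrent.exe"])
    results["recheck"] = server.decide("laptop-0042", n2, device_respond(secret, n2), changed)

    # 3. Attacker replays the response captured in step 1: that nonce is spent.
    results["replay"] = server.decide("laptop-0042", n1, r1, healthy)

    # 4. Attacker presents a clean posture report from a machine never enrolled.
    n3 = server.challenge("laptop-evil")
    results["unknown"] = server.decide("laptop-evil", n3, device_respond(b"guess", n3), healthy)
    return results


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:8s} -> {decision}")
```

Note what the stolen-credential case looks like: the attacker in step 4 has a perfectly healthy posture report, and the user’s password would not help either, because the gate is a key that never left laptop-0042. Single-use nonces are what make the captured response in step 3 worthless.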

Examples of security products that integrate with TNC and/or IF-MAP include Lumeta’s IPSonar, which maps network configuration and detects leaks; Hirsch Electronics’ Velocity Security Management System, which combines physical building access control with network access control; Great Bay’s Beacon Endpoint, which addresses discovery (locating, identifying and inventorying all of the endpoints in the network); and Triumfant’s Resolution Manager, which continuously monitors machine health and identifies, and can repair, malware. Finally, integrating TPM certificates for device authentication with products from companies like Wave Systems makes the overall network security solution more trustworthy.


SEDs

Perhaps the easiest trusted computing solution to deploy is the self-encrypting drive: a drive with a built-in hardware encryption engine that encrypts everything written to it. SEDs are transparent to the user under normal circumstances, and an off-the-shelf SED works with whatever system you have. One caveat to know before you rely on one: the drive encrypts from the day it leaves the factory, but until you enable locking and set an authentication credential it unlocks for any host that powers it on, so the encryption protects nothing until it is configured. There is an easy business justification for spending a little extra on an SED: it gives you a straightforward mechanism for meeting data protection compliance requirements. And unlike software full-disk encryption, an SED imposes no CPU overhead, because the drive’s own engine does the encryption and decryption on every read and write.

If you get an SED that is compatible with the TCG’s Opal standard, you also get standardized, flexible, easy-to-use management capabilities. You can use products from vendors like WinMagic and Wave Systems to set up access control policies for your SED. Then it is straightforward to manage the lifecycle of the data on your hard drive.

With a few quick instructions, you can turn on locking so that only someone with the correct authentication credentials can decrypt the data. Securely erasing an SED is just as easy. With the appropriate credential, you instruct the drive to discard its media encryption key and generate a new one. Because every byte on the drive was encrypted under the old key, the existing data becomes unrecoverable in an instant, without the hours a full overwrite would take, and the drive is effectively brand new.

As with TNC, the TPM can be added to give SEDs additional security. If unlocking the drive requires a credential held by the TPM, someone who pulls the drive out of your machine won’t be able to unlock it in another machine, because the TPM that holds the credential stayed behind. The TPM also makes local authentication more secure.


How DMI Can Help

DMI has years of experience in applied research and implementation of trusted computing in the enterprise, working in particular with agencies in the Department of Defense to advance the state of the art. DMI is a full-service cybersecurity solutions systems integrator and a contributing member of the Trusted Computing Group (TCG). We bring to bear seasoned veterans who know the cyber threat environment, advanced cybersecurity technologies and tools like those we’ve highlighted in this paper, and who understand enterprise needs. We encourage our clients to leverage DMI’s cybersecurity skills and trusted computing expertise to assist them in assessing their security posture and to design, implement and deploy solutions that integrate with their existing infrastructure. We also provide clear business rationale for trusted computing solutions, and develop plans for how trusted computing can be used to improve security, reduce cost, and increase compliance. DMI also manages our clients’ day-to-day IT security. DMI’s Trusted Security Operations Center (SOC) solutions include 24x7 operational support and our more advanced offerings leverage all of the trusted computing technologies discussed above.

Conclusion

The technologies described here are some of the byproducts of the pursuit of a vastly more secure future. The promise of trusted computing is grand, far-reaching and will take a long time to be fully realized, but the interim steps along the way that will lead to that future are ready to be leveraged. The TPM provides hardware-based security on standard enterprise machines. TNC provides health checks and flexible policies for network access control. SEDs provide strong access control and simplified management of your data-at-rest. And other solutions are ready now or just around the corner. Go take a look at what’s out there. You’ll be surprised at how many practical trusted computing solutions there are for your enterprise today and coming soon for use tomorrow.


About DMI

DMI is a leading IT solutions and business strategy consulting firm. DMI provides services and solutions in Strategic Consulting, Desktop Management, Network Management, Enterprise Applications, and Cybersecurity. We are one of the fastest growing companies in the industry, with over 500 employees and 50 civilian, defense, and intelligence agency clients. The hallmark of our business is dedication to exceptional customer service and we’re proud of our Dun & Bradstreet Open Ratings quality and satisfaction rating of 94/100. Our record of repeat business is enviable by any standard. DMI is headquartered in Bethesda, MD, with satellite and project offices throughout the world.

At DMI, we focus on “enterprise transformation”—the strategic application of innovation to create newfound economies, efficiencies, savings, and value for our government and commercial clients and their customers. We offer market-making thought leadership and the proven ability to deliver solutions to the most vexing problems facing enterprises today.

We have a dedicated Innovation Office designed to seek and bring new concepts and technologies to our clients. In the summer of 2011, we opened a state-of-the-art DMI Innovation Center in the heart of Washington, D.C. At the DMI Innovation Center you can learn, experience, and get your hands dirty with an increasing array of new technologies and solutions like many of those described above. See secure mobility in action. Learn what’s possible with Trusted Computing. And soon, experience the future of integrated, automated cybersecurity monitoring operations. You are cordially invited.

For more information on practical trusted computing solutions, contact DMI: Ari Singer, Director, Trusted Computing Solutions, [email protected], 240.744.3041.

DMI
One Rock Spring Plaza
6550 Rock Spring Dr
Bethesda, MD 20817

DMInc.com [email protected]

©2012 Digital Management, Inc. All rights reserved.