The Security Ledger is a new, online publication that’s serious about reporting on security and “The Internet of Things.” While we’ve had tremendous success in our first six months of operation, any new endeavor involves some risk. That’s why I’m thrilled to have had the backing of some forward-looking sponsors: Qualys and Veracode. And today, I’m happy to add a new name to that list: The Trusted Computing Group (TCG).
For those of you who aren’t familiar with TCG, it’s best known as the group behind the Trusted Platform Module (TPM), the secure cryptographic chip that ships with almost every modern desktop and notebook PC. The TPM provides a hardware-based root of trust on compliant systems, allowing TPM-equipped systems to securely generate cryptographic keys that can authenticate each endpoint for use in secure online transactions and communications.
But TCG actually does a lot more. As a security beat reporter, for example, I got familiar with the group in the process of covering the “NAC” (Network Access Control) space. That technology was all about vetting the security of endpoints before admitting them to enterprise networks. It was a space that screamed out for cross-industry standards, with every vendor and their sister foisting similarly scoped but incompatible standards for doing endpoint assessment and provisioning. TCG’s Trusted Network Connect (TNC) was the first vendor-neutral, open architecture for doing that.
Today, TCG is at the nexus of a lot of interesting stuff that’s brewing around online identity and securing embedded devices, critical infrastructure and the rapidly expanding universe of connected devices. At the RSA Conference, TCG members demonstrated a wide range of applications for TCG technologies, including the TPM, TNC and TCG’s Opal-based self-encrypting drives. As an example, I chaired a panel on the applications of the TPM and emerging specifications around secure BIOS and secure boot against advanced persistent threat (APT) attacks.
Long and short: the TPM contains several PCRs (Platform Configuration Registers) that allow secure storage and reporting of security-relevant measurements. These measurements can be used to detect changes from a previous configuration and to drive decisions about how to proceed. Microsoft’s BitLocker Drive Encryption is one example of this, and Windows 8 brings on-by-default support for the TPM on TPM-enabled systems.
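As an added illustration (not code from the post, from TCG or from any TPM implementation), the following Python simulates how a PCR accumulates boot measurements: each component's digest is folded in with the extend operation, PCR = H(PCR || H(component)), so the final value depends on every component and on their order, and a verifier can compare a reported value against a known-good one recorded earlier. The SHA-256 bank, the all-zero reset value and the sample boot components are assumptions made for the example.

```python
import hashlib

HASH = "sha256"                       # assumed PCR bank; TPM 1.2 banks use SHA-1
DIGEST_LEN = hashlib.new(HASH).digest_size
PCR_INITIAL = b"\x00" * DIGEST_LEN    # simplified: the PCR starts all-zero at reset

def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """One extend step: new PCR = H(old PCR || measurement).
    A PCR is never written directly; it only ever accumulates, which is
    what lets a later verifier trust that nothing was skipped or replaced."""
    return hashlib.new(HASH, pcr_value + measurement).digest()

def measure_chain(components: list[bytes]) -> bytes:
    """Hash each component and extend it into one PCR, in boot order,
    the way firmware measures the boot chain. Returns the final PCR value."""
    pcr = PCR_INITIAL
    for blob in components:
        pcr = pcr_extend(pcr, hashlib.new(HASH, blob).digest())
    return pcr

def changed_pcrs(reported: dict[int, bytes], expected: dict[int, bytes]) -> list[int]:
    """Verifier-side check: which PCR indices differ from the known-good
    values recorded for this platform's previous configuration.
    A missing register counts as changed."""
    return sorted(i for i, good in expected.items() if reported.get(i) != good)

# Constructed sample "boot components" standing in for firmware, bootloader, kernel.
GOOD_BOOT = [b"firmware v1.0", b"bootloader v2.3", b"kernel 5.x"]
TAMPERED_BOOT = [b"firmware v1.0", b"bootloader v2.3", b"kernel 5.x (patched)"]
REORDERED_BOOT = [b"bootloader v2.3", b"firmware v1.0", b"kernel 5.x"]

def demo() -> tuple[list[int], list[int]]:
    """Record the golden PCR 0 once, then check two later boots against it:
    an unchanged boot yields [], a modified kernel yields [0]."""
    golden = {0: measure_chain(GOOD_BOOT)}
    unchanged = changed_pcrs({0: measure_chain(GOOD_BOOT)}, golden)
    modified = changed_pcrs({0: measure_chain(TAMPERED_BOOT)}, golden)
    return unchanged, modified
```

Because the register only extends, even the reordered chain produces a different PCR 0 than the good one, which is why measured boot catches a swapped component and not just a modified one.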
Other RSA-related news included a demo by a firm called Asguard Networks that used TCG’s IF-MAP standard to create independent, isolated VPN overlay networks to secure communications between industrial control systems, while Microsoft, Juniper Networks and Infoblox used TNC specifications for endpoint identification, device profiling and network access control to secure a BYOD environment.
So, if you haven’t done so already, point your browser over to the Trusted Computing Group’s web page and check them out. And be sure to give them a big “thanks” for supporting independent reporting on security through their sponsorship of The Security Ledger!