The Red Zone in Security: Moving from Enablement to Use
Derek Brink
OCT 02, 2013 05:00 AM

At the Trusted Computing Conference last week – where I had the pleasure of moderating a couple of panel discussions – the head of the NSA’s Information Assurance Directorate, Debora Plunkett, announced her intent to sign an advisory recommending the use of Trusted Platform Modules (TPMs) “later this week”.

I have been waiting for the official advisory to be published before I commented on it in this blog, but last week has come and gone, and this week is nearly over – and I haven’t been able to find it. So of course I’ll go ahead and comment anyway.

If you’re not familiar with the concept of trusted computing, download the research brief I wrote on Endpoint Security: Hardware Roots of Trust (June 2012) for additional information and deployment examples. The core idea behind trusted computing, driven by a heightened lack of trust in software, is to leverage hardware-based “roots of trust” at the endpoints and at the edge of the network – what some have referred to as “hardware anchors in a sea of untrusted software” – for a higher level of assurance. The Trusted Computing Group is an excellent resource for additional information on trusted computing standards and solutions.

Back now to the advisory. Reading directly from the draft in her keynote, Plunkett said that:

“All COTS [commercial off-the-shelf], IA [information assurance], and IA-enabled IT products acquired for the use to protect information on National Security Systems shall comply with the requirements of the NIAP [National Information Assurance Partnership] program in accordance with NSA-approved processes and where applicable the requirements of the FIPS [Federal Information Processing Standards] cryptographic validation program. In light of the fact that hardware and firmware-based security mechanisms can enhance the overall security of IA and IA-enabled IT products, TPMs should be used.”

If you can get past the alphabet soup of acronyms, this means that TPMs are recommended (not required) for many government agencies, starting in January 2015.

This news was met with enthusiasm by the Trusted Computing Conference attendees, many of whom have been working for more than a decade towards the vision of trusted computing. As I wrote in my blog Here, FIDO! If We Build Stronger Authentication, Will Consumers Come? (28 May 2013), my experience has been that visionary efforts like these follow a pretty typical pattern, and there’s usually a chicken-and-egg dynamic between vendors, application providers, and users before any of them finally get to adoption at scale … and many of them never do. So the news that a very large buyer (the US Federal government) would recommend adoption is a welcome and important signal.

But as I also noted, in my blog called IT Security in 2013: Consciously Incompetent (11 March 2013), there are many things in security that are necessary to bring about the change we want, but not sufficient by themselves to make it happen (“necessary but not sufficient” – that’s my undergraduate training in Applied Mathematics showing itself again). For example:

Greater awareness of security threats and vulnerabilities by management and business leaders doesn’t necessarily mean greater understanding, and more thoughtful, deliberate, risk-based decisions and allocation of resources

Likewise, greater awareness by end-users doesn’t necessarily mean a change in our behavior

Mandates for the issuance of smart cards, driven by compliance with Homeland Security Presidential Directive 12 (HSPD-12) in the US Federal government, have not necessarily led to the integration of IT security (end-user authentication) and physical access management (building security) based on common access cards

The mere presence of TPMs by default in millions of currently shipping enterprise-class PCs has not yet led to those capabilities being routinely activated and used by most enterprises

Similarly, a recommendation to use TPMs on systems used for national security starting in January 2015 is an important milestone for enablement … but will still take time to reach the objective of widespread use, even within the US Federal government.

For example, the US Census Bureau reports about 2.85M federal civilian employees based on the 2010 census. Assuming that each of them uses a system with an embedded TPM, and assuming a uniform rolling replacement cycle of 4 years, it would take until the end of 2018 to establish a ubiquitous base of about three million TPM-enabled systems. And deploying and using the applications that light these TPMs up is still what it takes to move the ball from the red zone to the goal line.

For me personally, I remain strongly positive about trusted computing and encouraged by the (pending) announcement, but realistic about what it means in terms of putting points on the board.

By the way, there is another fascinating topic in this area – Microsoft’s deepening support for TPMs in Windows 8.1, and the recent leaks from the German government regarding their concerns about this fact – which I will try to summarize in an upcoming blog.
