Google, Twitter and Trust in the Cloud
This week brings yet another round of security incidents, including the news that some confidential business documents from Twitter were accessed via Google’s apps service, delivered through the cloud. Here at Trusted Computing Group, we continue to be amazed at how users and enterprises do not use commonly available and inexpensive solutions to enable trust – trust that would help prevent many security leaks and protect data.
For example, if users enabled their Trusted Platform Modules, or TPMs, to protect critical information including their log-in information, attacks would be thwarted. The TPM protects user credentials with a secret that is stored in the TPM itself. Before a credential can be released to a website, the user must authenticate to the TPM, which releases credentials only to the given services. The TPM is now included in nearly every enterprise notebook and desktop PC, along with various software applications to enable and manage it.
The second and maybe more interesting opportunity is for web service providers to recognize machine authentication as a useful and mandatory step for allowing users to gain access to the services to which they subscribe. As an example, a user could authenticate to their credentials protected by the TPM, the machine could authenticate to a service, and the service provider could then verify, through attestation, that the machine asking for access is an authorized machine with an authorized user. This would provide higher assurance for the ecosystem participants, who would like to have both their access and credentials authorized by both the user and the service provider who provides the service.
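The flow just described, modelled as an added example (not TCG code and not a real TPM API): a constructed `TpmModel` that releases the sealed user credential only after the user authenticates to it and answers the service's nonce with a chip-resident machine key, and a constructed `Service` that grants access only when the machine quote and the user credential both check out. HMAC stands in for a TPM signature so the model runs on the standard library alone; the names `TpmModel`, `Service`, `login` and the PIN/credential values are all assumptions.

```python
import hashlib, hmac, secrets

class TpmModel:
    """Constructed TPM stand-in: machine key never leaves it, credential released only after user auth."""
    def __init__(self, user_pin: str, user_credential: bytes):
        self._machine_key = secrets.token_bytes(32)  # chip-resident, never exported
        self._pin_hash = hashlib.sha256(user_pin.encode()).digest()
        self._sealed_credential = user_credential    # protected by the TPM secret
    def enrollment_key(self) -> bytes:
        # Simplification: a real TPM exports a public key, not a shared secret;
        # HMAC keeps this model stdlib-only.
        return self._machine_key
    def release_credential(self, pin: str):
        """Step 1: the user authenticates to the TPM before any credential leaves it."""
        ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return self._sealed_credential if ok else None
    def quote(self, nonce: bytes) -> bytes:
        """Step 2: the machine authenticates by keying the service's nonce."""
        return hmac.new(self._machine_key, nonce, hashlib.sha256).digest()

class Service:
    """Constructed service: access needs an enrolled machine AND a valid user credential."""
    def __init__(self):
        self.machines, self.users, self.pending = {}, {}, set()
    def enroll(self, machine_id, key, username, credential):
        self.machines[machine_id] = key
        self.users[username] = hashlib.sha256(credential).digest()
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce
    def grant(self, username, credential, machine_id, nonce, quote) -> bool:
        """Step 3: fresh nonce, correct machine quote and user credential, all together."""
        if nonce not in self.pending:   # replayed or unknown challenge
            return False
        self.pending.discard(nonce)     # single use
        key = self.machines.get(machine_id, b"")
        machine_ok = hmac.compare_digest(hmac.new(key, nonce, hashlib.sha256).digest(), quote)
        user_ok = hmac.compare_digest(hashlib.sha256(credential).digest(),
                                      self.users.get(username, b""))
        return bool(key) and machine_ok and user_ok

def login(tpm, service, machine_id, username, pin) -> bool:
    """Client-side flow: release credential, answer the challenge, request access."""
    cred = tpm.release_credential(pin)
    if cred is None:
        return False
    nonce = service.challenge()
    return service.grant(username, cred, machine_id, nonce, tpm.quote(nonce))
```

A credential copied to a machine the service never enrolled fails the machine check even with the right PIN, and a consumed nonce is rejected on replay.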
All of us do this every day in the real world when we physically buy a good or service. Everyone in the physical world provides some level of authentication when they acquire some sort of good or service. We should do the same in the digital world. The cable TV market figured this out a long time ago. They decided that set-top boxes should have an authentication token and credential to deliver services to an authorized machine. Cable providers also determined that the service was controlled by the consumer's ability to pay for that service. What do we have? A service that works when requested, a service provider that is pleased because authorized users receive the service, and an ecosystem that is satisfied.
The PC is an enormously powerful device that can work just like a cable box, a services platform on which users and providers have a trusted relationship that shuts out the third party trying to disrupt, steal and cause service interruption for consumers who just want what they want: a platform that provides services on demand, when they want them.
Categories: Authentication, Data Protection, Network Security