Trusted Computing Group

On Friday, April 15, 2011, the United States announced its National Strategy for Trusted Identities in Cyberspace (NSTIC), which details a series of recommendations for online security and privacy for both consumers and businesses. This new effort was unveiled at the Chamber of Commerce. A video is available at http://www.uschamber.com/webcasts/release-white-houses-national-strategy-trusted-identities-cyberspace-nstic.

Why the effort? Well, according to the FBI, cybercrime affected 117 million United States citizens in the last two years. We are all awash in data breach notifications, so much so that some pundits worry there will be "data breach notification fatigue". Data breaches cost businesses $7.1 million per event, notes the Ponemon Institute.

Among the NSTIC's recommendations are to streamline the many usernames and passwords held by users. To make log-in easier, most people re-use their usernames and passwords, which makes it exponentially easier for those names and passwords to be compromised. NSTSIC is building on established standards, including the Trusted Computing Group's Trusted Platform Module. The TPM creates a secure, invulnerable space in a PC or other device to provide protective storage of passwords, keys and certificates. As suggested by the NSTIC, users would log into their PCs, authenticate themselves once, and then access multiple credentials that are not stored "in the clear". Users don't have to recall or re-enter a multitude of names and passwords.

The TPM, if you don't know, estimated at over 500M shipped, is currently available in most enterprise and many small business PCs. It's also being used in non-PC devices, such as copiers, set-top boxes and industrial systems, to enable additional security and prevent unauthorized access and control changes to the system, such as rogue software installations.

TCG member Wave Systems is among the trusted identity providers showing how the NSTIC recommendations can be implemented. More information on their role is available at http://www.wavesys.com/news/?latest.

TCG has long advocated that users look to the TPM to provide strong, hardware-based security. Now, they have another reason to use available security.