Trusted Computing Group

Security experts have for years noted and proven the vulnerability of software-based approaches to securing data. To harden software solutions, millions of tokens are in use. Now, we know that tokens and One-Time-Passwords (OTP's) are not secure either. Last week's report of a network intrusion at Lockheed Martin, where access to highly confidential and sensitive data on key government programs is maintained, further highlights the problems associated with token dependency by all organizations.

Here at the Trusted Computing Group, we have taken a different approach to securing client systems, data and networks: an approach based in hardware. The Trusted Platform Module, or TPM, was developed several years ago as a baseline specification and has been implemented by a number of vendors in dedicated silicon and as part of other chipsets. More than 500 million systems have shipped and include the TPM, which has been ratified by ISO, IEEE and Common Criteria. TCG offers a compliance program to help ensure chips based on its specifications support it accurately.

Even the U.S. and British governments are fans and users of the TPM, along with other TCG specifications. The TPM is recommended by CESG, the British information assurance agency and by the NSA in the U.S.

So, this inexpensive, widely available and installed in every business today, security approach is the solution to many of today's hacks, attacks and intrusions, right? Unfortunately, many enterprise IT departments still have not implemented the widespread usage of the TPM - despite it being right on the systems they own, purchase and manage. We guess that many enterprises have a lot of existing infrastructure and relationships with options such as tokens, despite their vulnerabilities. We suspect that enterprises might not know about the available and effective tools such as software that sets and manages the TPMs remotely and easily. IT staff might not know they can use TPMs as part of a strong multifactor authentication approach, layering security.

Who in the commercial world is using TPMs? Typical of security, it's challenging to get companies to talk openly about their security solutions. PwC, one of the world's consulting giants, is using the TPM to protect its systems and information.

At this point, perhaps it is time for enlightened thinking about security and adopting a better way to secure data - a way that has already been proven and is not expensive or difficult to use. Otherwise, we are sure to see the continued flood of breaches and attacks on systems that are structurally insecure and vulnerable.