informa
News

TPM Authentication Is Out There, But Not Widely Used

Trusted Computing Group's hardware authentication technology pervasive, but rarely 'switched on'
Installed within hundreds of millions of endpoints worldwide, the hardware authentication chips built around the Trusted Platform Module (TPM) specification have long been billed by some as a security panacea. But even after widespread proliferation of TPM hardware, the vast majority -- 99 percent by some estimates -- are left turned off.

Critics say the inflexible and costly nature of deploying hardware-based authentication within environments increasingly infiltrated by consumer devices will keep TPM from ever catching on in a major way. But TPM advocates believe it is simply a matter of further educating organizations that they already have deployed the hardware necessary to vastly improve security in order to build TPM use to a meaningful inflection point.

Developed by the multivendor Trusted Computing Group (TCG) consortium, TPM is a cryptographic processor that can store crypto keys that enable platform authentication. "It shifts the focus to a device-centric model for security -- authentication is based on the device. In the perfect world, a user logs into their device, and the device logs them into all the services to which they belong," says Stephen Sprague, CEO of Wave Systems, a firm that specializes in TPM consulting. "Within the identity space there has been an enormous amount of work done around people. [Authentication] is dramatically easier to use when you make it on machines because you don't have all the problems associated with people. There's no personally identifiable information -- it's machine-identifiable information."

For more than four years TCG has evangelized TPM as member vendors ramped up production of TPM chips starting. TCG estimates that OEMs have shipped well more than 300 machines with TPM chips. Today nearly all business-class endpoints come already equipped with TPM.

"TCG as a standards organization enables the building blocks for the supplier community to commercialize. The supplier then builds commercial businesses around these. In the case of TPM, the semiconductor and PC OEMs have commercialized the distribution of these building blocks. Now the ISVs and end users are deploying the capabilities of the trusted platform," says Brian Berger, chair of marketing on the TCG board.

Tracking the use of these chips, however, is an inexact science because no real mechanism exists to count how many TPMs are turned on. According to Sprague, the industry consensus is that no more than 1 to 2 percent of TPM chips are actually being used.

While this year has seen some encouraging TPM use cases crop up -- for example, PricewaterhouseCoopers recently started rolling out deployment on 30,000 of its 150,000 user install base -- it's clear that the crypto chips are not yet making a dent in the authentication and security market. According to Sprague, one of the biggest inhibitors is lack of awareness.

"They have no knowledge that it exists in the box," Sprague commented about low usage rates. "Ninety percent of the time when we walk in the door we're educating the CIO, the CISO, and the procurement people that they actually have something already in the box, and they go, 'Really? On everything we have?'"

But some analysts say the microscopic usage points to deeper problems than lack of awareness. For example, Gartner analyst John Pescatore recently wrote in a blog post that the hardware-based authentication model is too restrictive in this age of consumerized IT. "In the commercial environment trends like consumerization are pushing in the opposite direction -- more and more frequently business will be done from hardware running applications where both are chosen by the user. Trusted Computing that focuses on user lockdown is aiming way, way behind the duck," he wrote.

And according to Adrian Lane, analyst/CTO of Securosis, desktop virtualization and cloud computing for securing endpoints and users are more cost-efficient and effective than depending on dedicated hardware. "[It's] cheap, fast, easier to manage, and much more flexible in capacity. Desktop virtualization is inherently more secure as I centrally patch, manage AV, and maintain good images of user environments," he says. "So why do I want to use dedicated hardware? It's more secure as it's harder to break ... at least without having possession of the hardware. But it costs more, and it's more to manage, hardware tends to be very inflexible, and gets old really fast."

TPM also might not be as secure as initially sold. Just last year, researcher Christopher Tarnovsky announced that he managed to hack an Infineon TPM chip.

But Wave Systems' Sprague says for many organizations, flipping the switch on a fleet of previously inactive TPM chips can have an immediate and positive security impact.

"In the overall scope of things, if the average IT security department did nothing in the next year but turn on their TPMs and use them, they'd do more for cybersecurity than any other investment they could make," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: