TPM To Bolster Laptop Security

Laptop computers are a never-ending nightmare for IT shops. They can be a carrier for malware, bypassing perimeter security so easily that even well secured firms like Microsoft have been violated by them.

Laptops can be easily lost or stolen, something that the year's headlines are only too ready to remind us. We've seen the embarrassment, and potential legal liability, resulting from the loss of laptops along with protected customer financial or medical information. And we can't convince employees not to use the damn things because many increasingly find themselves working at home or on the road where there are few more secure alternatives.

Laptops with a Trusted Platform Module (TPM) have been around for some time. While they're generally not activated, TPM could provide increased protection in the connection between the laptop and corporate information assets, were it actually used. But even securing that connection does little good against lost or stolen laptops.

In a few short weeks, however, a new class of drive will emerge, first from Seagate and then from others, that will use the TPM in a new way. And any organization with lots of laptops that contain sensitive information should jump on this new technology.

Safer Driving

The TPM on the drive, if properly implemented, will do two critical things. First, it encrypts the drive. When used with a compliant systems management product like Wave Systems' Embassy solution, the IT organization can then centrally manage all these newly protected drives.

The entire drive is encrypted, and not just selected partitions or files. These drive-resident keys can be remotely deleted, rendering the data on the drive useless. This suggests that the protection on these centralized tools needs to be very high. This process is also under review by the government as a cheaper, potentially more effective way than the currently required overwrite methods in use.

The benefits for this range from the ability to tie the encryption to a multi-factor authentication process (we still prefer a combination of biometrics and smart cards for this), to the ability to broadcast a code that could remotely destroy the key should the notebook be stolen or the employee terminated.

The other critical thing is tying the drive solidly to the notebook by creating a trust relationship between the notebook TPM and the drive TPM. Should someone remove the drive from the notebook, it would be worthless. This feature could also be extended to desktops or servers where drive theft, for industrial espionage, is more likely.

This technology promises some future benefits which could include tying access to the drive to a local device like a TPM-enabled cell phone. That way, were the user to be five or more feet away from the notebook (say the user went into an airport restroom) the drive would be inaccessible until he or she returned. Even in the situation where the notebook gets stolen or accessed while in the baggage compartment of an airplane, the data would remain safe, even if the thief had a password or was somehow able to duplicate the biometrics typically needed to access the thing.

If you are at all concerned with laptops (they scare the hell out of me), make sure your preferred vendor is ready to implement these drives and help you with the entire solution. TPM will go a long way to reducing this fear to manageable levels. And with any luck, they'll improve the odds it's your biggest competitor and not you that makes the front page when the next time a data-rich laptop gets nicked.

— Rob Enderle is President and Founder of Enderle Group . Special to Dark Reading

Organizations mentioned in this story