At age 10, Trusted Computing Group sees a new world of threats
SAN FRANCISCO — The Trusted Computing Group, an industry security standards organization, is celebrating its 10th anniversary at this week's RSA security conference.
Best known for the Trusted Platform Module (TPM) security chip, the organization more recently has published specs for integrating network security information into the government's Security Content Automation Protocol (SCAP). Sessions at its conference workshop will focus on network security trends and data protection in a rapidly changing IT landscape.
"Sophisticated, targeted threats and the challenges of mobile devices are two ends of the security spectrum," said Wave Systems' Brian Berger, a TCG board member.
With the number of user endpoints on the Internet being measured in the billions — many of them untethered wireless devices — building security into those devices and enabling secure network access controls is becoming an imperative.
"The definition of mobile and mobility has changed, and that changes the context of security," Berger said. "Security has to catch up."
TCG was formed in 2003 and that same year adopted specifications for its signature TPM. Since then the chip, a cryptoprocessor that can store data securely in hardware, has become almost ubiquitous, with some 600 million shipped in computing devices from desktop and laptop PCs to mobile phones and automotive systems. Since then, it has slowly worked its way into the security infrastructure of end devices. It is a core component of Microsoft Windows 8 security and also is used by the Google Chromebook.
Despite the support for the group's efforts from government entities such as the National Security Agency, the pace of TPM adoption by government has been — at best — deliberate.
"Government moves at government's pace," Berger said. But in the past several years, TPM has been showing up as a requirement in government purchasing vehicles.
The National Institute of Standards and Technology calls the chip "the foundation for an entire ecosystem" of PC security, enabling the secure storage and passing of information within and between computers. But government had little input into the development of the first versions of the specification, and they did not meet Federal Information Procession Standards, required for government crypto systems.
But NSA has been participating in the development of TPM 2.0, which is expected to be FIPS 140-2 or 140-3 certified. NSA also is working with TCG to create protection profiles to allow certification of self-encrypting drives, another TCG specification that is gaining adoption.
Last fall, TCG released draft specifications for standardizing content using the government's SCAP in TCG's Trusted Network Connect (TNC) architecture. The two protocols handle different domains of IT security. The TNC standards focus on network security, while SCAP, developed by NIST, focuses on endpoint compliance. Using them in tandem could help improve endpoints security.