Cloud computing and consumerization of IT are two of the 800-pound gorillas dominating IT discussions today. Together they comprise a simple, alluring idea: People can use any device they want to access the Internet and data from anywhere.
Unfortunately, this vision poses some frustratingly complex questions of execution. Two of the biggest are: How do I know who’s accessing my networks and data and, more importantly, can I trust them? That’s because, despite the pervasive marketing hype, people don’t really mean just any device – they mean any known device.
One of the simplest and most effective means to create known devices is the Trusted Platform Module (TPM). TPMs are dedicated hardware impervious to remote attacks on a device’s software – the perfect place to safeguard encryption keys that serve as authentication credentials proving the device is known and trusted. A proven technology, TPMs have already shipped on more than 500 million corporate desktop and laptop computers worldwide.
I read Julie Bort’s interesting piece in Network World last week mentioning how TPMs are a linchpin of Microsoft’s plans for delivering cloud-based corporate applications. She questions whether Microsoft’s cloud will support Apple iOS and Google Android consumers who don’t buy TPM-equipped devices.
Fortunately, I don’t think Julie or the rest of us have to worry. Microsoft didn’t talk about interoperability because it didn’t have to. Aside from not wanting to give competitors free advertising, Microsoft knows that Microsoft Windows Server supports all browsers that meet Secure Sockets Layer (SSL) encryption standards.
Browsers, not operating systems, are what matter here. As long as Apple Safari, Google Chrome and other major browsers maintain SSL compatibility – which, barring a meteor strike or other world-ending event, they probably will – Microsoft will remain interoperable with them, TPMs or not. The bigger concern is not whether people without TPMs can access Microsoft’s cloud; it’s how secure their online interactions will be once they’re on it. Again, standards are the key here.
Standards are a good lens for thinking about how to improve adoption of IT security technologies, too. Consider the successes of the Occupational Safety and Health Administration (OSHA), the Environmental Protection Agency (EPA) and Underwriters Laboratories (UL).
All three organizations set standards requiring technical designs to incorporate safety functions to achieve desired results. The EPA made a rule forbidding lead solder on all motherboards. Now it’s impossible to buy a new motherboard containing it. UL helps ensure any toaster you can buy won’t electrocute you when you fish out your English muffin with a butter knife.
Cloud security is a big deal – and often, a deal breaker – because organizations can’t always trust the people and devices trying to access Internet-based assets. Organizations need technologies that protect automatically, because training and awareness only go so far. Signs that warn “Don’t put your hand in that drill press!” are great, but making the machine so you can’t insert your hand in the first place is much better.
The same goes for IT security: News reports and IT studies galore indicate that no matter how much people know about IT security best practices, they still fall victim to social engineering, malware and their own carelessness and stupidity.
The only long-term defense against worsening cybersecurity threats is device-based protection using automated hardware-based security. Enter TPMs, all of which follow the Initiative for Open Authentication (OATH) and other well-respected IT security standards.
Thanks to standards, a computer is required to not set you on fire—but not to protect your data. It makes me wonder: Why can’t we apply an OSHA, EPA and UL model to IT security?