Event Summary

On Monday, October 11, Compaq, Hewlett-Packard, IBM, Intel and Microsoft announced the launch of a new alliance, the Trusted Computing Platform Alliance. The Alliance has chartered itself with the mission of developing a new hardware and software specification that will let technology companies build on a more trusted and secure personal computer platform based on common standards. Alliance Chairman David Chan of Hewlett-Packard says, "This workgroup was formed to define the necessary set of capabilities for a security subsystem that would allow a system integrator and solution provider to establish trust on a hardware platform." The Alliance also stated that "personal computers lack a standard set of system hardware-based functions needed to establish trust on the platform."
The cited mission is somewhat nebulous. Is the Alliance trying to help Microsoft fix the widely publicized security holes in its operating systems? Is it trying to develop or certify a PKI (Public Key Infrastructure) solution? Or is it trying to develop desktop and server security standards for systems integrators and solution providers? Whatever the mission turns out to be, the Alliance plans to produce a proposal for a security specification of sorts by the second half of 2000, and intends to make the specification available through licensing, subject to proper verification and implementation.
Market Impact

In a world of co-existing truths, it is likely that there are multiple purposes behind this alliance. Microsoft needs to gain consumer confidence in the security of its operating systems, and having two high-profile Unix vendors, HP and IBM, on its side is certainly a good starting point. Compaq, HP, and IBM all want to sell servers, and without the confidence that comes from a secure operating system, many organizations that want a turnkey commercial off-the-shelf server solution are turning to vendors like Sun Microsystems and Novell. E-commerce is the prevailing Internet market driver, and without security, financial transactions are a risk and a liability that smart businesses and organizations are not willing to take.
Though the Alliance may be leaning towards putting more security in the BIOS, there are no easy and quick shortcuts to securing an information technology infrastructure. Most security experts agree that a layered security model is the best approach: a layered model secures an organization's network, its operating systems, and its applications, so that no single layer has to carry the whole burden. According to Marcus Ranum, CEO of Network Flight Recorder and the person most often credited with developing the first firewall, "What it seems they're saying is that they're going to develop hardware specs and BIOS extensions that will enable certain security services to the operating system. That's nice, but if the operating system isn't good, security-wise, it won't matter what the hardware provides."
If nothing else, the formation of this alliance is sure to heighten security awareness in the information technology sector as a whole. Elias Levy, Chief Technical Officer of Security Focus and moderator of the well-known Bugtraq security mailing list, says, "The alliance is a good idea and has potential. There is a great need to build security features into the basic structure of the computer and the operating system. Only when these features become universal will application writers start making use of them, benefiting the end user. Although it is still too early to tell what the exact deliverables are that the alliance hopes to produce, it is encouraging to see these important companies at least attempting to solve some of these security issues."
User Recommendations

The Alliance invites other companies to participate in helping to architect its mission. If your organization has anything to offer the Alliance, applications for membership are currently being accepted. With such a lofty agenda and aggressive delivery intentions, the Alliance will certainly need all the help it can get. In the meantime, users should not hold their breath: a hardware specification due in 2000 does nothing for a network that is exposed today. The first step in securing an organization's network is to have a security vulnerability assessment done as soon as possible. In light of the rapidly increasing number of network and system security break-ins, it would behoove any organization that keeps confidential information on its network to analyze its risks and take due precautions without delay.